Creating extra custom format key-value pairs
Use the Extended Log File Format (ELFF) custom format to forward specific Blue Coat data or events to IBM QRadar.
The custom format is a series of pipe-delimited key-value pairs. The string starts with the Bluecoat| field, and each following field has the form key=$(parameter), where parameter is a Blue Coat ELFF parameter. The key on the left is the name QRadar sees; the $(parameter) on the right is substituted by the appliance when the event is written.
For example:
Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)
| Blue Coat ELFF Parameter | QRadar Custom Format Example |
|---|---|
| sc-bytes | $(sc-bytes) |
| rs(Content-Type) | $(rs(Content-Type)) |
For more information about available Blue Coat ELFF parameters, see your Blue Coat appliance documentation.
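The following Python is an added example, not code from IBM or Blue Coat: it builds the custom format string from a key-to-parameter list (the nine pairs in the example above plus the two table rows) and parses a constructed log line back into a dictionary, checking that the Bluecoat| leader and the expected keys are present. The sample event is invented for illustration, and the parser assumes that no field value contains an unescaped pipe character; a line whose field count does not match the configured format is rejected rather than silently mis-mapped.

```python
"""Build and parse the pipe-delimited Blue Coat custom format for QRadar.

Added example; not IBM or Blue Coat code. The ELFF parameter names and the
leading 'Bluecoat|' token come from the page; SAMPLE_LINE is constructed.
"""

LEADER = "Bluecoat"

# (QRadar key, Blue Coat ELFF parameter), in the order the appliance emits them.
# The first nine pairs match the page's example; the last two come from the table.
FIELDS = [
    ("src", "c-ip"),
    ("srcport", "c-port"),
    ("dst", "cs-uri-address"),
    ("dstport", "cs-uri-port"),
    ("username", "cs-username"),
    ("devicetime", "gmttime"),
    ("s-action", "s-action"),
    ("sc-status", "sc-status"),
    ("cs-method", "cs-method"),
    ("sc-bytes", "sc-bytes"),
    ("content-type", "rs(Content-Type)"),
]

# Constructed event as the appliance would emit it for the FIELDS format above.
# A lone '-' is the ELFF placeholder for a field with no value.
SAMPLE_LINE = (
    "Bluecoat|src=10.1.2.3|srcport=51234|dst=www.example.com|dstport=443"
    "|username=jdoe|devicetime=[05/Mar/2024:14:22:10 GMT]|s-action=TCP_TUNNELED"
    "|sc-status=200|cs-method=CONNECT|sc-bytes=5120|content-type=-"
)


class FormatError(ValueError):
    """Raised when a line does not match the configured custom format."""


def build_format(fields=FIELDS):
    """Return the format string to configure on the appliance."""
    return "|".join([LEADER] + [f"{key}=$({param})" for key, param in fields])


def parse_event(line, fields=FIELDS):
    """Split one emitted line into {key: value}; '-' becomes None.

    Values are split from keys on the first '=' only, so a value that itself
    contains '=' (for example a URL query string) is kept intact. A value
    containing '|' cannot be recovered and shows up as a field-count mismatch.
    """
    tokens = line.rstrip("\r\n").split("|")
    if tokens[0] != LEADER:
        raise FormatError(f"missing {LEADER}| leader in {line[:40]!r}")
    expected = [key for key, _ in fields]
    if len(tokens) - 1 != len(expected):
        raise FormatError(
            f"expected {len(expected)} fields, got {len(tokens) - 1}: "
            "a value contains '|' or the appliance format differs from FIELDS"
        )
    event = {}
    for key, token in zip(expected, tokens[1:]):
        name, sep, value = token.partition("=")
        if not sep or name != key:
            raise FormatError(f"expected key {key!r}, got {token!r}")
        event[key] = None if value == "-" else value
    return event


def is_well_formed(line, fields=FIELDS):
    """True if parse_event accepts the line, False otherwise."""
    try:
        parse_event(line, fields)
        return True
    except FormatError:
        return False


if __name__ == "__main__":
    print(build_format())
    for key, value in parse_event(SAMPLE_LINE).items():
        print(f"{key:>13}: {value}")
```

Keep FIELDS as the single source of truth for both the appliance configuration and the receiving side; renaming a key in one place but not the other is the mistake the strict key check is there to catch.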