LogLogic Blue Coat ProxySG Syslog Log Configuration Guide

Document Release: September 2011
Part Number: LL600070-00ELS100000

This manual supports LogLogic Blue Coat ProxySG Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.
2011 LogLogic, Inc. Proprietary Information

Trademarks

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com
Contents

Preface
  About This Guide  5
  Technical Support  5
  Documentation Support  5
  Conventions  6

Chapter 1  Configuring LogLogic's Blue Coat ProxySG Syslog Log Collection
  Introduction to Blue Coat Syslog  7
  Prerequisites  7
  Standard Configuration for Blue Coat Syslog  7
  Configuring Blue Coat Syslog for Syslog Using the CLI  8
    Configure Event Logging Using Advanced Web Configuration  8
    Configure Event Logging Using the CLI  9
    Advanced Configuration for Blue Coat Syslog  9
    Enabling the LogLogic Appliance to Capture Data  15
    Adding a Blue Coat Syslog Syslog Device  16
  Verifying the Configuration  17

Chapter 2  How LogLogic Supports Blue Coat ProxySG Syslog
  How LogLogic Captures Blue Coat Syslog Log Data  19
  LogLogic Real-Time Reports  20

Chapter 3  Troubleshooting and FAQ
  Troubleshooting  21
  Frequently Asked Questions (FAQ)  21

Appendix A  Event Reference
  LogLogic Support for Blue Coat ProxySG Syslog Events  23

Blue Coat ProxySG Syslog Log Configuration Guide 3
Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Blue Coat ProxySG enables LogLogic Appliances to capture logs from Blue Coat ProxySG via Syslog.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
  Telephone: Toll Free 1-800-957-LOGS, Local 1-408-834-7480
  EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
  Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
  Your name, email address, phone number, and fax number
  Your company name and company address
  Your machine type and release version
  A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.
Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
  username: system
  home directory: home\app

A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
  LogLogic_home_directory\upgrade\

Straight brackets signal options in command-line syntax. For example:
  ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]
Chapter 1  Configuring LogLogic's Blue Coat ProxySG Syslog Log Collection

This chapter describes the configuration steps involved in enabling a LogLogic Appliance to capture Blue Coat Syslog Syslog. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Blue Coat Syslog related log data.

  Introduction to Blue Coat Syslog  7
  Prerequisites  7
  Standard Configuration for Blue Coat Syslog  7
  Configuring Blue Coat Syslog for Syslog Using the CLI  8
  Verifying the Configuration  17

Introduction to Blue Coat Syslog

The Blue Coat Syslog range of appliances provides points of control that accelerate and secure business applications for users across the distributed organization.

Prerequisites

Prior to configuring the Blue Coat Syslog and LogLogic Appliance, ensure that you meet the following prerequisites:
  LogLogic v5.1 Appliance or later installed with the Blue Coat Syslog Log Source Package.
  Blue Coat Syslog SGOS version 5.4
  Administrator access on the LogLogic Appliance.

Standard Configuration for Blue Coat Syslog

Blue Coat has native syslog support for event logs, not access logs. In addition to event logs, it is possible to send access logs continuously via TCP port 514 (the syslog port) by defining a custom client that sends the access logs as text. However, this does not alter the log format to allow the individual messages to be properly identified. Thus the basic level of support for Blue Coat syslog messages allows for identification and collection of event logs, not access logs.[1]

The recommended configuration is to use the Standard Configuration. In this configuration the Proxy sends only event logs via syslog, and access log collection and reporting requires the standard methods described in the LogLogic Blue Coat ProxySG Log Configuration Guide. For customers who cannot use the standard methods for collection of access logs, the Advanced Configuration for Blue Coat Syslog allows for use of a custom client to transport the access logs over the syslog port (TCP only). To collect access logs over port 514, modification of the log formats and instantiation of a specific policy is required. This configuration option is covered in the next section.

[1] Event logs are operational logs and do not contain information about proxy access.
For Syslog event logging, there are five event log levels:
  Severe errors
  Configuration events
  Policy messages
  Informational
  Verbose

The ProxySG sends the events that belong to each enabled level. Each level can be turned on or off, but the events within a level are not configurable.

Configuring Blue Coat Syslog for Syslog Using the CLI

You must enable and configure Syslog on Blue Coat Syslog prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Blue Coat Syslog regarding configuration and Syslog. For more information on these areas, see the Blue Coat Syslog Product Documentation.

Configure Event Logging Using Advanced Web Configuration

Using the Advanced Configuration window, select Maintenance > Event Logging. Under the Syslog sub-tab, select the Enable syslog check box. Click the New button to add a Syslog host by hostname or IP address. Up to four hosts can be defined.
Next, choose the desired logging level. Click the Level sub-tab and check the box for the desired level. Checking "Verbose" automatically checks the lower levels.

Configure Event Logging Using the CLI

It is possible to configure the syslog hosts and event levels using the CLI. For more information on this configuration option, consult Configuration and Management Suite Volume 11: Command Line Interface Reference in the Blue Coat documentation.

Advanced Configuration for Blue Coat Syslog

The preferred configuration uses the standard methods described in the LogLogic Blue Coat ProxySG Log Configuration Guide for access log collection and the standard configuration for event log collection.

Prerequisites and Considerations

Deciding Which Collection Method to Use for Access Logs

This method of access log collection has important differences from LogLogic's standard file-based (non-syslog) support for Blue Coat Access Logs. The recommended configuration is to use the standard collection methods described in the Blue Coat Log Source Configuration Guide. Those methods support more log formats, as well as encryption and digital signatures that cannot be offered using syslog. The advanced configuration for collection of access logs over syslog should only be used when the standard methods cannot be used. The collection methods over syslog are provided primarily as a work-around for environments where firewalls deny the protocols used by the traditional file collection method.

The standard methods of collection treat the Blue Coat access logs as a file. This is the more natural approach, as the access logs are file based, and it allows the parser to use the header line to reliably map the fields to their positions in the individual messages. Using syslog therefore entails a loss of reliability and flexibility: the exact field order cannot be determined from the data, so it must be prescribed. This is a necessary loss, since syslog is based on messages rather than files. Furthermore, any deviation from the prescribed field order will cause either a failure to parse or an improper mapping of the field data. This method is therefore more prone to error due to misconfiguration than the standard collection methods.
The standard file-based collection methods and the methods described here are mutually exclusive at the level of the log format. It is technically possible to mix use of the standard methods with the advanced configuration for syslog, but if the standard methods can be used at all then it is recommended that they be used exclusively.

Requirements on the Proxy

In order to use the Advanced Configuration you must override the value of a standard Blue Coat access log field. Usually there is one available to use; our example uses the field cs-auth-group. If you are already using this field for other purposes you must choose another standard field, preferably one that is not used by the three supported formats (otherwise that field's information will be lost). If you cannot find a standard ELFF field to override and insert in the correct position, then the Advanced configuration option cannot be used. It is recommended to use the cs-auth-group field if possible.

The advanced configuration option requires modifying three log formats to a prescribed standard and implementing a Web Access Policy on the Proxy. As in traditional support, access logging must be configured. Unlike traditional support, the advanced configuration for syslog requires a custom client to be defined. Support is limited to three message formats: main, im and streaming. These formats are modified from their defaults. The fields and field order configuration must be exact and are defined in this document.

Decide whether to overload the overridden field

The configuration requires that a standard Blue Coat access log field be overridden. This field can optionally be overloaded to also contain an identifier, such as the name of the proxy.

Configuring Log Formats

Supported Log Formats

The main, im, and streaming log formats are all supported with a specific field order that is a slight modification of the default field order found in SGOS 5.4 (and later).

Within the Configuration tab, select Access Logging > Formats. For each log format you wish to collect among main, im, and streaming, select view/edit, clear the format line of all data, and paste the format string provided below for that log format name into the format line. Click Test Format to validate your change.
These are the ELFF strings to use per log format:

main:
cs-auth-group date time time-taken cs-auth-groups c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username s-hierarchy s-supplier-name rs(content-type) cs(referer) cs(user-agent) sc-filter-result cs-categories x-virus-id s-ip

im:
date time c-ip cs-auth-group cs-auth-groups cs-username cs-protocol x-im-method x-im-user-id x-im-user-name x-im-user-state x-im-client-info x-im-buddy-id x-im-buddy-name x-im-buddy-state x-im-chat-room-id x-im-chat-room-type x-im-chat-room-members x-im-message-text x-im-message-size x-im-message-route x-im-message-type x-im-file-path x-im-file-size s-action

streaming:
date time cs-auth-group c-ip cs-auth-groups c-dns cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query c-starttime x-duration c-rate c-status c-playerid c-playerversion c-playerlanguage cs(user-agent) cs(referer) c-hostexe c-hostexever c-os c-osversion c-cpu filelength filesize avgbandwidth protocol transport audiocodec videocodec channelurl sc-bytes c-bytes s-pkts-sent c-pkts-received c-pkts-lost-client c-pkts-lost-net c-pkts-lost-cont-net c-resendreqs c-pkts-recovered-ecc c-pkts-recovered-resent c-buffercount c-totalbuffertime c-quality s-ip s-dns s-totalclients s-cpu-util x-cache-user s-session-id x-cache-info x-client-address s-action

Click Apply to save your configuration changes. The Proxy should indicate success.

Note: Make sure there are no spaces before the field names.

Configuring the Custom Client

Within Configuration > Access Logging, select Logs. If necessary, choose the first tab within this section, also called 'Logs'. Note that each Name maps to the Format with the same name for main, im, and streaming. In any case where they do not match, delete the mapping and create a new one that does.

1. Select Configuration > Access Logging > Logs > Upload Client.
2. Select Custom Client from the Client type drop-down list. Click the Settings button.
3. From the Settings for drop-down list, select whether to configure the primary or alternate custom server.
4. Fill in the server fields, as appropriate:
   a. Host: Enter the hostname or IP address of the upload destination.
   b. Port: This must be set to 514.
   c. Use secure connections (SSL): Off.
5. Click OK.
6. Click Apply.

For each log format you wish to use among main, im, and streaming, select the log and assign the Upload Client to be the custom client. Choose <No Encryption> and <No Signing> and save the log file as a text file.

Configuring a Web Access Layer Policy

Note: In our example we define a Web Access Layer policy with an Override Access Log Field object that uses the cs-auth-group field. If you choose another field to override, then configure your policy using that field.

Add the Policy to the Proxy

Use the Blue Coat Management Console Visual Policy Manager (VPM) on the proxy to create the new policy.

1. In the VPM, click Policy in the menu at top and then select Add Web Access Layer. The Web Access Layer is the broadest layer and most likely to gather data, and is recommended as the layer for this policy. An Add New Layer text box prompts you to name the layer; this example names the layer LogLogic.
2. Click OK. After a moment the Visual Policy Manager window displays the new layer.
3. Choose Edit > New Rule. Leave Any as the rule for the Source, Destination, Service, and Time objects. For the Action object, right-click Deny and choose Set. A Set Action Object window opens. In the Show drop-down list at top, select Override Access Log Field Objects. The window changes to show the defined Override Access Log Field Objects.
4. Click New and select Override Access Log Field Objects from the drop-down list. An Add Access Log Field Override Object window opens. This is where you insert the identifier string that allows the LogLogic Appliance to identify the log type.
5. Make these specifications:
   a. Provide a name that makes sense for the rule name, or accept the default name.
   b. For Log Name, select [ALL]. This ensures the field is altered in all three supported log formats.
   c. For Field Name, select the field you have identified to override; in this example, cs-auth-group.
   d. Click Rewrite value to and enter the exact text 'ProxySG:[identifier]', where [identifier] is an optional place to provide the name of the proxy.
6. Click OK. The Add Access Log Field Override Object window closes.
7. Click OK. The Set Action Object window closes.
8. In the Visual Policy Manager window, click Install Policy. The View Generated CPL and Current SG Appliance VPM Policy Files windows display. You can close the windows after verifying the generated CPL (content policy language). Close the Visual Policy Manager by clicking the window close icon.

Enabling the LogLogic Appliance to Capture Data

The following sections describe how to enable the LogLogic Appliance to capture Blue Coat Syslog Syslog messages.

With the auto-identification feature, the LogLogic Appliance recognizes Blue Coat Syslog Syslog messages by default. As the Syslog messages come into the Appliance, they are automatically identified and a new Blue Coat Syslog device is added to the log source device list. Default values are used for certain properties, such as the device name.

To enable auto-identification in the LogLogic Appliance:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Administration > System Settings. The General tab appears.
3. For Auto-identify Log Sources, select Yes.
4. Click Update.
5. Once the automatically identified device is added, you can edit its properties.

IMPORTANT! Do not change the auto-identified Device Type and Host IP information.
To edit an existing Blue Coat Syslog device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click the link of an existing Blue Coat Syslog device in the list. The Modify Device tab appears.
4. Edit the device fields as needed, then click Update Device.

Adding a Blue Coat Syslog Syslog Device

If you do not want to use the auto-identification feature, you can manually add a Blue Coat Syslog device to the LogLogic Appliance before you redirect the logs.

IMPORTANT! LogLogic highly recommends using the auto-identification feature for all supported devices. If you want to add devices manually, make sure that the Auto-identify Log Sources setting is not enabled on the LogLogic Appliance. If the auto-identification setting is enabled and you manually add devices, duplicate device entries might appear on the Appliance.

To add Blue Coat Syslog as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   Name: Name for the Blue Coat Syslog device
   Description (optional): Description of the Blue Coat Syslog device
   Device Type: Select Blue Coat Syslog from the drop-down menu
   Host IP: IP address of the Blue Coat Syslog host machine
   Enable Data Collection: Select the Yes radio button
   Refresh Device Name through DNS Lookups (optional): Select this checkbox to have the Name field updated automatically. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
5. Click Add.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Blue Coat Syslog host machine, the LogLogic Appliance uses the device you just added if the hostname or IP match.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Blue Coat Syslog and the LogLogic Appliance have been applied correctly.

To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each Blue Coat Syslog device. If the device name (Blue Coat Proxy) appears in the list of devices, then the configuration is correct.
Figure 1  Blue Coat Syslog Device Added
Chapter 2  How LogLogic Supports Blue Coat ProxySG Syslog

This chapter describes LogLogic's support for Blue Coat Syslog Syslog. LogLogic enables you to capture Blue Coat Syslog Syslog data to monitor Blue Coat Syslog events.

  How LogLogic Captures Blue Coat Syslog Log Data  19
  LogLogic Real-Time Reports  20

How LogLogic Captures Blue Coat Syslog Log Data

Blue Coat Syslog generates Syslog messages which are sent to the Syslog Listener on the LogLogic Appliance, where they are processed, stored, and made available for alerting and searching. The following figure shows how Blue Coat Syslog logs are captured and forwarded to the LogLogic Appliance for further processing.

Figure 2  Blue Coat ProxySG and LogLogic Appliance

Once the data is captured, it can be used for generating search reports such as Index search and Regular Expression search.
LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for Blue Coat ProxySG log data. The following Real-Time Reports are available:
  All Unparsed Events: Displays data for all events retrieved from the Blue Coat ProxySG log for a specified time interval
  Web Cache Activity: Displays locally-stored web cache information served during a specified time interval

To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Network Activity. The following Real-Time Report is available: Web Cache Activity
3. Click Operational. The following Real-Time Report is available: All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.
Chapter 3  Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Blue Coat Proxy. It also contains an FAQ, providing quick answers to common questions.

  Troubleshooting  21
  Frequently Asked Questions (FAQ)  21

Troubleshooting

Is your version of Blue Coat Syslog logs supported?
For more information, see Prerequisites on page 7.

Is your LogLogic Appliance running Release 5.1 or later?
If you are running a release prior to 5.1, you must upgrade. Contact LogLogic Support for more information.

Is the appropriate Log Source Package (LSP) installed properly?
Check to make sure that the installed LSP includes support for Blue Coat Syslog. Also make sure that the package was installed successfully. For more information on LSP installation procedures, see the LogLogic Log Source Package Release Notes.

If Blue Coat Syslog events are not appearing on the LogLogic Appliance...
Blue Coat Syslog might not be configured correctly. Make sure that Blue Coat Syslog is configured correctly, that syslog logging is enabled, and that a Syslog Server (i.e., the LogLogic Appliance) has been defined. For more information, see Configuring Blue Coat Syslog for Syslog Using the CLI on page 8.

Frequently Asked Questions (FAQ)

How does the LogLogic Appliance collect logs from Blue Coat Proxy?
Blue Coat Syslog sends the logs via Syslog to the LogLogic Appliance, which captures the logs using the syslog listener. For more information, see How LogLogic Captures Blue Coat Syslog Log Data on page 19.

What is the supported log format for Blue Coat Syslog?
See Supported Log Formats on page 10.
Appendix A  Event Reference

This appendix lists the LogLogic-supported Blue Coat ProxySG Syslog events. The LogLogic Blue Coat ProxySG Syslog event table identifies event formats that can be analyzed through LogLogic Agile Reports, as well as a sample log message.

LogLogic Support for Blue Coat ProxySG Syslog Events

The following list describes the contents of the sample below.
  Event ID: Not Applicable (N/A)
  Agile Reports/Search: Not Applicable (N/A)
  Title: Not Applicable (N/A)
  Event Category: The category of the event can be either Operational or Audit
  Event Type: Type of event: IM, Main or Streaming
  Sample Log Message: Sample Blue Coat ProxySG Syslog log messages

LogLogic supports all Main, IM and Streaming events if the Blue Coat ProxySG Syslog device is enabled to log them in the supported log format. These events are supported by the Web Cache Activity report.

Example IM Event:
2011-01-26 00:59:31 10.60.1.30 ProxySG:LogLabsBC - ford yahoo-im RECEIVE michaelploglogic - Online "Yahoo! Messenger 8.1.0.421" mperrone - - - - - ":( :-*" 6 service text - - ALLOWED

Example Main Event:
ProxySG:LogLabsBC 2011-01-06 20:59:52 9954 - 10.60.1.22 200 TCP_TUNNELED 10769 1929 TUNNEL tcp 205.227.136.116 8801 / - - DIRECT 205.227.136.116 - - - PROXIED "unavailable;unavailable" - 10.60.0.107

Example Streaming Event:
2011-02-07 23:00:28 ProxySG:LogLabsBC 10.60.1.30 - 10.60.1.30 rtmp 198.87.182.191 1935 / - - - 1 403 - - - "Shockwave Flash" - - - - - - - - - rtmp tcp - - - 0 - - - - - - - - - - - - 10.60.0.107 10.60.0.107 - 1 - 81297f607eb4497a UNKNOWN 10.60.1.30 DENIED
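As an added example (not LogLogic's or Blue Coat's code), the following Python helper shows how the three prescribed ELFF orders and the 'ProxySG:' marker written into the overridden cs-auth-group field let a collector tell main, im and streaming lines apart, map each value to its field name, and reject a line whose field count deviates from the prescribed order instead of silently mis-mapping it. It assumes the format strings from Configuring Log Formats and the three Appendix A samples above, with the spaces around "-" values that the extracted text had run together restored.

```python
# Hypothetical helper, not LogLogic's parser. The field orders are the three ELFF
# strings the guide prescribes for the main, im and streaming formats.
FORMATS = {
    "main": ("cs-auth-group date time time-taken cs-auth-groups c-ip sc-status s-action sc-bytes "
             "cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
             "cs-username s-hierarchy s-supplier-name rs(content-type) cs(referer) cs(user-agent) "
             "sc-filter-result cs-categories x-virus-id s-ip").split(),
    "im": ("date time c-ip cs-auth-group cs-auth-groups cs-username cs-protocol x-im-method "
           "x-im-user-id x-im-user-name x-im-user-state x-im-client-info x-im-buddy-id "
           "x-im-buddy-name x-im-buddy-state x-im-chat-room-id x-im-chat-room-type "
           "x-im-chat-room-members x-im-message-text x-im-message-size x-im-message-route "
           "x-im-message-type x-im-file-path x-im-file-size s-action").split(),
    "streaming": ("date time cs-auth-group c-ip cs-auth-groups c-dns cs-uri-scheme cs-host "
                  "cs-uri-port cs-uri-path cs-uri-query c-starttime x-duration c-rate c-status "
                  "c-playerid c-playerversion c-playerlanguage cs(user-agent) cs(referer) "
                  "c-hostexe c-hostexever c-os c-osversion c-cpu filelength filesize avgbandwidth "
                  "protocol transport audiocodec videocodec channelurl sc-bytes c-bytes "
                  "s-pkts-sent c-pkts-received c-pkts-lost-client c-pkts-lost-net "
                  "c-pkts-lost-cont-net c-resendreqs c-pkts-recovered-ecc c-pkts-recovered-resent "
                  "c-buffercount c-totalbuffertime c-quality s-ip s-dns s-totalclients s-cpu-util "
                  "x-cache-user s-session-id x-cache-info x-client-address s-action").split(),
}
MARKER = "ProxySG:"  # text the VPM policy writes into the overridden cs-auth-group field
# The three orders put cs-auth-group at different offsets (main 0, streaming 2, im 3), so
# the offset at which the marker appears tells the collector which format a line is in.
MARKER_INDEX = {name: fields.index("cs-auth-group") for name, fields in FORMATS.items()}

def tokenize(line):
    """Split an ELFF line on spaces, keeping double-quoted values (which may hold spaces) whole."""
    tokens, cur, in_quote, quoted = [], [], False, False
    for ch in line.strip():
        if ch == '"':
            in_quote, quoted = not in_quote, True
        elif ch == " " and not in_quote:
            if cur or quoted:
                tokens.append("".join(cur))
            cur, quoted = [], False
        else:
            cur.append(ch)
    if in_quote:
        raise ValueError("unterminated double quote")
    if cur or quoted:
        tokens.append("".join(cur))
    return tokens

def identify(tokens):
    """Return the format whose cs-auth-group slot carries the marker, or None."""
    for name, idx in MARKER_INDEX.items():
        if len(tokens) > idx and tokens[idx].startswith(MARKER):
            return name
    return None

def parse(line):
    """Map one syslog-delivered access-log line onto its prescribed field names."""
    tokens = tokenize(line)
    name = identify(tokens)
    if name is None:
        raise ValueError("no ProxySG: marker in a cs-auth-group slot (event log or unknown format)")
    fields = FORMATS[name]
    # A deviation from the prescribed order shows up as a length mismatch: refuse the line
    # rather than silently shifting every value onto the wrong field name.
    if len(tokens) != len(fields):
        raise ValueError(f"{name}: expected {len(fields)} fields, got {len(tokens)}")
    record = dict(zip(fields, tokens))
    record["log_format"] = name
    record["proxy_id"] = record["cs-auth-group"][len(MARKER):]  # the optional [identifier]
    return record

def is_well_formed(line):
    """True when the line parses cleanly under one of the three prescribed formats."""
    try:
        parse(line)
    except ValueError:
        return False
    return True

# The guide's Appendix A samples, with the spaces around "-" values that the extracted
# text had run together restored (my reconstruction, not captured ProxySG output).
SAMPLE_IM = ('2011-01-26 00:59:31 10.60.1.30 ProxySG:LogLabsBC - ford yahoo-im RECEIVE michaelploglogic '
             '- Online "Yahoo! Messenger 8.1.0.421" mperrone - - - - - ":( :-*" 6 service text - - ALLOWED')
SAMPLE_MAIN = ('ProxySG:LogLabsBC 2011-01-06 20:59:52 9954 - 10.60.1.22 200 TCP_TUNNELED 10769 1929 TUNNEL tcp '
               '205.227.136.116 8801 / - - DIRECT 205.227.136.116 - - - PROXIED "unavailable;unavailable" - 10.60.0.107')
SAMPLE_STREAMING = ('2011-02-07 23:00:28 ProxySG:LogLabsBC 10.60.1.30 - 10.60.1.30 rtmp 198.87.182.191 1935 / - - - '
                    '1 403 - - - "Shockwave Flash" - - - - - - - - - rtmp tcp - - - 0 - - - - - - - - - - - - '
                    '10.60.0.107 10.60.0.107 - 1 - 81297f607eb4497a UNKNOWN 10.60.1.30 DENIED')
```

A native event-log line carries no marker and is rejected, which is the distinction the guide draws between event logs and syslog-transported access logs.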