For setup help or any questions, please post them on answers.splunk.com and tag them with SplunkAppForBlueCoatProxySG.
The app requires the Google Maps app (http://splunk-base.splunk.com/apps/22365/google-maps) from Splunkbase. You do not need to install this app if you do not wish to use the mapping features; however, the main dashboard will not render properly without it.
If you want to use the map feature, install the app dependencies from Splunkbase. If you are running a distributed Splunk setup, the app contains an Add-on that you can install on the indexers. Otherwise, you just need to install the app from Splunkbase.
In Splunk, you will need to add a new TCP data input. The app expects the source type to be bcoat_log. You may choose something different, but you will need to modify the app as well. To add this input, log into Splunk and click on Manager. Under the Data section, click on "Data inputs". Then click on "Add new" for a TCP input. On this page, you can enter the port number, 20108 for example. You can optionally override the source name as well. Leave "Set sourcetype" as "From list", and choose bcoat_log from the dropdown list. Click on "More settings", and set the index for this source to be bcoat_logs.
In Blue Coat, you will have to set up a custom log client for the logs you want to forward to Splunk. You will need to give it the Splunk indexer IP address and the TCP port you specified earlier.
If you are using a different index, in addition to modifying the bcoat_request macro, you will need to modify the bcoat_overview dashboard. To do this:
You may have to modify the incoming sourcetype, transforms.conf, and props.conf depending on your BlueCoat configuration. By default, the app expects the incoming logs to be in the bcreportermain_v1 format for ProxySG 6.2.x and above. Specifically, it expects these fields:
date, time, time_taken, c_ip, cs_username, cs_auth_group,
x_exception_id, filter_result, category, http_referrer,
sc_status, action, cs_method, http_content_type, cs_uri_scheme,
cs_host, cs_uri_port, cs_uri_path, cs_uri_query,
cs_uri_extension, http_user_agent, s_ip, sc_bytes, cs_bytes,
x_virus_id, x_bluecoat_application_name, x_bluecoat_application_operation
If you are running an earlier version of SGOS, you can create an entry in the bcoat_proxysg section of your local props.conf file to use the bcreportermain_v1_old format. It is the same format but without x_bluecoat_application_name and x_bluecoat_application_operation.
If you use a different log format than those, you will need to create an entry for it in your local transforms.conf file. Then in the bcoat_proxysg section of your local props.conf, you will need to set REPORT-main to the name you specified in the transforms.conf. You may need to set appropriate field aliases as well.
The app uses macros to define the categories for WFA issues and possible infections. Depending on your policies, you may want to modify these macros to suit your needs. They are located in the macros.conf file.
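To make the expectations above concrete, here is an added Python illustration (not part of the app) of how the bcreportermain_v1 field list, the header-line filtering and the filter_result/x_virus_id logic fit together on a log line. The sample log lines are constructed; the assumptions are that fields are space-delimited with double-quoted values, that "-" means empty, that timestamps are UTC, and that a filter_result of DENIED marks a blocked request.

```python
"""Parse Blue Coat bcreportermain_v1 lines the way the app's transforms.conf would.

Added illustration, not the app's own code. Assumptions: space-delimited fields with
double-quoted values, '#' header lines, '-' for empty values, UTC timestamps, and
filter_result == 'DENIED' marking a blocked request.
"""
import csv
from datetime import datetime, timezone

# Field order from the README for the bcreportermain_v1 format (ProxySG 6.2.x+).
FIELDS = ["date", "time", "time_taken", "c_ip", "cs_username", "cs_auth_group",
          "x_exception_id", "filter_result", "category", "http_referrer",
          "sc_status", "action", "cs_method", "http_content_type", "cs_uri_scheme",
          "cs_host", "cs_uri_port", "cs_uri_path", "cs_uri_query",
          "cs_uri_extension", "http_user_agent", "s_ip", "sc_bytes", "cs_bytes",
          "x_virus_id", "x_bluecoat_application_name", "x_bluecoat_application_operation"]

# Constructed sample: two '#' header lines (what the nullPound transform drops) and two events.
SAMPLE_LOG = """\
#Software: SGOS 6.2.x (constructed sample)
#Fields: date time time-taken c-ip cs-username cs-auth-group (header line, ignored)
2012-05-01 13:05:22 120 10.1.1.25 jdoe "Domain Users" - OBSERVED "Search Engines" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - "Mozilla/5.0" 10.1.1.5 4123 512 - "Example App" -
2012-05-01 13:05:23 5 10.1.1.26 - - policy_denied DENIED "Malicious Sources" - 403 TCP_DENIED GET - http bad.example.net 80 /payload.exe - exe "curl/7.22" 10.1.1.5 0 210 "EICAR-Test-File" - -
"""


def parse_bcoat_log(text, fields=FIELDS):
    """Return one dict per event line, skipping '#' headers and mapping '-' to None."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # nullPound: ignore header lines
            continue
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        ev = {k: (None if v == "-" else v) for k, v in zip(fields, values)}
        ev["dvc_ip"] = ev["s_ip"]  # field alias used by the app: s_ip -> dvc_ip
        # Blue Coat timestamps are always UTC (see the release note on timestamps).
        ev["_time"] = datetime.strptime(f"{ev['date']} {ev['time']}",
                                        "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        ev["blocked"] = ev["filter_result"] == "DENIED"  # assumed DENIED value
        events.append(ev)
    return events


def summarize(events):
    """Counts the app's dashboards would show: total, blocked, and possible infections."""
    return {"total": len(events),
            "blocked": sum(1 for e in events if e["blocked"]),
            "possible_infections": sum(1 for e in events if e["x_virus_id"])}
```

In the real deployment the same extraction is done by the REPORT-main transform in transforms.conf/props.conf; this script only shows what that extraction yields so you can check your own log format against it.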
Updated support information.
Moved the nullPound transform to bcoat_logs in props.conf. This makes it easier to monitor log files on disk because the header lines (lines that begin with #) are ignored.
Fixed issue with data not displaying in the app. Blue Coat always uses UTC timestamps, so the app is now configured to reflect that.
Updated About App page.
Fixed issue where the Blue Coat field s_ip was mislabeled as dest_ip instead of dvc_ip. Fixed issue preventing the Dashboard Map from populating.
Small vocab changes
Corrected the name of the log format in the README.
Fixed the location of MAX_TIMESTAMP_LOOKAHEAD in props.conf.
Latest version has improved performance and scalability.
Fixed large text in the single value display.
Updated the logic for determining whether a site was blocked to use filter_result.
Updated version of Blue Coat app
Major update to app