Creating a Custom Event Format for Blue Coat SG
To collect events from Blue Coat SG, create a custom event format.
- Log in to the Blue Coat Management Console.
- Select Configuration > Access Logging > Formats.
- Select New.
- Type a format name for the custom format.
- Select Custom format string.
- Type the following custom format:

  Note: The line breaks in these examples will cause this configuration to fail. Copy the code blocks into a text editor, remove the line breaks, and paste as a single line in the Custom Format column.

      Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)
      |dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)
      |s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)
      |time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)
      |cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)
      |cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)
      |cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))
      |cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))
      |sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)
      |cs-uri=$(cs-uri)
- Select Log Last Header from the list.
- Click OK.
- Click Apply.

  Note: The custom format for JSA supports more key-value pairs by using the Blue Coat ELFF format. For more information, see Creating Extra Custom Format Key-value Pairs.
Create a log facility on your Blue Coat device.
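To check that events produced by the custom format above arrive intact, the following added example (not part of the JSA or Blue Coat documentation) parses one event line into its key-value pairs and rejects lines whose key sequence differs from the configured format. It assumes field values are written unescaped, so a value such as a URI query may itself contain "|" or "="; the function names and sample values are constructed for illustration.

```python
import re

# Keys in the order they appear in the custom format string on this page.
KEYS = ["src", "srcport", "dst", "dstport", "username", "devicetime",
        "s-action", "sc-status", "cs-method", "time-taken", "sc-bytes",
        "cs-bytes", "cs-uri-scheme", "cs-host", "cs-uri-path", "cs-uri-query",
        "cs-uri-extension", "cs-auth-group", "rs(Content-Type)",
        "cs(User-Agent)", "cs(Referer)", "sc-filter-result",
        "filter-category", "cs-uri"]

# Split only where "|" is followed by a known key and "=", so a "|" or "="
# inside a URI, User-Agent or Referer value does not start a new field.
_BOUNDARY = re.compile(r"\|(?=(?:%s)=)" % "|".join(re.escape(k) for k in KEYS))

def parse_event(line):
    """Return {key: value}; raise ValueError if the key sequence is not
    exactly the configured one (truncated event, or a value containing
    text shaped like "|key=")."""
    parts = _BOUNDARY.split(line.rstrip("\r\n"))
    if parts[0] != "Bluecoat":
        raise ValueError("event does not start with the Bluecoat prefix")
    pairs = [p.partition("=") for p in parts[1:]]
    keys = [k for k, _, _ in pairs]
    if keys != KEYS:
        raise ValueError("unexpected key sequence: %r" % (keys,))
    return {k: v for k, _, v in pairs}

def is_well_formed(line):
    """True if the line parses into exactly the configured keys."""
    try:
        parse_event(line)
        return True
    except ValueError:
        return False

# Constructed sample values, one per key; not captured from a real device.
SAMPLE_VALUES = ["192.0.2.10", "51514", "198.51.100.7", "443", "jdoe",
                 "2024-01-01 12:00:00", "TCP_NC_MISS", "200", "GET", "35",
                 "5120", "420", "https", "www.example.com", "/search",
                 "?q=a|b&lang=en", "-", "-", "text/html", "Mozilla/5.0", "-",
                 "OBSERVED", "Search", "https://www.example.com/search?q=a|b&lang=en"]
SAMPLE = "Bluecoat|" + "|".join(k + "=" + v for k, v in zip(KEYS, SAMPLE_VALUES))
# Constructed event whose query string contains text shaped like a field.
AMBIGUOUS = SAMPLE.replace("q=a|b", "q=a|username=x")

if __name__ == "__main__":
    print(parse_event(SAMPLE)["cs-uri-query"])
    print(is_well_formed(AMBIGUOUS))
```

Lines that fail the check are worth routing to a review queue rather than dropping, since the raw event is still the record of the request.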