
What log format should be used with my Bluecoat Reporter client?

Solutions ID:    KB3682
Version:    5.0
Status:    Published
Published date:    01/28/2010
Updated:    05/21/2010
 

Problem Description

Can I use a streaming log format to send access log information to Reporter, via the Bluecoat Reporter client?

Can I use an SSL log format to send access log information to Reporter, via the Bluecoat Reporter client?

Can I use a custom log format to send access log information to Reporter, via the Bluecoat Reporter client?

I'm configuring my Secure Gateway (SG) appliance to stream logs to my Reporter server, via the Bluecoat Reporter client; what type can I send?

Resolution

The only log formats we support are the Main HTTP and HTTPS types. Sending other types of access logs can crash the Reporter server and consequently corrupt the database.

To check what type of log your SG is sending, open the logsources.cfg file in a text editor and look for the facility type, as in the example below. The facility lines show the different types that were being sent to this Reporter. As you can see, this server had Main, SSL, and streaming logs being sent to it, which was causing the server to crash. We only want "main" type logs sent via the Bluecoat Reporter client. The labels matched the type here, but technically Reporter doesn't care about the label.

 log_sources = {
  assigned = {
    assigned_16f5fa39194f9f01308da3097802aXXX = {
      ipaddr = "10.10.10.254"
      facility = "main"
      proxy = "1.2.3.4 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 11:17:40"
      database = "database_1b8f9260e96b11de8973f0004d08XXX"
      label = "main"
      type = "sgp"
      state = "enable"
    } # assigned_16f5fa39194f9f01308da3097802aXXX
    assigned_5867e10017c3640131a971811d003ee4 = {
      ipaddr = "10.10.10.254"
      facility = "ssl"
      proxy = "4.3.2.1 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 11:26:26"
      database = "database_1b8f9260e96b11de8973f0004d08XXX"
      label = "ssl"
      type = "sgp"
      state = "enable"
    } # assigned_5867e10017c3640131a971811d003XXX
    assigned_ed0200711733d5443e5db459303be5c1 = {
      ipaddr = "10.10.10.254"
      facility = "streaming"
      proxy = "6.5.4.3 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 14:54:56"
      database = "database_1b8f9260e96b11de8973f0004d088XXX"
      label = "streaming"
      type = "sgp"
      state = "enable"
    } # assigned_ed0200711733d5443e5db459303beXXX
  } # assigned
  templates = ""
  unassigned = ""
} # log_sources
 

NOTE1: The above configuration file was taken from a Reporter server that was configured to have logs streamed to it via the Bluecoat Reporter client SG feature. (See KB3489 for details on how to do this.) Below is an example of how this same file would look if you were pulling the access logs from a local folder. While we don't see the 'facility' option in this file, the result is the same: if we attempt to pull in access logs that are not of the main type, we can potentially crash the server and corrupt the database.

assigned = {
    assigned_78e70ac0a1df11de9ce4f0004c9098f8 = {
      type = "hfp"
      post = "move"
      process_subdirectories = "false"
      match_compressed = "true"
      state = "disable"
      filename = "*.log"
      label = "UAT"
      database = "database_7d2d34c09d5111de84f6f0004c88e761"
      dirname = "E:/BCRData/SYDN/Inbound"
      move_pathname = "E:/BCRData/Processed"

NOTE2: You can find this file either in the diagnostics zip file uploaded to the SR, or in the settings folder in the Reporter installation folder.
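
One way to automate the facility check described in the Resolution, as an added example that is not Blue Coat's code: a small Python parser for the logsources.cfg layout that lists every source whose facility is set to something other than "main", whatever its label says. The sample config, its ids and the function names are constructed for illustration.

```python
import re

# Constructed sample in the logsources.cfg layout (ids and values are made up).
SAMPLE = '''
log_sources = {
  assigned = {
    assigned_aaaa = {
      facility = "main"
      label = "main"
    } # assigned_aaaa
    assigned_bbbb = {
      facility = "ssl"
      label = "main"
    } # assigned_bbbb
    assigned_cccc = {
      type = "hfp"
      label = "UAT"
    } # assigned_cccc
  } # assigned
} # log_sources
'''

OPEN = re.compile(r'^\s*(\w+)\s*=\s*\{')          # name = {
PAIR = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')   # key = "value"

def parse_sources(text):
    """Return {block_name: {key: value}} for every assigned_<id> block."""
    sources, stack = {}, []
    for line in text.splitlines():
        pair, opened = PAIR.match(line), OPEN.match(line)
        if opened:
            stack.append(opened.group(1))
            if stack[-1].startswith("assigned_"):
                sources[stack[-1]] = {}
        elif pair and stack and stack[-1] in sources:
            sources[stack[-1]][pair.group(1)] = pair.group(2)
        elif line.strip().startswith("}") and stack:
            stack.pop()  # closing brace, with or without a "# name" comment
    return sources

def non_main_sources(sources):
    """List (block, facility, label) where facility is set and is not "main"."""
    return sorted((name, cfg["facility"], cfg.get("label", ""))
                  for name, cfg in sources.items()
                  if "facility" in cfg and cfg["facility"] != "main")

if __name__ == "__main__":
    for name, facility, label in non_main_sources(parse_sources(SAMPLE)):
        print(f"{name}: facility={facility!r} label={label!r}")
```

Entries without a facility line, such as the local-folder source in NOTE1, are not flagged by this check; the log files in those folders still have to be verified as main type separately.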

NOTE2: Streaming access logs are currently not supported by Reporter, version 9.x.

NOTE3: SSL MAIN logs are supported, but only using the FTP upload configuration.  For more details please see these other KB articles:

For information on the right access log to use, and its required fields, see:

https://kb.bluecoat.com/index?page=content&id=FAQ282

For how to configure the SG to send its access logs up to Reporter via FTP, see:

https://kb.bluecoat.com/index?page=content&id=KB2983

