Blue Coat is a proxy that provides security and monitoring capabilities for Web users. Blue Coat supports multiple log formats, including the SQUID format.
The flat file collection mechanism used by the agent references a file and uses state tracking to retain the position of the last log read from that file. The following information is required for flat file collection to function properly and should be gathered before configuring collection:
- The LogRhythm System Monitor (agent) that will collect the audit data from the flat file.
- The name of the flat file to be accessed by the agent.
Configure SQUID-1 for Data Collection
By default, the Blue Coat Proxy Appliance is not enabled for audit access.
To enable logging on a Blue Coat Proxy Appliance:
- Select Configuration, click Access Logging, click General, and then click Default Logging.
- Select Enable. (Clearing the selection disables access logging.)
- Click Apply to commit the changes to the Blue Coat appliance.
- To configure logging, click Configuration, click Access Logging, click Logs, and then click Logs.
The log source must be configured for the Blue Coat Proxy SQUID-1 format to be usable with this log format. Other formats may be available using the ELFF format provided by Blue Coat.
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is Flat File - Blue Coat Proxy SQUID-1 Format. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the Flat File Settings tab, enter the following:
  - File Path: <path to log file, including the file name and extension>
  - Date Parsing Format: select the existing Blue Coat Proxy SQUID-1 format.
  - Log Message Start Regex: ^
The file being collected must be readable on the host running the agent, using a standard file path such as /var/log/logfile.txt or C:\logs\logfile.txt.
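To show how the settings above behave together, the following is an added example (not LogRhythm's or Blue Coat's code) that simulates flat file collection: it reads only what was appended since a saved offset (state tracking), delimits messages with the `^` start regex so each line is one message, and parses the epoch timestamp the date parsing format handles. The field layout assumed is the standard Squid native access log format, and the log lines are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a Squid-native-format access log. Assumed layout:
# timestamp elapsed client action/code size method URL ident hierarchy type
SAMPLE_LOG = (
    "1371234567.123    245 10.1.2.3 TCP_MISS/200 1534 GET "
    "http://example.com/ - DIRECT/93.184.216.34 text/html\n"
    "1371234568.456     12 10.1.2.4 TCP_DENIED/403 387 GET "
    "http://blocked.example/ - NONE/- text/html\n"
)

# Log Message Start Regex of ^ : every line begins a new message.
MESSAGE_START = re.compile(r"^", re.MULTILINE)

SQUID_FIELDS = ("timestamp", "elapsed_ms", "client", "result", "size",
                "method", "url", "ident", "hierarchy", "content_type")


def split_messages(text):
    """Cut text into messages at each match of the start regex."""
    starts = [m.start() for m in MESSAGE_START.finditer(text)] + [len(text)]
    chunks = (text[a:b].strip() for a, b in zip(starts, starts[1:]))
    return [c for c in chunks if c]


def parse_squid_line(line):
    """Parse one Squid-format line; the epoch timestamp becomes a UTC datetime."""
    parts = line.split()
    if len(parts) < len(SQUID_FIELDS):
        return None  # malformed or truncated line
    rec = dict(zip(SQUID_FIELDS, parts))
    rec["time"] = datetime.fromtimestamp(float(rec["timestamp"]), tz=timezone.utc)
    rec["action"], status = rec["result"].split("/", 1)
    rec["status"] = int(status)
    return rec


def collect(text, offset=0):
    """Poll the file content from the saved offset, returning parsed records
    and the new offset to persist. A partial trailing line is left unread so
    it is picked up whole on the next poll."""
    new_text = text[offset:]
    end = new_text.rfind("\n") + 1
    records = [parse_squid_line(m) for m in split_messages(new_text[:end])]
    return [r for r in records if r], offset + end
```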