METRON-162: Create Bluecoat Parser

Details

    • Type: New Feature
    • Status: To Do
    • Priority: Minor
    • Resolution: Unresolved

    Description

      Create a parser for Bluecoat proxy logs.

      A single line from a Bluecoat log is a whitespace-delimited list of fields (quoted fields may themselves contain spaces) that looks like the following, together with the JSON it should parse into:

      2015-09-02 08:30:43 517 101.21.14.218 200 TCP_NC_MISS 212 1248 POST http 196.156.17.4 80 /idle/aF8mdz02zSLRiX-Z/1669 - abc123 ORG\GR%20GG%20ORG%20USR%20Companyweb - 196.156.17.4 application/x-fcs - "Shockwave Flash" OBSERVED "DestinationAppServers;Audio/Video Clips" - 10.79.11.218 Certificate
      ...
      {"csauthtype" : "Certificate",
      "ip_dst_port" : "80",
      "cs_username" : "abc123",
      "http_uripath" : "/idle/aF8mdz02zSLRiX-Z/1669",
      "protocol" : "http",
      "http_method" : "POST",
      "csauthgroup" : "ORG\\GR%20GG%20ORG%20USR%20Companyweb",
      "csbytes" : "1248",
      "proxy_ip_addr" : "10.79.11.218",
      "scbytes" : "212",
      "cshost" : "196.156.17.4",
      "scfilterresult" : "OBSERVED",
      "time_taken" : "517",
      "saction" : "TCP_NC_MISS",
      "cscategories" : "DestinationAppServers;Audio/Video Clips",
      "http_status" : "200",
      "http_useragent" : "Shockwave Flash",
      "ssupliername" : "196.156.17.4"
      }

      These fields correspond to the following labels:

      date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type
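      A parser for the line format and field mapping described above, written here as an added example for this ticket and not Metron's own parser code (Metron parsers are Java; this is Python for illustration). It assumes that fields written as "-" are dropped, that labels absent from the JSON above (date, time, c-ip, rs(Content-Type)) are kept under their raw label, and that a Metron-style epoch-millisecond "timestamp" is derived from the date and time fields read as UTC.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Field labels in the order the ticket lists them.
BLUECOAT_LABELS: List[str] = (
    "date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
    "cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) "
    "cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type"
).split()

# Label -> output key, as in the JSON the ticket shows. Labels missing from that
# JSON (date, time, c-ip, rs(Content-Type)) are kept under the raw label: assumption.
OUTPUT_KEYS: Dict[str, str] = {
    "time-taken": "time_taken", "sc-status": "http_status", "s-action": "saction",
    "sc-bytes": "scbytes", "cs-bytes": "csbytes", "cs-method": "http_method",
    "cs-uri-scheme": "protocol", "cs-host": "cshost", "cs-uri-port": "ip_dst_port",
    "cs-uri-path": "http_uripath", "cs-username": "cs_username",
    "cs-auth-group": "csauthgroup", "s-supplier-name": "ssupliername",
    "cs(User-Agent)": "http_useragent", "sc-filter-result": "scfilterresult",
    "cs-categories": "cscategories", "s-ip": "proxy_ip_addr", "cs-auth-type": "csauthtype",
}

# A token is a double-quoted run (which may contain spaces) or a bare run of
# non-whitespace. Backslash is not an escape here, so ORG\GR stays intact.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(line: str) -> List[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def parse_bluecoat(line: str) -> Dict[str, object]:
    """Map one Bluecoat log line onto the flat field names the ticket describes."""
    fields = tokenize(line.strip())
    if len(fields) != len(BLUECOAT_LABELS):  # reject malformed or truncated lines
        raise ValueError(f"expected {len(BLUECOAT_LABELS)} fields, got {len(fields)}")
    message: Dict[str, object] = {}
    for label, value in zip(BLUECOAT_LABELS, fields):
        if value == "-":  # Bluecoat's placeholder for an empty field: omit the key
            continue
        message[OUTPUT_KEYS.get(label, label)] = value
    # Assumption: a Metron-style epoch-millisecond "timestamp", date + time read as UTC.
    if "date" in message and "time" in message:
        when = datetime.strptime(f"{message['date']} {message['time']}", "%Y-%m-%d %H:%M:%S")
        message["timestamp"] = int(when.replace(tzinfo=timezone.utc).timestamp() * 1000)
    return message
```

Running parse_bluecoat over the sample line above yields the keys shown in the ticket's JSON, with the four "-" fields absent.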

      People

        Assignee: Unassigned
        Reporter: Phil Austin