What log format should be used with my Bluecoat Reporter client?



Solution

Overview

Can I use a streaming log format to send access log information to Reporter, via the Bluecoat Reporter client?

Can I use the SSL log format to send access log information to Reporter, via the Bluecoat Reporter client?

Can I use a Custom log format to send access log information to Reporter, via the Bluecoat Reporter client?

I'm configuring my Secure Gateway (SG) appliance to stream logs to my Reporter server, via the Bluecoat Reporter client; what type can I send?

Cause
Resolution

The only log formats we support are the Main HTTP and HTTPS types. Sending other types of access logs can crash the Reporter server, and consequently corrupt the database.

To check what type of log your SG is sending, open the logsources.cfg file in a text editor and look for the facility type, as in the example below. The facility lines show the different types that were being sent to this Reporter. As you can see, this server had main, SSL, and streaming logs being sent to it, which was causing the server to crash. We only want "main" type logs sent via the Bluecoat Reporter client. The labels matched the type but, technically, Reporter doesn't care about the label.

log_sources = {
  assigned = {
    assigned_16f5fa39194f9f01308da3097802aXXX = {
      ipaddr = "10.10.10.254"
      facility = "main"
      proxy = "1.2.3.4 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 11:17:40"
      database = "database_1b8f9260e96b11de8973f0004d08XXX"
      label = "main"
      type = "sgp"
      state = "enable"
    } # assigned_16f5fa39194f9f01308da3097802aXXX
    assigned_5867e10017c3640131a971811d003ee4 = {
      ipaddr = "10.10.10.254"
      facility = "ssl"
      proxy = "4.3.2.1 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 11:26:26"
      database = "database_1b8f9260e96b11de8973f0004d08XXX"
      label = "ssl"
      type = "sgp"
      state = "enable"
    } # assigned_5867e10017c3640131a971811d003XXX
    assigned_ed0200711733d5443e5db459303be5c1 = {
      ipaddr = "10.10.10.254"
      facility = "streaming"
      proxy = "6.5.4.3 - Blue Coat SG510 Series"
      serial = "4307104150"
      ttl = "12/16/2009 14:54:56"
      database = "database_1b8f9260e96b11de8973f0004d088XXX"
      label = "streaming"
      type = "sgp"
      state = "enable"
    } # assigned_ed0200711733d5443e5db459303beXXX
  } # assigned
  templates = ""
  unassigned = ""
} # log_sources
 

NOTE1: The above configuration file was taken from a Reporter server that was configured to have logs streamed to it, via the Bluecoat Reporter client SG feature. Below is an example of how this same file would look if you were pulling the access logs from a local folder. While we don't see the 'facility' option in this file, the result is the same: if we attempt to pull in access logs that are not of the main type, we can potentially crash and corrupt the database.

assigned = {
    assigned_78e70ac0a1df11de9ce4f0004c9098f8 = {
      type = "hfp"
      post = "move"
      process_subdirectories = "false"
      match_compressed = "true"
      state = "disable"
      filename = "*.log"
      label = "UAT"
      database = "database_7d2d34c09d5111de84f6f0004c88e761"
      dirname = "E:/BCRData/SYDN/Inbound"
      move_pathname = "E:/BCRData/Processed"

NOTE2: You can find this file either in the diagnostics zip file uploaded to the SR, or in the settings folder in the Reporter installation folder.

NOTE3: Streaming access logs are currently not supported by Reporter, version 9.x.

NOTE4: SSL MAIN logs are supported, but only using the FTP upload configuration. For more details please see these other KB articles:

For information on the right access log to use, and its required fields, see 000021974

For how to configure the SG to send its access logs up to Reporter via FTP, see 000008692
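
As an added example (not Blue Coat's code), the Python script below automates the logsources.cfg check described above: it reads the file, lists each assigned source with its facility, and flags anything other than "main". Sources with no facility entry, like the hfp excerpt, are marked for a manual check of the log files. The function names, verdict labels and sample ids are illustrative assumptions.

```python
import re
import sys

SUPPORTED = "main"  # per the article: only "main" logs via the Reporter client
OPEN = re.compile(r'^(\w+)\s*=\s*\{')          # name = {
PAIR = re.compile(r'^(\w+)\s*=\s*"([^"]*)"')   # key = "value"

def parse_sources(text):
    """Return {block_name: {key: value}} for every assigned_<id> block."""
    sources, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        opened, pair = OPEN.match(line), PAIR.match(line)
        if line.startswith("}"):               # "} # name" closes a block
            del stack[-1:]                     # no-op on a stray "}"
        elif opened:
            stack.append(opened.group(1))
            if opened.group(1).startswith("assigned_"):
                sources[opened.group(1)] = {}
        elif pair and stack and stack[-1] in sources:
            sources[stack[-1]][pair.group(1)] = pair.group(2)
    return sources

def audit(text):
    """Return [(block_name, type, facility, verdict)] for each log source."""
    rows = []
    for name, cfg in parse_sources(text).items():
        facility = cfg.get("facility")
        # No facility key (e.g. type "hfp"): the log files need checking by hand.
        verdict = {None: "CHECK-FILES", SUPPORTED: "OK"}.get(facility, "UNSUPPORTED")
        rows.append((name, cfg.get("type"), facility, verdict))
    return rows

# Constructed sample with placeholder ids; the last block is cut short on purpose.
SAMPLE = """assigned = {
    assigned_AAA = {
      facility = "main"
      type = "sgp"
    } # assigned_AAA
    assigned_BBB = {
      facility = "ssl"
      type = "sgp"
    } # assigned_BBB
    assigned_CCC = {
      type = "hfp"
"""

if __name__ == "__main__":
    for row in audit(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE):
        print(*row, sep="\t")
```

Run it with the path to logsources.cfg as the only argument; with no argument it audits the constructed sample.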

InQuira Doc Id: KB3682
First Published      10/01/2014
Last Modified      08/06/2015
Last Published      08/06/2015
Topic      Access Logging, Crash / Restart, Database, Log Processing, Reporting
Article Number      000015481