
Blue Coat ProxySG Page 1 of 24

McAfee Enterprise Security Manager Data Source Configuration Guide

Data Source: Blue Coat ProxySG

September 22, 2014


Important Note: The information contained in this document is confidential and proprietary.

Please do not redistribute without permission.


Table of Contents

1   Introduction
2   Prerequisites
3   Specific Data Source Configuration Details
    3.1   Blue Coat ProxySG Configuration
          Creating a Custom Log Format
          Blue Coat Syslog Configuration
          FileZilla FTP Server Configuration
          Blue Coat FTP Configuration
    3.2   McAfee Receiver Configuration
          Syslog setup
          FTP Setup
4   Data Source Event to McAfee Field Mappings
    4.1   Log Format
    4.2   Mappings
          nFP2P
5   Appendix A - Generic Syslog Configuration Details
6   Appendix B - Troubleshooting


1 Introduction

This guide details how to configure Blue Coat ProxySG to send System and Access logs to the ESM, either via Syslog or via file retrieval (FTP, SCP, etc.), in the format the ESM parser expects. It is based on setting up Blue Coat version 7.0 and above.

2 Prerequisites

McAfee Enterprise Security Manager Version 8.3.0 and above.

Administrative-level access to the ProxySG is required to configure its Syslog or FTP upload services as documented below.

To use FTP, an intermediary server running an FTP service (such as FileZilla, vsftpd, etc.) with sufficient storage for the Access logs must be used: the ProxySG uploads to it and the Receiver retrieves from it. For the purposes of this guide, FileZilla will be used.


3 Specific Data Source Configuration Details

3.1 Blue Coat ProxySG Configuration

Creating a Custom Log Format

McAfee SIEM requires a custom format for the Blue Coat Access Logs.

• Select Configuration | Access Logging | Formats.
• Click New. The Create Format dialog appears.
• Give the format a name.
• Choose W3C Extended Log File Format (ELFF) string and enter the following custom format. The field order matters: the ESM parser expects exactly this sequence (see Section 4.1).

date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes

  o If you would rather use one of the McAfee-specific custom formats (nFMAIN, nFIM, nFSSL, nFSTREAM, nFP2P, listed in Section 4.1) instead of the ELFF string, choose "Custom format string (specify below)" and enter that format string in place of the one above.


• Click Test Format to ensure that there are no syntax errors.
• For Multiple-valued header policy, choose Log all headers.
• Click OK.

Associating the Custom Log Format with a Custom Log

• Select Configuration | Access Logging | Logs | Logs.
• Click New. The Create Log dialog appears.
• Enter a Log Name.
• For Log Format, choose your custom format from the pull-down.
• Add a meaningful Description.
• Enter the Maximum size of the remote file.
  o This is the maximum size the log file will reach before rolling over to a new file.
• Enter an Early Upload file size.
• Click OK.

Associating the Custom Log with the Web Content Policy

• Select Configuration | Policy | Visual Policy Manager | Launch.
• Once the Visual Policy Manager (VPM) has launched, you can either add a new Web Content Layer or edit an existing one. This document walks through adding a new Web Content Layer.
• In the VPM, select Policy | Add Web Content Layer.
• Enter a name for the new Web Content Layer.
• Right-click the Action column and select Set.
• Select New | Modify Access Logging.
• Select Enable logging to: and choose the Custom Log created above from the drop-down menu.
• Click OK.
• Click Install Policy.

Blue Coat Syslog Configuration

Enable Access Logging Globally

• Select Configuration | Access Logging | General | Default Logging.
• Select Enable Access Logging.
• Click Apply.


Syslog Configuration

• Select Configuration | Access Logging | Logs | Upload Client.
• In the Log drop-down, choose the Custom Log created in Section 3.1 (Creating a Custom Log Format).
• Select Custom Client from the Client Type drop-down, then click Settings.
• Fill in the fields:
  o Host - the IP address of the McAfee Event Receiver.
  o Port - 514.
  o Use Secure Connections (SSL) - uncheck. With this unchecked the access log is streamed in clear text, so leave Require Syslog TLS disabled on the Receiver (Section 3.2) and keep the ProxySG-to-Receiver path on a trusted management network.
• Click OK.
• Click Apply.
• Back at the Upload Client configuration, keep all defaults except Save the log file as; choose text file here. Leave all other options at their defaults.
• Click on the Upload Schedule tab.
• Select Upload Type. Keep all defaults except "Upload the access log"; change this setting to "continuously". This streams the access log to the McAfee Event Receiver as it is written.
• Click OK.
• Click Apply.

FileZilla FTP Server Configuration

If FTP is the chosen transfer method, the intermediary FTP server must be set up first. This guide uses FileZilla Server on Windows.

• Download FileZilla Server for Windows from http://filezilla-project.org/download.php?type=server
• Install FileZilla Server on the Windows server of your choice and accept all of the default options.
• Create a directory that will be used to store the Blue Coat ProxySG Access Logs. In this guide, D:\BlueCoatLogs will be used.
• With FileZilla Server running, the FileZilla Server window opens. Click Edit > Users. This lists the current users (none yet) and is where new users are configured.
• On the "General" page (left-hand side), click the "Add" button under the Users section on the right-hand side. Type in the FTP account name. In this example, use "proxysg" as the account name. The user does not have to be a member of a group.
• Make sure "Enable Account" is checked under the account settings section. Also check "Password:" and give the newly created "proxysg" user a password. This example uses "bluecoat" so that it can be recognised in the later steps; in production, use a long, unique password, because the same credential is entered on the ProxySG and on the Receiver and travels over plain FTP.
• Click on the "Shared Folders" page. Click the "Add" button, walk the directory tree to D:\BlueCoatLogs\ and click OK. Give that user all file rights (Read, Write, Delete, Append) and all directory rights (Create, Delete, List, + Subdirs) on D:\BlueCoatLogs\. Make sure that D:\BlueCoatLogs\ has a capital H next to it; if not, highlight the directory and click "Set as home dir". The "H" marks D:\BlueCoatLogs as the home directory for that user, so when "proxysg" logs in, its root directory is D:\BlueCoatLogs\. Share no other directory with this account.
• Click OK to save the user.
• The FileZilla FTP server should now be up and running and the "proxysg" user is ready to use.


Blue Coat FTP Configuration

Enable Access Logging Globally

• Select Configuration | Access Logging | General | Default Logging.
• Select Enable Access Logging.
• Click Apply.

FTP Upload Configuration

• Select Configuration | Access Logging | Logs | Upload Client. This lists all of the Blue Coat Access Logs and is where each access log is configured to upload its data to the FTP server (in this case the FileZilla Server).


• In the Log drop-down, choose the Custom Log created in Section 3.1.
• Choose FTP Client from the Upload Client Type drop-down, and click Settings.
• Fill in the fields:
  o Host: the IP address of the FileZilla FTP server.
  o Port: 21 is the default FTP port.
  o Path: enter / (without quotes).
  o Username: enter proxysg (the user created in the FileZilla FTP Server Configuration section above).
  o Click Change Primary Password, enter the password twice, then click OK. In this guide, bluecoat would be entered twice (the password configured for the "proxysg" user above).
  o Filename: the filename can contain literal text and/or specifiers. The filename used in this guide includes the log name, the last octet of the ProxySG's IP address, and the month, day, hour, minute and second of the upload.
  o Uncheck Use Secure Connections (SSL), as the FileZilla Server is not configured for FTPS or SFTP. The upload, including the FTP credentials, is therefore sent in clear text; keep the ProxySG-to-FTP-server path on a trusted network.
  o Check Local Time if you would like the upload time to be recorded in local time instead of UTC.
  o Click OK.
  o Click Apply.
• Back at the Upload Client configuration, keep all defaults except "Save the log file as"; choose gzip file. This reduces the log file size, and the McAfee Event Receiver is capable of decompressing a gzipped log file and parsing the logs within.
• Click on the Upload Schedule tab.
• In the Log drop-down, choose the Custom Log created in Section 3.1.
• Under Upload Type, choose periodically.
• Under Rotate the Log File, select Every 0 hours and 5 minutes. The Blue Coat ProxySG will now upload the access logs to the FTP server every 5 minutes.
• Click Apply.
• Test to make sure the upload is successful. On the Upload Client tab, click Test Upload. Go to the FTP server (FileZilla Server) and check that the user proxysg logged in and uploaded a file named "main_upload_result" to the FTP server.


3.2 McAfee Receiver Configuration

Syslog setup

After successfully logging into the McAfee ESM console, the data source needs to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select "Data Sources".
4. Select "Add Data Source".

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the "Add Data Source" icon.

Data Source Screen Settings

1. Data Source Vendor - Blue Coat Systems
2. Data Source Model - ProxySG Access Log (ASP)
3. Data Format - Default
4. Data Retrieval - Default
5. Enabled: Parsing/Logging/SNMP Trap - <Defaults>
6. Name - Name of data source
7. IP Address/Hostname - The IP address and host name of the ProxySG sending the logs
8. Syslog Relay - <Enable>
9. Mask - <Default>
10. Require Syslog TLS - Enable to require the Receiver to communicate over TLS (leave disabled when Use Secure Connections (SSL) was unchecked on the ProxySG in Section 3.1)
11. Support Generic Syslogs - <Default>
12. Time Zone - Time zone of data being sent


FTP Setup

After successfully logging into the McAfee ESM console, the data source needs to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select "Data Sources".
4. Select "Add Data Source".

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the "Add Data Source" icon.

Data Source Screen Settings

1. Data Source Vendor - Blue Coat Systems
2. Data Source Model - ProxySG Access Log (ASP)
3. Data Format - Default
4. Data Retrieval - FTP File Source
5. Enabled: Parsing/Logging/SNMP Trap - <Defaults>
6. Name - Name of data source
7. IP Address/Hostname - The address the Receiver connects to for retrieval, i.e. the FTP server the ProxySG uploads to (the FileZilla Server in this guide)
8. Port - 21 (default for FTP)
9. Number of Lines per record - <Default>
10. Interval - 5 Minutes (matches the ProxySG upload schedule)
11. File Completion - 60 Seconds (a file is not retrieved until it has been unchanged for this long, so a file still being uploaded is not parsed half-written)
12. Delete processed files - Check this to have the Receiver delete the files from the FTP server after they are processed
13. Path - Enter / (without quotation marks)
14. Wildcard expression - *.log.gz
15. Username - The username for the FTP account (proxysg in this guide)
16. Password - The password for the FTP account
17. Encryption - Leave unchecked
18. Support Generic Syslogs - Do nothing
19. Time Zone - Time zone of data being sent; set this to the time zone of the log timestamps, otherwise events may be discarded (see Appendix B)

Note - Refer to Appendix A for details on the Data Source Screen options.
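The following Python script is an added example, not part of this guide and not McAfee's Receiver code. It reproduces the pickup rules configured above against a local stand-in for the FTP drop directory: it applies the *.log.gz wildcard, honours the 60-second File Completion setting, confirms that each gzip carries the #Fields header from Section 3.1 before treating it as ready, and optionally deletes processed files. The directory contents, file names (which follow the pattern described in Section 3.1: log name, last octet of the proxy address, month day hour minute second) and the sample record are constructed for the example.

```python
"""Check a FileZilla drop directory the way the Receiver's FTP File Source
(Section 3.2) will: take only files matching the Wildcard expression
(*.log.gz), treat a file as complete only once it has been untouched for the
File Completion interval (60 s), confirm the gzip body carries the #Fields
header of the Section 3.1 custom format, and delete files once processed.
The directory and files are constructed here for the example and are not
real ProxySG output."""
import fnmatch
import gzip
import os
import tempfile
import time

WILDCARD = "*.log.gz"           # Receiver "Wildcard expression"
FILE_COMPLETION_SECONDS = 60    # Receiver "File Completion"
EXPECTED_FIELDS = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path "
    "cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes"
)


def build_drop_dir():
    """Constructed stand-in for D:\\BlueCoatLogs after a Test Upload, one
    finished upload, one upload still in progress and one damaged file."""
    d = tempfile.mkdtemp(prefix="bluecoatlogs_")
    old = time.time() - 2 * FILE_COMPLETION_SECONDS
    # Finished upload: valid gzip, expected header, untouched for 2 minutes.
    good = os.path.join(d, "SG_main_10_0922101500.log.gz")
    with gzip.open(good, "wt") as f:
        f.write("#Software: SGOS\n#Fields: %s\n" % EXPECTED_FIELDS)
        f.write("2014-09-22 10:15:01 120 10.1.2.3 jdoe - - OBSERVED - - 200 "
                "TCP_NC_MISS GET text/html http www.example.com 80 / - - "
                "\"Mozilla/5.0\" 10.1.0.10 5123 412\n")
    os.utime(good, (old, old))
    # Still uploading: mtime is now, so File Completion has not elapsed.
    with gzip.open(os.path.join(d, "SG_main_10_0922102000.log.gz"), "wt") as f:
        f.write("#Fields: %s\n" % EXPECTED_FIELDS)
    # Damaged: a .log.gz name whose body is not gzip at all.
    wrong = os.path.join(d, "SG_main_10_0922100000.log.gz")
    with open(wrong, "w") as f:
        f.write("#Fields: %s\n" % EXPECTED_FIELDS)
    os.utime(wrong, (old, old))
    # Left by "Test Upload"; the wildcard must not pick it up.
    with open(os.path.join(d, "main_upload_result"), "w") as f:
        f.write("test\n")
    return d


def classify(drop_dir, now=None):
    """Return (ready, waiting, bad) file-name lists for one Receiver pass."""
    now = time.time() if now is None else now
    ready, waiting, bad = [], [], []
    for name in sorted(os.listdir(drop_dir)):
        if not fnmatch.fnmatch(name, WILDCARD):
            continue
        path = os.path.join(drop_dir, name)
        if now - os.path.getmtime(path) < FILE_COMPLETION_SECONDS:
            waiting.append(name)
            continue
        try:
            with gzip.open(path, "rt") as f:
                head = [f.readline() for _ in range(5)]
        except (OSError, EOFError) as exc:
            bad.append((name, "not a readable gzip: %s" % exc))
            continue
        fields = [line for line in head if line.startswith("#Fields:")]
        if not fields or fields[0].split()[1:] != EXPECTED_FIELDS.split():
            bad.append((name, "#Fields header missing or differs from Section 3.1"))
        else:
            ready.append(name)
    return ready, waiting, bad


def process(drop_dir, delete=False):
    """One pass; delete=True behaves like "Delete processed files"."""
    ready, waiting, bad = classify(drop_dir)
    if delete:
        for name in ready:
            os.remove(os.path.join(drop_dir, name))
    return ready, waiting, bad


def remaining(drop_dir):
    return sorted(os.listdir(drop_dir))
```

Run it against the real D:\BlueCoatLogs share (with delete left off) when the Receiver reports no events: a file stuck in "waiting" means the ProxySG is still writing it or its clock is ahead of the server's, and a file in "bad" means the wrong "Save the log file as" option or a format edited on the proxy.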


4 Data Source Event to McAfee Field Mappings

4.1 Log Format

The expected format for this device is as follows:

Access log event v6 log example (the format string entered in Section 3.1 is this list without the trailing x-virus-id):
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id

Access log event v5.4.6.1 log example:
date time c-ip c-port r-ip r-port x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-method x-cifs-server x-cifs-share x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read x-cifs-server-bytes-read x-cifs-bytes-written x-client-connection-bytes x-server-connection-bytes x-server-adn-connection-bytes x-cifs-client-read-operations x-cifs-client-write-operations x-cifs-client-other-operations x-cifs-server-operations s-action x-cifs-error-code cs-username cs-auth-group s-ip

The following log formats are supported custom formats. Each is the literal format tag followed by comma-separated Key=|$(specifier)| pairs; the ProxySG substitutes the $(...) specifiers when it writes the record.

nFMAIN log example:
nFMAIN Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Status=|$(sc-status)|, Action=|$(s-action)|, IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, Method=|$(cs-method)|, Scheme=|$(cs-uri-scheme)|, Username=|$(cs-username)|, Supplier=|$(s-supplier-name)|, UserAgent=|$(cs(User-Agent))|, Result=|$(sc-filter-result)|, Category=|$(sc-filter-category)|, Virus=|$(x-virus-id)|, DeviceIP=|$(s-ip)|, DevicePort=|$(s-port)|, URL=|$(c-uri)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|

nFIM log example:
nFIM Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Username=|$(cs-username)|, Protocol=|$(cs-protocol)|, Method=|$(x-im-method)|, User-Id=|$(x-im-user-id)|, Client=|$(x-im-client-info)|, Buddy=|$(x-im-buddy-id)|, ChatRoom=|$(x-im-chat-room-id)|, Action=|$(s-action)|, File=|$(x-im-file-path)|, FileSize=|$(x-im-file-size)|, DeviceIP=|$(s-ip)|

nFSSL log example:
nFSSL Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Action=|$(s-action)|, CertStatus=|$(x-rs-certificate-validate-status)|, Errors=|$(x-rs-certificate-observed-errors)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|, Supplier=|$(s-supplier-name)|, ClientCipher=|$(x-rs-connection-negotiated-ssl-version)|, ClientCiphernegotiate=|$(x-rs-connection-negotiated-cipher)|, CipherSize=|$(x-rs-connection-negotiated-cipher-size)|, Category=|$(x-rs-certificate-hostname-category)|, ServerCipher=|$(x-cs-connection-negotiated-ssl-version)|, ServernegotiatedCipher=|$(x-cs-connection-negotiated-cipher)|, ServerCipherSize=|$(x-cs-connection-negotiated-cipher-size)|, Device=|$(s-ip)|, IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, Protocol=|$(cs-protocol)|, URL=|$(c-uri)|

nFSTREAM log example:
nFSTREAM Date=|$(date)|, Time=|$(time)|, Scheme=|$(cs-uri-scheme)|, DestinationPort=|$(cs-uri-port)|, Status=|$(c-status)|, User-Agent=|$(cs(User-Agent))|, Hostexe=|$(c-hostexe)|, Hostexever=|$(c-hostexever)|, Filesize=|$(filesize)|, Protocol=|$(transport)|, Bytes1=|$(sc-bytes)|, Bytes2=|$(c-bytes)|, Device=|$(s-ip)|, Source=|$(x-client-address)|, URL=|$(c-uri)|, Method=|$(cs-method)|

nFP2P log example:
nFP2P Date=|$(date)|, Time=|$(time)|, Source=|$(c-ip)|, Username=|$(cs-username)|, Protocol=|$(cs-protocol)|, ClientType=|$(x-p2p-client-type)|, Bytes1=|$(x-p2p-client-bytes)|, Bytes2=|$(x-p2p-peer-bytes)|, Action=|$(s-action)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|, Device=|$(s-ip)|


4.2 Mappings

Access Log

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
Date, Time            Firsttime, lasttime
c-ip                  src_ip
cs-username           src_username
sc-filter-result      Query_Response.Query_Response*
cs-categories         Subject.Subject
sc-status             Action
s-action              Message
cs-method             commandname
rs-Content-Type       application
cs-host               domain
cs-uri-port           src_port
cs-uri-path           URL.URL
                      Job_Name.Job_Name*
cs-User-Agent         User_Agent.User_Agent*
s-ip                  dst_ip
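The following Python parser is an added example, not code from this guide or from McAfee. It reads an ELFF upload written with the Section 3.1 custom format, taking the column order from the #Fields directive rather than trusting it, handles the double-quoted multi-word values (group names, categories, User-Agent) that a naive split on spaces would break, and renames the columns to the ESM fields exactly as the Access Log table above prints them (including cs-uri-port to src_port). The two records and the directive lines are constructed for the example; they are not real ProxySG output.

```python
"""Parse Blue Coat ProxySG W3C ELFF access-log records written with the
custom format from Section 3.1 and map them to the McAfee ESM field names in
the Section 4.2 "Access Log" table.  SAMPLE_LOG is constructed for this
example and was not produced by a ProxySG."""
import shlex
from datetime import datetime, timezone

# Column order of the custom format string entered in Section 3.1.
CUSTOM_FORMAT = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path "
    "cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes"
).split()

# ELFF field -> ESM field, transcribed from the Section 4.2 Access Log table.
ESM_MAP = {
    "c-ip": "src_ip",
    "cs-username": "src_username",
    "sc-filter-result": "Query_Response",
    "cs-categories": "Subject",
    "sc-status": "Action",
    "s-action": "Message",
    "cs-method": "commandname",
    "rs(Content-Type)": "application",
    "cs-host": "domain",
    "cs-uri-port": "src_port",
    "cs-uri-path": "URL",
    "cs(User-Agent)": "User_Agent",
    "s-ip": "dst_ip",
}

# Constructed upload: ELFF directives, then two records.  Values containing
# spaces are double-quoted and empty values are "-", as in ProxySG output.
SAMPLE_LOG = """#Software: SGOS
#Version: 1.0
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes
2014-09-22 10:15:01 120 10.1.2.3 jdoe "Domain Users" - OBSERVED "Search Engines/Portals" http://www.example.com/ 200 TCP_NC_MISS GET text/html http www.example.com 80 /search q=siem html "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0" 10.1.0.10 5123 412
2014-09-22 10:15:02 5 10.1.2.4 - - policy_denied DENIED "Malicious Sources/Malnets" - 403 TCP_DENIED GET - http bad.example.net 80 /payload.exe - exe "curl/7.37.0" 10.1.0.10 0 250
"""


def parse_elff(text):
    """Yield one {field: value} dict per record.  The #Fields directive sets
    the column order; a format edited on the proxy is rejected instead of
    being silently mis-mapped."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
                if fields != CUSTOM_FORMAT:
                    raise ValueError("#Fields header differs from the Section 3.1 format")
            continue
        if fields is None:
            raise ValueError("record seen before any #Fields directive")
        # shlex keeps double-quoted values such as the User-Agent in one
        # column; str.split would scatter them across several.
        values = shlex.split(line)
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d: %s" % (len(fields), len(values), line))
        yield dict(zip(fields, values))


def to_esm(record):
    """Apply the Section 4.2 mapping: date+time become firsttime/lasttime
    (taken as UTC here), mapped columns are renamed, "-" placeholders are
    dropped rather than stored as literal dashes."""
    stamp = datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")
    stamp = stamp.replace(tzinfo=timezone.utc)
    event = {"firsttime": stamp, "lasttime": stamp}
    for elff_name, esm_name in ESM_MAP.items():
        value = record.get(elff_name, "-")
        if value != "-":
            event[esm_name] = value
    return event


def load_events(text=SAMPLE_LOG):
    return [to_esm(record) for record in parse_elff(text)]


if __name__ == "__main__":
    for event in load_events():
        print(event)
```

Feeding a freshly downloaded upload through parse_elff is a quick way to confirm that the custom format on the proxy still matches what the Receiver's ASP parser expects before raising a ticket about missing events.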


Access Log v5.4.6.1

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
Date, Time            Firsttime, lasttime
c-ip                  src_ip
s-action              Message
cs-bytes              Bytes_Sent.Bytes_Sent*
sc-bytes              Bytes_Received.Bytes_Received*
cs-method             Method.Method
cs-uri-scheme
cs-host               domain
cs-uri-port           src_port
cs-uri-path           URL.URL
cs-username           src_username
rs(Content-Type)      application
cs(Referer)           Referer.Referer*
cs-User-Agent         User_Agent.User_Agent*
sc-filter-result      Action
cs-categories         Object_Type.Object_Type
x-virus-id            Object_Type.Object_Type
s-ip                  dst_ip


nFMAIN

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
nfMAIN                Application
Date, Time            Firsttime, lasttime
Source                src_ip
Status                Response_Code.Response_Code*
Action                Action
IncomingBytes         Bytes_Received.Bytes_Received*
OutgoingBytes         Bytes_Sent.Bytes_Sent*
Method                Method.Method
Scheme                Protocol
Username              src_username
User-Agent            User_Agent.User_Agent*
Result                Query_Response.Query_Response*
Category              Category.Category*
Virus                 Threat_Name.Threat_Name*
Device_IP             Device_IP.Device_IP*
DevicePort            src_port
URL                   URL.URL
DestinationIP         dst_ip
DestinationPort       dst_port


nFIM

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
nFIM                  Application
Date, Time            Firsttime, lasttime
Source                src_ip
Username              src_username
Protocol              Protocol
Method                Method.Method
Client                Client_Version.Client_Version*
Action                Action
File                  Filename.Filename
DeviceIP              DeviceIP.DeviceIP*

nFSSL

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
nFSSL                 Application
Date, Time            Firsttime, lasttime
Source                src_ip
Action                Action
DestinationIP         dst_ip
DestinationPort       dst_port
Supplier              URL.URL
Category              Category.Category*
DeviceIP              DeviceIP.DeviceIP*
IncomingBytes         Bytes_Received.Bytes_Received*
OutgoingBytes         Bytes_Sent.Bytes_Sent*
Protocol              Protocol


nFSTREAM

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
nFSTREAM              Application
Date, Time            Firsttime, lasttime
DestinationPort       dst_port
Status                Response_Code.Response_Code*
Action                Action
User-Agent            User_Agent.User_Agent*
Hostexe               Client_Version.Client_Version*
Protocol              Protocol
Bytes1                Bytes_Received.Bytes_Received*
Bytes2                Bytes_Sent.Bytes_Sent*
Device                Device_IP.Device_IP*
Source                src_ip
URL                   URL.URL
Method                Method.Method


nFP2P

Fields marked with * are available in version 9.2 and above only.

Log Fields            McAfee ESM Fields
nFP2P                 Application
Date, Time            Firsttime, lasttime
Source                src_ip
Username              src_username
Protocol              Protocol
ClientType            Message
Bytes1                Bytes_Received.Bytes_Received*
Bytes2                Bytes_Sent.Bytes_Sent*
Action                Action
DestinationIP         dst_ip
DestinationPort       dst_port
Device                Device_IP.Device_IP*
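The following Python parser is an added example, not code from this guide or from McAfee, for the nF* custom formats listed in Section 4.1, using the nFMAIN and nFP2P mapping tables above (the other tags follow the same pattern). The pipe delimiter, not the comma, bounds each value, so a comma inside a User-Agent survives; the two sample records are constructed for the example, and the UserAgent/DeviceIP key spellings are an assumption noted in the code, since the nFMAIN table prints them as User-Agent and Device_IP while the format string emits UserAgent and DeviceIP.

```python
"""Parse the McAfee-specific nF* custom access-log formats from Section 4.1
(nFMAIN and nFP2P implemented; nFIM, nFSSL and nFSTREAM follow the same
pattern) and apply the Section 4.2 mappings.  After the ProxySG substitutes
the $(...) specifiers, a record is the format tag followed by comma-separated
Key=|value| pairs.  SAMPLE_LINES are constructed for this example and are
not real ProxySG output."""
import re

# One Key=|value| pair.  The pipe is the delimiter, so commas inside a value
# (a User-Agent, for instance) are harmless; a value that itself contains "|"
# cannot be represented in this format and would corrupt the record.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*)=\|([^|]*)\|")

# Key -> ESM field per tag, transcribed from the Section 4.2 nFMAIN and nFP2P
# tables.  The nFMAIN table prints User-Agent and Device_IP as log keys while
# the format string emits UserAgent and DeviceIP; the emitted spellings are
# assumed to be the keys the table means.
ESM_MAPS = {
    "nFMAIN": {
        "Source": "src_ip", "Status": "Response_Code", "Action": "Action",
        "IncomingBytes": "Bytes_Received", "OutgoingBytes": "Bytes_Sent",
        "Method": "Method", "Scheme": "Protocol", "Username": "src_username",
        "UserAgent": "User_Agent", "Result": "Query_Response",
        "Category": "Category", "Virus": "Threat_Name",
        "DeviceIP": "Device_IP", "DevicePort": "src_port", "URL": "URL",
        "DestinationIP": "dst_ip", "DestinationPort": "dst_port",
    },
    "nFP2P": {
        "Source": "src_ip", "Username": "src_username", "Protocol": "Protocol",
        "ClientType": "Message", "Bytes1": "Bytes_Received",
        "Bytes2": "Bytes_Sent", "Action": "Action", "DestinationIP": "dst_ip",
        "DestinationPort": "dst_port", "Device": "Device_IP",
    },
}

SAMPLE_LINES = [
    "nFMAIN Date=|2014-09-22|, Time=|10:15:01|, Time-Taken=|120|, "
    "Source=|10.1.2.3|, Status=|200|, Action=|TCP_NC_MISS|, "
    "IncomingBytes=|5123|, OutgoingBytes=|412|, Method=|GET|, Scheme=|http|, "
    "Username=|jdoe|, Supplier=|www.example.com|, "
    "UserAgent=|Mozilla/5.0 (Windows NT 6.1, WOW64) Firefox/32.0|, "
    "Result=|OBSERVED|, Category=|Search Engines/Portals|, Virus=|-|, "
    "DeviceIP=|10.1.0.10|, DevicePort=|8080|, "
    "URL=|http://www.example.com/search?q=siem|, "
    "DestinationIP=|198.51.100.20|, DestinationPort=|80|",
    "nFP2P Date=|2014-09-22|, Time=|10:16:40|, Source=|10.1.2.5|, "
    "Username=|asmith|, Protocol=|tcp|, ClientType=|BitTorrent|, "
    "Bytes1=|1048576|, Bytes2=|65536|, Action=|TCP_DENIED|, "
    "DestinationIP=|203.0.113.7|, DestinationPort=|6881|, Device=|10.1.0.10|",
]


def parse_nf(line):
    """Split a record into (tag, {Key: value}); reject unknown tags."""
    tag, _, rest = line.strip().partition(" ")
    if tag not in ESM_MAPS:
        raise ValueError("unsupported custom format tag: %r" % tag)
    pairs = dict(PAIR_RE.findall(rest))
    if not pairs:
        raise ValueError("no Key=|value| pairs in record")
    return tag, pairs


def to_esm(line):
    """Build the ESM event: the tag becomes Application, Date/Time become
    firsttime/lasttime, mapped keys are renamed, "-" placeholders dropped."""
    tag, pairs = parse_nf(line)
    stamp = "%s %s" % (pairs.get("Date", ""), pairs.get("Time", ""))
    event = {"Application": tag, "firsttime": stamp, "lasttime": stamp}
    for key, esm_name in ESM_MAPS[tag].items():
        value = pairs.get(key, "-")
        if value != "-":
            event[esm_name] = value
    return event


def load_events(lines=SAMPLE_LINES):
    return [to_esm(line) for line in lines]


if __name__ == "__main__":
    for event in load_events():
        print(event)
```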


5 Appendix A - Generic Syslog Configuration Details

Once you select the option to add a data source, you are taken to the "Add Data Source" menu. The general options for adding a data source are shown; as you select different options, additional parameters may appear. Each of these parameters is examined in more detail below.

1. Use System Profiles - System Profiles are a way to reuse settings that are repetitive in nature without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor - List of all supported vendors.
3. Data Source Model - List of supported products for a vendor.
4. Data Format - The format the data is in. Options are "Default", "CEF", and "MEF". Note: if you choose CEF, the generic CEF rule is enabled and data source-specific details may not be parsed.
5. Data Retrieval - How the Receiver collects the data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap - Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM but not written to the Receiver or used. Default is "Parsing".
7. Name - The name that appears in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname - The IP address and host name associated with the data source device.
9. Syslog Relay - Allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay for relay sources such as Syslog-NG.
10. Mask - Applies a mask to the IP address so that a range of IP addresses is accepted.
11. Require Syslog TLS - Enable to require the Receiver to communicate over TLS.
12. Support Generic Syslog - Allows you to select "Parse generic syslog" or "Log 'unknown syslog event'". Both options create an alert for an auto-learned syslog event if there is no parsing rule.
13. Time Zone - If syslog events are sent in a time zone other than GMT, set the time zone of the data source so that the date on the events is set accordingly.
14. Interface - Opens the Receiver interface settings to associate ports with streams of information.
15. Advanced - Opens advanced settings for the data source.


6 Appendix B - Troubleshooting

• If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.
• If you see errors saying events are being discarded because the "Last Time" value is more than one hour in the future, or the values are incorrect, you may need to adjust the "Time Zone" setting.

The following tips may help with troubleshooting this configuration if events are not seen in the ESM after a period of time.

• Log into the FTP server (FileZilla in this guide) and check its log. Make sure there are entries stating that the ProxySG has uploaded the log files, and entries stating that the Receiver connected and downloaded them.
• Verify that port 514 is listening on the Receiver:
  o netstat -an | grep ':514'
• Use tcpdump on the Receiver to verify receipt of syslog from the ProxySG. Something as simple as the following is enough (the filter keyword is src host; replace eth0 with the interface the Receiver listens on):
  o tcpdump -i eth0 src host <remote host IP> and port 514