While you can do this by adding the r-ip log field to your access log format, the results might be undesirable because Blue Coat Reporter is configured to work with specific access-log fields only. For more details, see: What are the required Main HTTP(s) access log fields for optimal performance using Blue Coat Reporter. Furthermore, if using Reporter's best practice guidelines, the proxy is using the BCReporterMain_v1 access log format, which is not editable.
However, if you're not using Blue Coat Reporter for access log parsing, or if your goal is to output to a different access log than that used by Reporter, then you can create an access log format that encompasses the r-ip log field. Here are the steps to create a new access log format on the ProxySG and log and to get the proxy writing to it:
Step 1: Create a new log facility.
- In the Web-based management console, go to Configuration > Access Logging > Formats.
- Click New.
- Name the new format, (note - spaces are not permitted).
- Select W3C Extended Log File Format string.
- Enter the following for the format string:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path r-ip cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
- The above can be edited as required, (cs-ip has already been added), but be sure to use the Test Format button before saving.
- Click Apply to save the format.
Step 2: Create a new log.
- Select Access Logging > Logs to create a new log to use the format you've created.
- Click New.
- Name the new log.
- Select the format you created above from the Log Format drop-down list.
- (Optional) Provide a Description.
- Click OK, then Apply.
Step 3: Configure policy to output to the new log.
- The above can be achieved through the VPM (Blue Coat recommends using a new Web Access Layer for only this purpose) with the Modify Access Logging action object configured with Enable logging to set to the new log you've created.
Step 4: Verify access logging outputs the destination IP.
- Open the Statistics tab and click Access Logging.
- From the Log drop-down, select your newly created access log.
- Click Start Tail and monitor the window.
- As client requests are proxied, the access log details displays in this window. Stop the tail for easier reading if information scrolls too quickly (common for busy proxy environments).
- Verify that you see the destination IP immediately following the URL and associated path.
- This new log contributes to the overall size on disk that the proxy has allotted to logging. You might need to lower the size available on disk for thiis new log or configure an access log upload client to offload the log at regular intervals
- For more information on Access Log formats, Local and Visual policy installation, consult the Configuration and Management guide for SGOS, available at: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/introduction.html.
- Blue Coat Reporter may not incorporate the new field, as it expects only the data in the BCReporterMain_v1 log facility.