You want to include the secure cipher suites used to negotiate the SSL connections users initiate into the SSL access logs.

Because the default SSL Access Log (called "bcreporterssl_v1") uses a locked log format that does not include the field, "x-cs-connection-negotiated-cipher" which is used to report cipher suites in an SSL connection, Blue Coat recommends adding a new access log and directing SSL log data to it in policy. Steps to accomplish this are below. 

Important notes: This steps provided to display cipher suites on access log is ideal on SGOS 6.5.9.10 or later and SGOS 6.6.x as tested
 

1. Create a new custom SSL access log format to replace the default SSL access logs.

• Browse to Management Console > Configuration > Access Logging > Formats > and click New
• Format Name: ssl_ciphers_v1 (or any name you see fit)
• Paste this string to replace the original string under "W3C Extended Log File Format (ELFF) String (Specify below)" without quotes:
• date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-cs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk

2. Create a new custom SSL access log to use the format you created in step 1.

• Browse to the Management Console > Configuration > Access Logging > Logs > and click New
• Log Name: ssl_cipher_logs (or any name you see fit) 
• Log Format: ssl_ciphers_v1 (the new logs format that are created earlier) 
• Description: "as you see fit" 

3. Define policy to divert SSL traffic to the new access log (Transparent Proxy). If your ProxySG appliance is deployed explicitly, skip this step and go to step 4.

• ** Transparent proxy - Make sure that Services > Proxy Services > HTTPS is set to intercept.
• Launch VPM > click Create new Web Access Layer > and click New Rule.
• Define the rule with the following details:
  • Source: Any 
    Destination: Any
    Service: Set > New > Service Name > HTTPS 
    Action: Set > New > Modify Access Logging > Name the Access Logging Object > Enable logging to: ssl_cipher_logs (the new logs created in step 2) click Ok.
• Click Install Policy to commit the new rule.

4. Define policy to divert SSL traffic to the new access log (Explicit Proxy)

• Verify that the ProxySG is configured to identify HTTPS traffic: Management Console > Configuration > Proxy Services > Standard > Edit Explicit HTTP > "check" Detect Protocol should be enabled. If it's not, check the box and click OK > Apply. 
• Verify that you have an SSL Intercept rule in place: Launch VPM. If no SSL Intercept layer exists, click Create New SSL Intercept Layer and create an SSL Intercept rule (KB article "000021765" for details on this if you don't have one).
• In the VPM, click Create new Web Access Layer > then New Rule 
• Define the new rule with the following details:
  • Source: Any 
    Destination: Any
    Service: Set > New > Client Protocol > HTTPS & All HTTPS 
    Action: Set > New > Modify Access Logging > Name the Access Logging Object > Enable logging to: ssl_cipher_logs (the new log created in step 2) > Ok.
• Click Install Policy to commit the new rule.