How to Include SSL Cipher Suites in ProxySG Access Logs


Article ID: 169100


Products

Asset Management Solution Data Center Security Monitoring Edition ProxySG Software - SGOS

Issue/Introduction

You want to include the secure cipher suites used to negotiate the SSL connections users initiate into the SSL access logs.

Resolution

The default SSL access log (named "bcreporterssl_v1") uses a locked log format that does not include the "x-cs-connection-negotiated-cipher" field, which reports the cipher suite negotiated for an SSL connection. Blue Coat therefore recommends creating a new access log and directing SSL log data to it through policy. The steps to accomplish this are below.

Important note: these steps for displaying cipher suites in the access log apply to SGOS 6.5.9.10 or later and SGOS 6.6.x, on which they were tested.

  1. Create a new custom SSL access log format to replace the default SSL access logs.
  • Browse to Management Console > Configuration > Access Logging > Formats > and click New
  • Format Name: ssl_ciphers_v1 (or any name you see fit)
  • Under "W3C Extended Log File Format (ELFF) String (Specify below)", replace the original string with the following string (without quotes):

  date time time-taken c-ip cs-username cs-auth-group s-supplier-name s-supplier-ip s-supplier-country s-supplier-failures x-exception-id sc-filter-result cs-categories sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error x-cs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-strength x-rs-certificate-hostname x-rs-certificate-hostname-category cs-threat-risk x-rs-certificate-hostname-threat-risk


  2. Create a new custom SSL access log that uses the format you created in step 1.
  • Browse to Management Console > Configuration > Access Logging > Logs > and click New
  • Log Name: ssl_cipher_logs (or any name you see fit)
  • Log Format: ssl_ciphers_v1 (the new log format created in step 1)
  • Description: as you see fit


  3. Define policy to divert SSL traffic to the new access log (Transparent Proxy). If your ProxySG appliance is deployed explicitly, skip this step and go to step 4.
  • Transparent proxy only: make sure that Services > Proxy Services > HTTPS is set to Intercept.
  • Launch VPM > click Create new Web Access Layer > and click New Rule.
  • Define the rule with the following details:
    • Source: Any
    • Destination: Any
    • Service: Set > New > Service Name > HTTPS
    • Action: Set > New > Modify Access Logging > name the Access Logging object > Enable logging to: ssl_cipher_logs (the new log created in step 2) > click OK.
  • Click Install Policy to commit the new rule.


  4. Define policy to divert SSL traffic to the new access log (Explicit Proxy)
  • Verify that the ProxySG is configured to identify HTTPS traffic: Management Console > Configuration > Proxy Services > Standard > Edit Explicit HTTP > the Detect Protocol checkbox should be enabled. If it is not, check the box and click OK > Apply.
  • Verify that you have an SSL Intercept rule in place: launch VPM. If no SSL Intercept layer exists, click Create New SSL Intercept Layer and create an SSL Intercept rule (see KB article "000021765" for details if you do not have one).
  • In the VPM, click Create new Web Access Layer > then New Rule
  • Define the new rule with the following details:
    • Source: Any
    • Destination: Any
    • Service: Set > New > Client Protocol > HTTPS & All HTTPS
    • Action: Set > New > Modify Access Logging > name the Access Logging object > Enable logging to: ssl_cipher_logs (the new log created in step 2) > OK.
  • Click Install Policy to commit the new rule.
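Once the new log is receiving SSL records, the point of the exercise is to read the "x-cs-connection-negotiated-cipher" field back out and act on it. The following is an added example, not code from the article or from Blue Coat: a small Python parser for W3C ELFF output in the ssl_ciphers_v1 format from step 1 that counts the negotiated cipher suites and flags records whose cipher name contains a known-weak algorithm. The log content, the cipher names and the "Low"/"High" strength labels in the sample are constructed for illustration; the parser itself is generic and takes its field names from the "#Fields:" directive, so it works with any ELFF string, not only this one.

```python
"""Added example (not from the KB article): parse W3C ELFF access-log records
written with the ssl_ciphers_v1 format and summarize negotiated cipher suites."""
import re
import shlex
from collections import Counter

# The ELFF string from step 1 of the article, used here as the #Fields: header.
SSL_CIPHERS_V1 = (
    "date time time-taken c-ip cs-username cs-auth-group s-supplier-name "
    "s-supplier-ip s-supplier-country s-supplier-failures x-exception-id "
    "sc-filter-result cs-categories sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-extension "
    "cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id "
    "x-rs-certificate-observed-errors x-cs-ocsp-error x-rs-ocsp-error "
    "x-cs-connection-negotiated-cipher x-rs-connection-negotiated-cipher-strength "
    "x-rs-certificate-hostname x-rs-certificate-hostname-category "
    "cs-threat-risk x-rs-certificate-hostname-threat-risk"
)

# Constructed sample log: three records in the format above. All values
# (addresses, hosts, cipher names, strength labels) are made up for this example.
SAMPLE_LOG = f"""#Software: SGOS
#Version: 1.0
#Fields: {SSL_CIPHERS_V1}
2020-01-15 10:02:11 120 10.1.2.3 jdoe "Domain Users" example.com 93.184.216.34 "United States" - - OBSERVED "Technology/Internet" 200 TCP_TUNNELED CONNECT - ssl www.example.com 443 - "Mozilla/5.0 (Windows NT 10.0)" 10.1.0.5 5120 1400 - none - - ECDHE-RSA-AES128-GCM-SHA256 High www.example.com "Technology/Internet" 1 1
2020-01-15 10:02:15 98 10.1.2.7 asmith "Domain Users" legacy.example.net 198.51.100.20 "United States" - - OBSERVED "Business/Economy" 200 TCP_TUNNELED CONNECT - ssl legacy.example.net 443 - "Mozilla/5.0 (Windows NT 10.0)" 10.1.0.5 3300 900 - none - - RC4-SHA Low legacy.example.net "Business/Economy" 2 2
2020-01-15 10:02:20 45 10.1.2.3 jdoe "Domain Users" example.org 203.0.113.9 "United States" - - OBSERVED "Technology/Internet" 200 TCP_TUNNELED CONNECT - ssl www.example.org 443 - "Mozilla/5.0 (Windows NT 10.0)" 10.1.0.5 7800 2100 - none - - DES-CBC3-SHA Medium www.example.org "Technology/Internet" 1 1
"""

# OpenSSL-style cipher name fragments that indicate a weak or unauthenticated suite.
WEAK_CIPHER = re.compile(r"NULL|EXP|RC4|DES|MD5|ADH|AECDH")


def parse_elff(text):
    """Yield one dict per record; field names come from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) are ignored
        if fields is None:
            raise ValueError("record encountered before a #Fields: directive")
        values = shlex.split(line)  # ELFF quotes values that contain spaces
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def cipher_summary(text):
    """Count negotiated cipher suites and list records using a weak one.

    A record is flagged when the cipher name matches WEAK_CIPHER or when the
    appliance-reported strength is "Low" (the label is assumed for this example).
    """
    records = list(parse_elff(text))
    counts = Counter(r["x-cs-connection-negotiated-cipher"] for r in records)
    weak = [
        (r["c-ip"], r["cs-host"], r["x-cs-connection-negotiated-cipher"],
         r["x-rs-connection-negotiated-cipher-strength"])
        for r in records
        if WEAK_CIPHER.search(r["x-cs-connection-negotiated-cipher"])
        or r["x-rs-connection-negotiated-cipher-strength"] == "Low"
    ]
    return {"counts": counts, "weak": weak}


if __name__ == "__main__":
    summary = cipher_summary(SAMPLE_LOG)
    for cipher, n in summary["counts"].most_common():
        print(f"{n:4d}  {cipher}")
    for c_ip, host, cipher, strength in summary["weak"]:
        print(f"WEAK  {c_ip} -> {host}: {cipher} ({strength})")
```

Point the script at a downloaded copy of the ssl_cipher_logs file instead of SAMPLE_LOG to get the same summary for production traffic; because the parser reads the "#Fields:" header, reordering or extending the ELFF string in step 1 does not require changing the code, only the field names referenced in cipher_summary.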