Configure CloudSOC Audit Support In The ProxySG


Article ID: 171054


Updated On:

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

This article describes the steps to take on the ProxySG to send Access Logs to the CloudSOC Elastica Audit application. 
 
The ProxySG supports logs in either of the following two formats:
 
● Access logs (Default)
● Extended Log File Format (Custom)
 
The CloudSOC Audit application supports the “Extended Log File Format” (ELFF) for the ProxySG. 
 
This article assumes the goal is to use the ProxySG to FTP logs to a SpanVA instance within the enterprise perimeter, and that the SpanVA has already been installed and configured according to the Elastica documents on installing and configuring SpanVA. Perform all of the procedures described in the following subsections to complete the configuration on the ProxySG.

Resolution

Enable access logging

1. If not already done, login to the ProxySG management console.
2. Click the Configuration tab, and navigate to Access Logging > General.
3. Near the upper left corner of the Default Logging tab, make sure the Enable Access Logging checkbox is marked, as shown below.

 

Configure the log format

1. On the Configuration tab, navigate to Access Logging > Formats.

2. On the Log Format tab click New. The Create Format box opens as shown below:

3. Enter a name for the format, for example "Elastica_SpanVA_Format."
4. Mark the W3C Extended Log File Format (ELFF) string radio button.
5. In the ELFF string text box, enter the header fields, separated by spaces, that you want exported in the logs. Then click OK. The example above shows a sample set of header fields.


Make sure to configure all mandatory fields as listed below. Click Test Format to check if all the fields are valid.


Mandatory fields


The following fields must be present in the logs uploaded to Elastica Audit application.

● date and time OR timestamp OR gmttime
● c-ip OR cs-username
● cs-host OR cs-uri
● cs-bytes
● sc-bytes
● cs-uri-scheme OR cs-protocol

 

Optional fields

The following fields provide additional analytics if present.

● c-port
● s-action
● cs(Referer)
● cs(User-Agent) OR c-agent
● cs-uri-path
● r-ip OR s-supplier-ip (required for destinations support)
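As an added example (not part of the original article and not a Symantec/Broadcom tool), the following Python script checks an ELFF format string against the mandatory and optional field rules listed in the two sections above, and parses ELFF log lines into records so the exported fields can be inspected before the upload is scheduled. The format string, log lines and addresses in it are constructed; it assumes, per the W3C ELFF convention, that values containing spaces are double-quoted and that "-" marks an empty value.

```python
"""Check a ProxySG ELFF format string against the CloudSOC Audit field
requirements above, and parse sample ELFF log lines into records.
Added example; the format string and log lines below are constructed."""
import shlex
from collections import defaultdict

# Each entry is a tuple of alternatives; a group is satisfied when every
# name in at least one alternative appears in the format.
MANDATORY_GROUPS = [
    ({"date", "time"}, {"timestamp"}, {"gmttime"}),
    ({"c-ip"}, {"cs-username"}),
    ({"cs-host"}, {"cs-uri"}),
    ({"cs-bytes"},),
    ({"sc-bytes"},),
    ({"cs-uri-scheme"}, {"cs-protocol"}),
]
OPTIONAL_GROUPS = [
    ({"c-port"},),
    ({"s-action"},),
    ({"cs(Referer)"},),
    ({"cs(User-Agent)"}, {"c-agent"}),
    ({"cs-uri-path"},),
    ({"r-ip"}, {"s-supplier-ip"}),
]

# Constructed ELFF string of the kind typed into the Create Format box.
SAMPLE_FORMAT = ("date time time-taken c-ip cs-username cs-uri-scheme cs-host "
                 "cs-uri-port cs-uri-path cs-uri-query cs-method sc-status "
                 "s-action sc-bytes cs-bytes cs(Referer) cs(User-Agent)")

# Constructed log excerpt: directive lines start with '#', '-' marks an empty
# value, and values containing spaces are double-quoted (W3C ELFF convention).
SAMPLE_LOG = """\
#Software: constructed sample, not real SGOS output
#Fields: date time c-ip cs-username cs-host cs-uri-scheme cs-bytes sc-bytes s-action cs(User-Agent) s-supplier-ip
2024-01-15 10:03:12 10.1.2.3 jdoe example.com https 512 20480 TCP_NC_MISS "Mozilla/5.0 (Windows NT 10.0)" 93.184.216.34
2024-01-15 10:03:13 10.1.2.3 jdoe example.org http 300 1024 TCP_HIT "curl/8.0" -
"""


def _label(alternatives):
    """Render a group the way the article lists it, e.g. 'c-ip OR cs-username'."""
    return " OR ".join(" and ".join(sorted(alt)) for alt in alternatives)


def parse_format(elff_string):
    """Split an ELFF format string into its space-separated field names."""
    return elff_string.split()


def check_fields(fields):
    """Report missing mandatory groups and which optional groups are present."""
    present = set(fields)
    missing = [_label(g) for g in MANDATORY_GROUPS
               if not any(alt <= present for alt in g)]
    optional = [_label(g) for g in OPTIONAL_GROUPS
                if any(alt <= present for alt in g)]
    return {"valid": not missing, "missing": missing, "optional_present": optional}


def parse_log(text, fields=None):
    """Parse ELFF log text into dicts keyed by field name.

    A '#Fields:' directive in the text takes precedence over the `fields`
    argument, so the parser follows whatever header the log actually carries.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("no field list: pass fields= or include a #Fields directive")
        values = shlex.split(line)  # honours double-quoted values
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} values, got {len(values)}: {line!r}")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def bytes_by_client(records):
    """Sum server-to-client bytes (sc-bytes) per client address (c-ip)."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec["c-ip"]] += int(rec["sc-bytes"])
    return dict(totals)


if __name__ == "__main__":
    print(check_fields(parse_format(SAMPLE_FORMAT)))
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records;", bytes_by_client(recs))
    print(check_fields(list(recs[0])))
```

Running the script on a format string before clicking Test Format catches a missing group (for example a format with date but no time, which satisfies none of the timestamp alternatives); running `parse_log` on a file pulled from the SpanVA upload directory confirms that the fields actually delivered match what was configured.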

 

Create an access log for SpanVA

1. On the Configuration tab, navigate to Access Logging > Logs.
2. On the Logs tab, click New as shown below.

3. On the Create Logs box, give the log a name such as "Elastica_SpanVA" and set the Log Format to Elastica_SpanVA_Format as shown below. Add a unique description if desired.

4. Click OK to create the new log.
5. On the Management Console, click Apply to commit the new configuration.

 

Configure the upload client

1. On the Configuration > Access Logging > Logs tab, click the Upload Client tab.
2. From the Logs menu, choose the SpanVA access log created earlier.

3. For Client type, choose FTP Client and click Settings.
4. Configure the following settings as shown on the CloudSOC Datasource Details panel in
the section Create a CloudSOC datasource for the ProxySG:
● Host
● Path (Destination Directory)
● Username
● Password


 

Note: If the CloudSOC Datasource Details panel shows a path of the form
"/home/ds_xxxxxxxxxxxxxxxxxxxxxxxxx/datasources/yyyyyyyyyyyyyyyyyyyyyy," it's possible
to shorten it to just "datasources/yyyyyyyyyyyyyyyyyyyyyy" in order to stay within the
character limit of the ProxySG Path text box. Do not use a preceding "/" in the shortened
path. This applies to SCP as well as the FTP connections described in this procedure.

5. Leave the Filename box as-is.
6. Mark the Use secure connections checkbox if required for the ProxySG to send logs using
SSL. For this option, make sure that the appropriate certificates are configured on the SpanVA.
7. Click OK, then click Apply to commit the changes.

 

Schedule the upload

1. In Management Console, click the Upload Schedule tab.
2. From the Log menu, choose the access log configured in the step Create an access log for SpanVA.

3. Create an upload schedule that meets your requirements. It's recommended to configure the ProxySG to send logs to SpanVA at 30 minute intervals.

4. Click Apply.

 

Enable Logging

1. In the ProxySG Management Console, navigate to Configuration (tab) > Policy > Visual
Policy Manager.
2. Click Launch.
3. In Visual Policy Manager, choose Policy > Add Web Access Layer.
4. Name the new layer "Elastica SpanVA" or similar.
5. In the one rule row for the new layer, right-click on Action and choose Set.
6. On the Set Action Object box, click New and then choose Modify Access Logging.
7. On the Add Access Logging Object box, click Enable logging to: and choose the entry for
Elastica SpanVA.
8. Click OK to close the Add Access Logging Object box.
9. Click OK to close the Set Action Object box.
10. In Visual Policy Manager, click Install Policy to commit the changes to the device.

The access logs will now be sent in the newly created format by the schedule configured. 

It's possible to configure HTTPS file transfer instead. For this, see the instructions in the attached TechNote, Tech Note--Audit Support for Blue Coat ProxySG.

Attachments

Tech Note--Audit Support for Blue Coat ProxySG.pdf