Posted to issues@metron.apache.org by "Phil Austin (JIRA)" <ji...@apache.org> on 2016/05/16 18:19:13 UTC

[jira] [Updated] (METRON-162) Create Bluecoat Parser

     [ https://issues.apache.org/jira/browse/METRON-162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phil Austin updated METRON-162:
-------------------------------
    Description: 
Create a parser for Bluecoat proxy logs. 

A single line from a Bluecoat log is a whitespace-delimited list that looks like the following:

2015-09-02 08:30:43 517 101.21.14.218 200 TCP_NC_MISS 212 1248 POST http 196.156.17.4 80 /idle/aF8mdz02zSLRiX-Z/1669 - abc123 ORG\GR%20GG%20ORG%20USR%20Companyweb - 196.156.17.4 application/x-fcs - "Shockwave Flash" OBSERVED "DestinationAppServers;Audio/Video Clips" - 10.79.11.218 Certificate
...
{"csauthtype" : "Certificate",
"ip_dst_port" : "80",
"cs_username" : "abc123",
"http_uripath" : "/idle/aF8mdz02zSLRiX-Z/1669",
"protocol" : "http",
"http_method" : "POST",
"csauthgroup" : "ORG\GR%20GG%20ORG%20USR%20Companyweb",
"csbytes" : "1248",
"proxy_ip_addr" : "10.79.11.218",
"scbytes" : "212",
"cshost" : "196.156.17.4",
"scfilterresult" : "OBSERVED",
"time_taken" : "517",
"saction" : "TCP_NC_MISS",
"cscategories" : "DestinationAppServers;Audio/Video Clips",
"http_status" : "200",
"http_useragent" : "Shockwave Flash",
"ssupliername" : "196.156.17.4"
}



These fields correspond to the following labels:

date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type

  was:
Create a parser for Bluecoat proxy logs. 

A single line from a Bluecoat log is a whitespace-delimited list that looks like the following:

2015-09-02 08:30:43 517 101.21.14.218 200 TCP_NC_MISS 212 1248 POST http 196.156.17.4 80 /idle/aF8mdz02zSLRiX-Z/1669 - abc123 ORG\GR%20GG%20ORG%20USR%20Companyweb - 196.156.17.4 application/x-fcs - "Shockwave Flash" OBSERVED "DestinationAppServers;Audio/Video Clips" - 10.79.11.218 Certificate
...
{"csauthtype" : "Certificate",
"ip_dst_port" : "80",
"cs_username" : "abc123",
"http_uripath" : "/idle/aF8mdz02zSLRiX-Z/1669",
"protocol" : "http",
"http_method" : "POST",
"csauthgroup" : "ORG\GR%20GG%20ORG%20USR%20Companyweb",
"csbytes" : "1248",
"proxy_ip_addr" : "10.79.11.218",
"http_uriquery" : "-",
"scbytes" : "212",
"cshost" : "196.156.17.4",
"scfilterresult" : "OBSERVED",
"time_taken" : "517",
"saction" : "TCP_NC_MISS",
"http_referer" : "-",
"cscategories" : "DestinationAppServers;Audio/Video Clips",
"http_status" : "200",
"http_useragent" : "Shockwave Flash",
"ssupliername" : "196.156.17.4"
}



These fields correspond to the following labels:

date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type

A null field is represented as a '-'.


> Create Bluecoat Parser
> ----------------------
>
>                 Key: METRON-162
>                 URL: https://issues.apache.org/jira/browse/METRON-162
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Phil Austin
>            Priority: Minor
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
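As an added example (not Metron's parser and not code from the issue), a Python sketch of the parsing the issue asks for: it tokenizes a line while keeping the quoted User-Agent and category fields whole, maps the tokens onto the labels listed above, renames them to the keys shown in the issue's JSON, and drops '-' nulls. FIELD_MAP is reconstructed from the JSON in the issue; labels whose output key the JSON elides keep their Bluecoat name, which is an assumption.

```python
import csv

# Field labels for one Bluecoat line, in the order given in the issue.
LABELS = (
    "date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
    "cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) "
    "cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type"
).split()

# Output key per label, taken from the JSON in the issue ("ssupliername" is the
# issue's own spelling). Labels not listed keep their Bluecoat name; that is an
# assumption, since the issue elides part of its JSON with "...".
FIELD_MAP = {
    "time-taken": "time_taken", "sc-status": "http_status", "s-action": "saction",
    "sc-bytes": "scbytes", "cs-bytes": "csbytes", "cs-method": "http_method",
    "cs-uri-scheme": "protocol", "cs-host": "cshost", "cs-uri-port": "ip_dst_port",
    "cs-uri-path": "http_uripath", "cs-uri-query": "http_uriquery",
    "cs-username": "cs_username", "cs-auth-group": "csauthgroup",
    "s-supplier-name": "ssupliername", "cs(Referer)": "http_referer",
    "cs(User-Agent)": "http_useragent", "sc-filter-result": "scfilterresult",
    "cs-categories": "cscategories", "s-ip": "proxy_ip_addr", "cs-auth-type": "csauthtype",
}

def tokenize(line):
    """Split on whitespace, keeping double-quoted fields (user agent, categories) as
    one token. csv, not shlex: shlex would treat the backslash in ORG\\GR as an escape."""
    return next(csv.reader([line.strip()], delimiter=" ", quotechar='"',
                           skipinitialspace=True))

def parse_bluecoat(line, drop_nulls=True):
    """Map one line onto LABELS. A wrong token count is rejected rather than
    silently mis-aligning every later field; '-' marks a null field and is
    dropped by default, as in the issue's updated JSON."""
    tokens = tokenize(line)
    if len(tokens) != len(LABELS):
        raise ValueError(f"expected {len(LABELS)} fields, got {len(tokens)}")
    record = {}
    for label, value in zip(LABELS, tokens):
        if drop_nulls and value == "-":
            continue
        record[FIELD_MAP.get(label, label)] = value
    return record

# The sample line from the issue (the backslash is escaped for the Python literal).
SAMPLE = ('2015-09-02 08:30:43 517 101.21.14.218 200 TCP_NC_MISS 212 1248 POST http '
          '196.156.17.4 80 /idle/aF8mdz02zSLRiX-Z/1669 - abc123 '
          'ORG\\GR%20GG%20ORG%20USR%20Companyweb - 196.156.17.4 application/x-fcs - '
          '"Shockwave Flash" OBSERVED "DestinationAppServers;Audio/Video Clips" - '
          '10.79.11.218 Certificate')
```

Running parse_bluecoat(SAMPLE) yields the 22 non-null fields of the sample; pass drop_nulls=False to keep the '-' entries (cs-uri-query, s-hierarchy, cs(Referer), x-virus-id) as in the issue's earlier JSON.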