What you have described sounds like Identity Logging; however, that is where the Management Server is querying the AD to map an IP address of the source IP in the log to an AD Username and AD Machine Name. Look at the Send Client IP feature on the Bluecoat, which is, I believe, the feature that you need to do this. I believe also that you use the Bluecoat in Transparent Mode, but I am sure that Bluecoat can fill you in on that. This apparently forwards the original client IP to the destination rather than the Bluecoat's IP. This way your firewall will see the client IP of the original request, not the Bluecoat IP, and your security policy on the Check Point will need to reflect this.

At that point the Firewall will see the PC's IP, and the Identity Logging feature of Check Point can then query the AD server to get the Source User Name and Source Machine Name field information. The Check Point document looks pretty good on how to configure Identity Logging. This sounds like what the Check Point Sales Engineer was meaning you could do; however, the Bluecoat doesn't forward the user id and user IP to the Check Point. It is merely that the Bluecoat doesn't proxy the user's IP (which is the standard method), so that the Check Point sees the original IP and then uses Identity Logging to retrieve the username and machine name from the AD system. Why wouldn't you just use Authentication on the BlueCoat and their own free Reporting Client? You'd get more accurate and comprehensive information that way.

in a world where we could get someone effective from bluecoat to actually explain to us how to get reporter to work correctly. We inherited a situation from the original technician in which nothing really useful gets logged. Not only that, I have found that the logging doesn't even reflect correct data transfer quantities (not sure if the previous technician did that somehow as well). I compared a night when someone downloaded over 80 gig of content with a bluecoat reporter that showed 125 meg. So we've been trying to fix the bluecoat situation AND leverage the checkpoint so that I have the best of both worlds.

Essentially we have a company that does intrusion detection monitoring. They may give us an IP someone went to that has 'known malicious' content on it, and in checkpoint logs all I see is the bluecoat IP. I'd like to see the client's IP at the least, if not even the uid. That being said, I had also hoped to see the IP of the URL in reporter logs. Either not there by default or someone engineered ours to not report it. We've been working with bluecoat on that. Just trying to get the best of both worlds if possible!

If you have version 8 or earlier, the best way to get reporter to work well is to throw it away and start over with version 9. Start by going into your bluecoats and verifying that they are using the standard bluecoat log format and that the previous technician did not switch to an alternate format (such as the semi-standard squid log format). Then, install reporter 9.2 and import the logs that are being generated.

I pretty much hated bluecoat reporter (enterprise edition) and ignored it as much as I could. My opinion completely changed when we upgraded from 8.x to 9.2. There has been significant growth between the major releases. Reporter now has a "real MySQL database" behind it, as opposed to the former flat files in 8.x, so it moves much quicker, at least for me (I generate over a million lines of proxy log each day).

Also, reports are now pretty easy to generate. Since it better understands the concept of "web pages" (as opposed to http xfers) and has heuristics to estimate "page view time", it gives reports that management types can handle without too much explanation. If you have a filtering subscription, it can also report on "possibly infected machines", and email them periodically to your PC support staff.

The downside is that the "upgrade path" is to install the new application and re-import the log files into the database. If you did not keep the old log records, you have to run both 8 & 9 in parallel (it is possible to do this on the same box) until you no longer care about the old log records.