AlienVault® USM Anywhere™

Blue Coat W3C

When you configure Symantec (formerly Blue Coat) ProxySG to send log data to USM Anywhere, you can use the Bluecoat W3C plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  • Vendor: Symantec (formerly Blue Coat)
  • Device Type: Proxy
  • Connection Type: Syslog

Integrating ProxySG

Before you configure the ProxySG integration, you must have the IP address of the USM Anywhere Sensor.

Follow the Symantec KB article "How do I write Access Log entries to a SYSLOG server?" to configure ProxySG to send log data to USM Anywhere. From ProxySG's perspective, the USM Anywhere Sensor acts as the syslog server. The TCP port number is 601. Make sure the log file format is W3C.

Plugin Enablement

For plugin enablement information, see Manual Integration Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application_protocol
  • bytes_in
  • bytes_out
  • destination_address
  • destination_port
  • event_name
  • malware_variant
  • rep_device_address
  • request_content_type
  • request_method
  • request_url
  • request_user_agent
  • response_code
  • source_address
  • source_username
  • timestamp_occured
  • timestamp_received
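
The following sketch shows how a W3C (ELFF) access-log record can be turned into the fields listed above. It is an added example, not AlienVault's plugin code. The ELFF-to-field mapping, the direction chosen for bytes_in and bytes_out, and the sample record are assumptions made for illustration. It also assumes the syslog header has already been stripped and that the #Fields directive is available.

```python
import re

# Assumed mapping from ProxySG ELFF field names to the plugin fields listed
# above. Illustrative only; the plugin's real mapping is not documented here.
ELFF_TO_EVENT = {
    "c-ip": "source_address", "cs-username": "source_username",
    "cs-method": "request_method", "cs(User-Agent)": "request_user_agent",
    "rs(Content-Type)": "request_content_type", "sc-status": "response_code",
    "cs-uri-scheme": "application_protocol", "cs-uri-port": "destination_port",
    "cs-bytes": "bytes_out", "sc-bytes": "bytes_in",
    "x-virus-id": "malware_variant", "s-ip": "rep_device_address",
}
INT_FIELDS = {"response_code", "destination_port", "bytes_in", "bytes_out"}
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted values may contain spaces

def parse_w3c(lines):
    """Yield one normalized dict per data line, keyed by the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = [quoted or bare for quoted, bare in TOKEN.findall(line)]
            if len(values) != len(fields):
                continue  # truncated or malformed record: skip, do not misalign
            raw = {k: v for k, v in zip(fields, values) if v != "-"}  # "-" = empty
            event = {ELFF_TO_EVENT[k]: v for k, v in raw.items() if k in ELFF_TO_EVENT}
            for key in INT_FIELDS & event.keys():
                if event[key].isdigit():
                    event[key] = int(event[key])
            if "date" in raw and "time" in raw:  # ELFF date/time are in GMT
                event["timestamp_occured"] = f"{raw['date']}T{raw['time']}Z"
            if "cs-host" in raw:
                event["request_url"] = "{}://{}{}{}".format(
                    raw.get("cs-uri-scheme", "http"), raw["cs-host"],
                    raw.get("cs-uri-path", "/"), raw.get("cs-uri-query", ""))
            yield event

# Constructed sample input, not captured from a real device.
SAMPLE = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-scheme cs-host "
    "cs-uri-port cs-uri-path cs-uri-query sc-status rs(Content-Type) "
    "cs(User-Agent) sc-bytes cs-bytes x-virus-id s-ip",
    '2024-01-15 10:22:31 192.0.2.10 jdoe GET http example.com 80 /index.html '
    '?a=1 200 text/html "Mozilla/5.0 (X11; Linux x86_64)" 5120 412 - 198.51.100.5',
]

if __name__ == "__main__":
    for event in parse_w3c(SAMPLE):
        print(event)
```

Records whose value count does not match the #Fields directive are dropped rather than parsed, because a shifted column would silently put data in the wrong field.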

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation:

How do I enable Syslog on the ProxySG?

Symantec Technical Support