[ https://issues.apache.org/jira/browse/METRON-162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Sirota updated METRON-162:
--------------------------------
    Labels: ParserExtension  (was: )

> Create Bluecoat Parser
> ----------------------
>
>                 Key: METRON-162
>                 URL: https://issues.apache.org/jira/browse/METRON-162
>             Project: Metron
>          Issue Type: New Feature
>            Reporter: Phil Austin
>            Priority: Minor
>              Labels: ParserExtension
>
> Create a parser for Bluecoat proxy logs.
> A single line from a bluecoat log is a whitespace delimited list that
> looks like the following:
> 2015-09-02 08:30:43 517 101.21.14.218 200 TCP_NC_MISS 212 1248 POST http
> 196.156.17.4 80 /idle/aF8mdz02zSLRiX-Z/1669 - abc123
> ORG\GR%20GG%20ORG%20USR%20Companyweb - 196.156.17.4 application/x-fcs -
> "Shockwave Flash" OBSERVED "DestinationAppServers;Audio/Video Clips" -
> 10.79.11.218 Certificate
> ...
> {"csauthtype" : "Certificate",
> "ip_dst_port" : "80",
> "cs_username" : "abc123",
> "http_uripath" : "/idle/aF8mdz02zSLRiX-Z/1669",
> "protocol" : "http",
> "http_method" : "POST",
> "csauthgroup" : "ORG\GR%20GG%20ORG%20USR%20Companyweb",
> "csbytes" : "1248",
> "proxy_ip_addr" : "10.79.11.218",
> "scbytes" : "212",
> "cshost" : "196.156.17.4",
> "scfilterresult" : "OBSERVED",
> "time_taken" : "517",
> "saction" : "TCP_NC_MISS",
> "cscategories" : "DestinationAppServers;Audio/Video Clips",
> "http_status" : "200",
> "http_useragent" : "Shockwave Flash",
> "ssupliername" : "196.156.17.4"
> }
> These fields correspond to the following labels:
> date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method
> cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username
> cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer)
> cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
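
The field mapping described in the ticket above, as an added Python example (not code from the ticket or from Metron): it tokenises one line with quote awareness, assigns the labels in order, and renames them to the keys shown in the ticket's JSON sample. The name `parse_bluecoat`, the `None` return for a wrong field count, and keeping the original label for fields that the JSON sample does not show are assumptions.

```python
import re

# Field order, copied from the label list in the ticket.
LABELS = (
    "date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method "
    "cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username "
    "cs-auth-group s-hierarchy s-supplier-name rs(Content-Type) cs(Referer) "
    "cs(User-Agent) sc-filter-result cs-categories x-virus-id s-ip cs-auth-type"
).split()

# Label -> output key for the 18 keys in the ticket's JSON sample. Labels not
# listed here keep their own name (an assumption; the ticket does not show them).
TICKET_KEYS = {
    "time-taken": "time_taken", "sc-status": "http_status",
    "s-action": "saction", "sc-bytes": "scbytes",
    "cs-bytes": "csbytes", "cs-method": "http_method",
    "cs-uri-scheme": "protocol", "cs-host": "cshost",
    "cs-uri-port": "ip_dst_port", "cs-uri-path": "http_uripath",
    "cs-username": "cs_username", "cs-auth-group": "csauthgroup",
    "s-supplier-name": "ssupliername", "cs(User-Agent)": "http_useragent",
    "sc-filter-result": "scfilterresult", "cs-categories": "cscategories",
    "s-ip": "proxy_ip_addr", "cs-auth-type": "csauthtype",
}

# A token is a double-quoted run (may contain spaces) or a bare word. shlex is
# avoided: in POSIX mode it treats "\" as an escape and would drop it from ORG\GR.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def parse_bluecoat(line):
    """Return a dict for one log line, or None if the field count is wrong."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in TOKEN.finditer(line)]
    if len(tokens) != len(LABELS):
        return None  # truncated or extra fields: refuse rather than misalign
    # "-" marks an empty field; such fields are left out of the record.
    return {TICKET_KEYS.get(label, label): value
            for label, value in zip(LABELS, tokens) if value != "-"}

# Sample line from the ticket.
SAMPLE = (
    r'2015-09-02 08:30:43 517 101.21.14.218 200 TCP_NC_MISS 212 1248 POST http '
    r'196.156.17.4 80 /idle/aF8mdz02zSLRiX-Z/1669 - abc123 '
    r'ORG\GR%20GG%20ORG%20USR%20Companyweb - 196.156.17.4 application/x-fcs - '
    r'"Shockwave Flash" OBSERVED "DestinationAppServers;Audio/Video Clips" - '
    r'10.79.11.218 Certificate'
)

if __name__ == "__main__":
    print(parse_bluecoat(SAMPLE))
```
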