Broadcom ProxySG
Collect access logs from Broadcom ProxySG with Elastic Agent.
Version | 0.3.1 |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security Observability |
Subscription level | Basic |
Level of support | Elastic |
ProxySG is a secure web gateway solution that enhances the security, performance, and management of web traffic for enterprises by providing URL filtering, advanced threat protection, and SSL inspection to identify and block malicious activities. It improves web application performance and reduces bandwidth usage by caching frequently accessed content, while supporting user authentication and access control policies based on various attributes. Additionally, ProxySG offers detailed reporting and analytics tools for insights into web usage patterns, security incidents, and policy compliance. Deployed as a physical or virtual appliance or in the cloud, ProxySG serves as a proxy server that inspects, filters, and manages web traffic to strengthen an organization's network security posture.
Data streams
The ProxySG integration collects access logs from an appliance. Logs can be delivered by syslog or as files uploaded from the appliance.
The log formats supported by ProxySG are described in the Broadcom ProxySG documentation. Currently the ProxySG integration supports the following formats:
- main
Requirements
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
Setup
ProxySG access logs can be exported from the appliance via syslog or file upload; the integration supports both.
Syslog
Configure ProxySG to send access logs via syslog to a remote server.
Add the integration, and configure it with "Collect logs from ProxySG via UDP" or "Collect logs from ProxySG via TCP".
In advanced options, select the "Access Log Format" value that matches the configured appliance access log format.
File Upload
Configure ProxySG to upload access logs to a remote server on a schedule.
Add the integration, and configure it with "Collect access logs from ProxySG via logging server file".
In advanced options, set "Paths" to the file pattern that matches the location files will be uploaded to on the remote server. Select the "Access Log Format" value that matches the configured appliance access log format.
Access Logs
An example event for log looks as follows:
{
"@timestamp": "2024-03-22T16:16:01Z",
"agent": {
"ephemeral_id": "c62f5fcb-3497-49a3-988a-a076cc2b9dd6",
"id": "d4460588-94a9-4ddb-8a40-c80a3b7db55a",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.14.1"
},
"client": {
"bytes": 969,
"ip": "10.82.255.36",
"user": {
"name": "aeinstein"
}
},
"data_stream": {
"dataset": "proxysg.log",
"namespace": "55535",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "d4460588-94a9-4ddb-8a40-c80a3b7db55a",
"snapshot": false,
"version": "8.14.1"
},
"event": {
"agent_id_status": "verified",
"dataset": "proxysg.log",
"duration": 48000000,
"ingested": "2024-09-12T22:16:57Z",
"original": "2024-03-22 16:16:01 48 10.82.255.36 302 TCP_NC_MISS 1242 969 GET https pixel.tapad.com 443 /idsync/ex/push ?partner_id=2499&partner_device_id=aeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553&partner_url=https%3A%2F%2Fa.vidoomy.com%2Fapi%2Frtbserver%2Fpbscookie%3Fuid%3Daeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553%26vid%3D280fa751e99651c4193ef92f6dab0f92%26dspid%3DCEN aeinstein - - pixel.tapad.com - https://vid.vidoomy.com/ OBSERVED \"FastwebRes_CallCntr;Web Ads/Analytics\" - 142.182.19.21 34.111.113.62 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\" sha256WithRSAEncryption",
"timezone": "+00:00"
},
"http": {
"request": {
"method": "GET",
"referrer": "-"
},
"response": {
"status_code": 302
}
},
"input": {
"type": "udp"
},
"log": {
"source": {
"address": "172.19.0.6:47495"
},
"syslog": {
"appname": "serverd",
"facility": {
"code": 1,
"name": "user-level"
},
"hostname": "srvr",
"priority": 13,
"severity": {
"code": 5,
"name": "Notice"
},
"version": "1"
}
},
"observer": {
"product": "ProxySG",
"vendor": "Broadcom"
},
"proxysg": {
"client": {
"ip": "10.82.255.36"
},
"client_to_server": {
"auth_group": "-",
"bytes": "969",
"categories": "FastwebRes_CallCntr;Web Ads/Analytics",
"host": "pixel.tapad.com",
"method": "GET",
"referer": "-",
"uri_path": "/idsync/ex/push",
"uri_port": 443,
"uri_query": "?partner_id=2499&partner_device_id=aeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553&partner_url=https%3A%2F%2Fa.vidoomy.com%2Fapi%2Frtbserver%2Fpbscookie%3Fuid%3Daeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553%26vid%3D280fa751e99651c4193ef92f6dab0f92%26dspid%3DCEN",
"uri_scheme": "https",
"user_agent": "https://vid.vidoomy.com/",
"username": "aeinstein"
},
"remote_to_server": {
"content_type": "pixel.tapad.com"
},
"server": {
"action": "TCP_NC_MISS",
"ip": "142.182.19.21",
"supplier_name": "-"
},
"server_to_client": {
"bytes": "1242",
"filter_result": "OBSERVED",
"status": "302"
},
"time_taken": 48,
"x_virus_id": "-"
},
"server": {
"bytes": 1242,
"ip": "142.182.19.21"
},
"tags": [
"preserve_original_event",
"forwarded"
],
"url": {
"domain": "pixel.tapad.com",
"path": "/idsync/ex/push",
"port": 443,
"query": "?partner_id=2499&partner_device_id=aeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553&partner_url=https%3A%2F%2Fa.vidoomy.com%2Fapi%2Frtbserver%2Fpbscookie%3Fuid%3Daeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553%26vid%3D280fa751e99651c4193ef92f6dab0f92%26dspid%3DCEN",
"registered_domain": "tapad.com",
"scheme": "https",
"subdomain": "pixel",
"top_level_domain": "com"
},
"user_agent": {
"device": {
"name": "Generic Feature Phone"
},
"name": "Other",
"original": "https://vid.vidoomy.com/"
}
}
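As an added example (not code from the integration), a small parser for the whitespace-separated, double-quoted access log line shown in event.original above. The field order is an assumption taken from how the example event maps the line's tokens, not from Broadcom's format reference, and any tokens beyond that list are returned separately so that a mismatch between the appliance's configured format and the collector's "Access Log Format" setting is noticed instead of silently shifting values into the wrong fields.

```python
import re
from typing import Dict, List, Tuple

# A token is either a double-quoted value (quotes stripped) or a bare run of non-whitespace.
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Field order assumed from how the example event on this page maps its tokens
# (not copied from Broadcom's format reference); adjust it to match the
# access log format configured on the appliance.
MAIN_FIELDS: List[str] = [
    "date", "time", "time_taken", "client.ip", "server_to_client.status",
    "server.action", "server_to_client.bytes", "client_to_server.bytes",
    "client_to_server.method", "client_to_server.uri_scheme", "client_to_server.host",
    "client_to_server.uri_port", "client_to_server.uri_path", "client_to_server.uri_query",
    "client_to_server.username", "client_to_server.auth_group", "server.supplier_name",
    "remote_to_server.content_type", "client_to_server.referer", "client_to_server.user_agent",
    "server_to_client.filter_result", "client_to_server.categories", "x_virus_id", "server.ip",
]
_INT_FIELDS = {"time_taken", "client_to_server.uri_port"}


def tokenize(line: str) -> List[str]:
    """Split on whitespace while keeping double-quoted values as a single token."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(line)]


def parse_access_log(line: str, fields: List[str] = MAIN_FIELDS) -> Tuple[Dict[str, object], List[str]]:
    """Map tokens onto field names; tokens past the end of the field list are
    returned unparsed so a format mismatch is visible rather than hidden."""
    tokens = tokenize(line)
    if len(tokens) < len(fields):
        raise ValueError(f"line has {len(tokens)} fields, format expects {len(fields)}")
    event: Dict[str, object] = {}
    for name, value in zip(fields, tokens):
        event[name] = int(value) if name in _INT_FIELDS else value
    return event, tokens[len(fields):]


# Constructed sample based on the event.original line above, with the long
# query string and user agent shortened.
SAMPLE = (
    "2024-03-22 16:16:01 48 10.82.255.36 302 TCP_NC_MISS 1242 969 GET https "
    "pixel.tapad.com 443 /idsync/ex/push ?partner_id=2499&partner_device_id=aeb6 "
    "aeinstein - - pixel.tapad.com - https://vid.vidoomy.com/ OBSERVED "
    '"FastwebRes_CallCntr;Web Ads/Analytics" - 142.182.19.21 34.111.113.62 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" sha256WithRSAEncryption'
)

if __name__ == "__main__":
    parsed, extra = parse_access_log(SAMPLE)
    print(parsed["client_to_server.host"], parsed["server_to_client.status"], parsed["server.action"])
    print("unparsed trailing tokens:", extra)
```

A non-empty trailing list (or a ValueError) is the signal to revisit the "Access Log Format" selection or the field list before trusting any detection built on these fields.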
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
input.type | Type of input. | keyword |
log.file.device_id | Log file device ID. | keyword |
log.file.inode | Log file inode. | keyword |
log.offset | Log offset. | long |
log.source.address | Source address for the log. | keyword |
proxysg.client.ip | | keyword |
proxysg.client_to_server.auth_group | | keyword |
proxysg.client_to_server.auth_groups | | keyword |
proxysg.client_to_server.bytes | | keyword |
proxysg.client_to_server.categories | | keyword |
proxysg.client_to_server.certificate_subject | | keyword |
proxysg.client_to_server.connection_negotiated_cipher | | keyword |
proxysg.client_to_server.connection_negotiated_cipher_size | | keyword |
proxysg.client_to_server.connection_negotiated_ssl_version | | keyword |
proxysg.client_to_server.host | | keyword |
proxysg.client_to_server.icap_error_details | | keyword |
proxysg.client_to_server.icap_status | | keyword |
proxysg.client_to_server.method | | keyword |
proxysg.client_to_server.ocsp_error | | keyword |
proxysg.client_to_server.referer | | keyword |
proxysg.client_to_server.rs_content_type | | keyword |
proxysg.client_to_server.threat_id | | keyword |
proxysg.client_to_server.threat_risk | | keyword |
proxysg.client_to_server.threat_source | | keyword |
proxysg.client_to_server.uri_extension | | keyword |
proxysg.client_to_server.uri_path | | keyword |
proxysg.client_to_server.uri_port | | long |
proxysg.client_to_server.uri_query | | keyword |
proxysg.client_to_server.uri_scheme | | keyword |
proxysg.client_to_server.user_agent | | keyword |
proxysg.client_to_server.userdn | | keyword |
proxysg.client_to_server.username | | keyword |
proxysg.client_to_server.x_requested_with | | keyword |
proxysg.remote.ip | | keyword |
proxysg.remote.supplier_country | | keyword |
proxysg.remote_to_server.certificate_hostection_negotname | | keyword |
proxysg.remote_to_server.certificate_hostection_negotnamecategory | | keyword |
proxysg.remote_to_server.certificate_hostname | | keyword |
proxysg.remote_to_server.certificate_hostname_category | | keyword |
proxysg.remote_to_server.certificate_hostname_threat_risk | | keyword |
proxysg.remote_to_server.certificate_observed_errors | | keyword |
proxysg.remote_to_server.certificate_validate_status | | keyword |
proxysg.remote_to_server.connection_negotiated_cipher | | keyword |
proxysg.remote_to_server.connection_negotiated_cipher_size | | keyword |
proxysg.remote_to_server.connection_negotiated_cipher_strength | | keyword |
proxysg.remote_to_server.connection_negotiated_ssl_version | | keyword |
proxysg.remote_to_server.content_type | | keyword |
proxysg.remote_to_server.icap_error_details | | keyword |
proxysg.remote_to_server.icap_status | | keyword |
proxysg.remote_to_server.ocsp_error | | keyword |
proxysg.remote_to_server.threat_id | | keyword |
proxysg.remote_to_server.threat_source | | keyword |
proxysg.server.action | | keyword |
proxysg.server.hierarchy | | keyword |
proxysg.server.ip | | keyword |
proxysg.server.sitename | | keyword |
proxysg.server.supplier_country | | keyword |
proxysg.server.supplier_failures | | keyword |
proxysg.server.supplier_ip | | keyword |
proxysg.server.supplier_name | | keyword |
proxysg.server_to_client.bytes | | keyword |
proxysg.server_to_client.filter_result | | keyword |
proxysg.server_to_client.status | | keyword |
proxysg.time_taken | | long |
proxysg.x_bluecoat.access_security_policy_action | | keyword |
proxysg.x_bluecoat.access_security_policy_reason | | keyword |
proxysg.x_bluecoat.access_type | | keyword |
proxysg.x_bluecoat.appliance_name | | keyword |
proxysg.x_bluecoat.application_groups | | keyword |
proxysg.x_bluecoat.application_name | | keyword |
proxysg.x_bluecoat.application_operation | | keyword |
proxysg.x_bluecoat.location_id | | keyword |
proxysg.x_bluecoat.location_name | | keyword |
proxysg.x_bluecoat.placeholder | | keyword |
proxysg.x_bluecoat.reference_id | | keyword |
proxysg.x_bluecoat.request_tenant_id | | keyword |
proxysg.x_bluecoat.transaction_uuid | | keyword |
proxysg.x_client_agent_sw | | keyword |
proxysg.x_client_agent_type | | keyword |
proxysg.x_client_device_id | | keyword |
proxysg.x_client_device_name | | keyword |
proxysg.x_client_device_type | | keyword |
proxysg.x_client_os | | keyword |
proxysg.x_client_security_posture_details | | keyword |
proxysg.x_client_security_posture_risk_score | | keyword |
proxysg.x_cloud_rs | | keyword |
proxysg.x_cs_certificate_subject | | keyword |
proxysg.x_cs_client_ip_country | | keyword |
proxysg.x_cs_connection_negotiated_cipher | | keyword |
proxysg.x_cs_connection_negotiated_cipher_size | | keyword |
proxysg.x_cs_connection_negotiated_ssl_version | | keyword |
proxysg.x_cs_ocsp_error | | keyword |
proxysg.x_data_leak_detected | | keyword |
proxysg.x_exception_id | | keyword |
proxysg.x_icap_reqmod_header_x_icap_metadata | | keyword |
proxysg.x_icap_respmod_header_x_icap_metadata | | keyword |
proxysg.x_random_ipv6 | | keyword |
proxysg.x_rs_certificate_hostname | | keyword |
proxysg.x_rs_certificate_hostname_categories | | keyword |
proxysg.x_rs_certificate_hostname_threat_risk | | keyword |
proxysg.x_rs_certificate_observed_errors | | keyword |
proxysg.x_rs_certificate_signature_algorithm | | keyword |
proxysg.x_rs_certificate_validate_status | | keyword |
proxysg.x_rs_connection_negotiated_cipher | | keyword |
proxysg.x_rs_connection_negotiated_cipher_size | | keyword |
proxysg.x_rs_connection_negotiated_ssl_version | | keyword |
proxysg.x_rs_ocsp_error | | keyword |
proxysg.x_sc_connection_issuer_keyring | | keyword |
proxysg.x_sc_connection_issuer_keyring_alias | | keyword |
proxysg.x_virus_id | | keyword |
Changelog
Version | Details | Kibana version(s) |
---|---|---|
0.3.1 | Bug fix | — |
0.3.0 | Enhancement | — |
0.2.0 | Enhancement | — |
0.1.0 | Enhancement | — |