Broadcom ProxySG

Collect access logs from Broadcom ProxySG with Elastic Agent.

Version
0.3.1
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

ProxySG is a secure web gateway solution that enhances the security, performance, and management of web traffic for enterprises by providing URL filtering, advanced threat protection, and SSL inspection to identify and block malicious activities. It improves web application performance and reduces bandwidth usage by caching frequently accessed content, while supporting user authentication and access control policies based on various attributes. Additionally, ProxySG offers detailed reporting and analytics tools for insights into web usage patterns, security incidents, and policy compliance. Deployed as a physical or virtual appliance or in the cloud, ProxySG serves as a proxy server that inspects, filters, and manages web traffic to strengthen an organization's network security posture.

Data streams

The ProxySG integration collects access logs from an appliance. Logs can be delivered over syslog or as files uploaded from the appliance.

The access log formats supported by ProxySG are described in the Broadcom ProxySG documentation. Currently the ProxySG integration supports the following formats:

  • main
  • bcreportermain_v1, bcreporterssl_v1 and ssl (added in version 0.2.0; see the changelog)

Requirements

You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

Setup

ProxySG access logs can be exported from the appliance via syslog or file upload; the integration supports both.

Syslog

Configure ProxySG to send access logs via syslog to a remote server.

Add the integration, and configure it with "Collect logs from ProxySG via UDP" or "Collect logs from ProxySG via TCP". If the appliance wraps each record in a syslog header (as in the example event below, which carries log.syslog.* fields), enable syslog parsing on the input: since version 0.3.0 the TCP and UDP inputs do not parse syslog headers by default (see the changelog).

In advanced options, select the "Access Log Format" value that matches the access log format configured on the appliance. ProxySG access log lines are positional (the line itself carries no field names), so a mismatched format does not make parsing fail outright: values land under the wrong field names, for example a referrer URL under user_agent.original. Compare a few ingested events against the raw line in event.original before relying on the data.

File Upload

Configure ProxySG to upload access logs to a remote server on a schedule.

Add the integration, and configure it with "Collect access logs from ProxySG via logging server file".

In advanced options, set "Paths" to the file pattern that matches the location on the remote server to which the files are uploaded. Select the "Access Log Format" value that matches the access log format configured on the appliance; the same positional-mismatch caveat as for syslog applies.
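The two setup paths above both depend on the configured format matching what the appliance actually writes. The following example, added here and not part of the Elastic integration or of Broadcom's software, shows what that dependency looks like in code: it strips the RFC 5424 syslog header the appliance adds (PRI 13 decodes to facility 1 / severity 5, as in the example event below), tokenizes the W3C ELFF record, maps it positionally onto field names, and runs type sanity checks that catch the silent misalignment a wrong "Access Log Format" produces. The field order in MAIN_FIELDS is assumed to be the ProxySG "main" format; the sample frame and the SWAPPED_FIELDS layout are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# RFC 5424 frame: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# Assumed "main" field order; verify against the format configured on the appliance.
MAIN_FIELDS = [
    "date", "time", "time-taken", "c-ip", "cs-username", "cs-auth-group",
    "x-exception-id", "sc-filter-result", "cs-categories", "cs(Referer)",
    "sc-status", "s-action", "cs-method", "rs(Content-Type)", "cs-uri-scheme",
    "cs-host", "cs-uri-port", "cs-uri-path", "cs-uri-query", "cs-uri-extension",
    "cs(User-Agent)", "s-ip", "sc-bytes", "cs-bytes", "x-virus-id",
]

def parse_syslog(line):
    """Split an RFC 5424 frame into facility/severity (from PRI) and the payload."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 frame")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,
            "hostname": m["host"], "appname": m["app"], "msg": m["msg"]}

def tokenize_elff(msg):
    """Split a W3C ELFF record: space-delimited; double-quoted fields may contain spaces."""
    tokens, i, n = [], 0, len(msg)
    while i < n:
        if msg[i] == " ":
            i += 1
        elif msg[i] == '"':
            j = msg.find('"', i + 1)
            if j == -1:
                raise ValueError("unterminated quoted field")
            tokens.append(msg[i + 1:j])
            i = j + 1
        else:
            j = msg.find(" ", i)
            j = n if j == -1 else j
            tokens.append(msg[i:j])
            i = j
    return tokens

def parse_access_log(msg, fields=MAIN_FIELDS):
    """Map tokens onto field names by position, then onto a few ECS-style keys."""
    tokens = tokenize_elff(msg)
    if len(tokens) != len(fields):  # the only mismatch a positional parser can detect on its own
        raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}")
    raw = dict(zip(fields, tokens))
    val = lambda k: None if raw[k] == "-" else raw[k]  # ProxySG writes "-" for empty values
    ts = datetime.strptime(f"{raw['date']} {raw['time']}", "%Y-%m-%d %H:%M:%S")
    return {
        "@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(),
        "event.duration": int(raw["time-taken"]) * 1_000_000,  # time-taken is ms; ECS wants ns
        "client.ip": val("c-ip"), "client.user.name": val("cs-username"),
        "http.request.method": val("cs-method"), "http.request.referrer": val("cs(Referer)"),
        "http.response.status_code": raw["sc-status"],
        "url.domain": val("cs-host"), "url.path": val("cs-uri-path"), "url.query": val("cs-uri-query"),
        "user_agent.original": val("cs(User-Agent)"), "server.ip": val("s-ip"),
        "server.bytes": raw["sc-bytes"], "client.bytes": raw["cs-bytes"],
        "proxysg.server.action": val("s-action"),
        "proxysg.server_to_client.filter_result": val("sc-filter-result"),
        "proxysg.client_to_server.categories": val("cs-categories"),
    }

def sanity_check(event):
    """Type checks that expose a wrong field order: the token count still matches,
    so values silently land under the wrong keys."""
    warnings = []
    if not re.fullmatch(r"[1-5]\d\d", event["http.response.status_code"] or ""):
        warnings.append("http.response.status_code")
    for k in ("client.ip", "server.ip"):
        try:
            ipaddress.ip_address(event[k])
        except ValueError:
            warnings.append(k)
    for k in ("server.bytes", "client.bytes"):
        if not (event[k] or "").isdigit():
            warnings.append(k)
    if (event["user_agent.original"] or "").startswith(("http://", "https://")):
        warnings.append("user_agent.original")  # a referrer URL has landed in the UA slot
    return warnings

# Constructed sample frame (not real traffic); values mirror the page's example event.
SAMPLE = (
    "<13>1 2024-03-22T16:16:01Z srvr serverd - - - "
    "2024-03-22 16:16:01 48 10.82.255.36 aeinstein - - OBSERVED "
    '"FastwebRes_CallCntr;Web Ads/Analytics" https://vid.vidoomy.com/ 302 TCP_NC_MISS GET '
    "text/html https pixel.tapad.com 443 /idsync/ex/push ?partner_id=2499 - "
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" 142.182.19.21 1242 969 -'
)

# Hypothetical custom layout with the same field count but Referer and User-Agent swapped.
_SWAP = {"cs(Referer)": "cs(User-Agent)", "cs(User-Agent)": "cs(Referer)"}
SWAPPED_FIELDS = [_SWAP.get(f, f) for f in MAIN_FIELDS]

if __name__ == "__main__":
    frame = parse_syslog(SAMPLE)
    good = parse_access_log(frame["msg"])
    bad = parse_access_log(frame["msg"], SWAPPED_FIELDS)
    print(frame["facility"], frame["severity"], sanity_check(good), sanity_check(bad))
```

Running the block parses the same payload twice: with the matching layout every check passes, with the swapped layout the referrer URL surfaces under user_agent.original, which is exactly the symptom to look for in Kibana after choosing an "Access Log Format". The count check in parse_access_log only catches formats with a different number of fields; type checks like sanity_check are what catch the rest.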

Access Logs

An example event for the log data stream looks as follows:

{
    "@timestamp": "2024-03-22T16:16:01Z",
    "agent": {
        "ephemeral_id": "c62f5fcb-3497-49a3-988a-a076cc2b9dd6",
        "id": "d4460588-94a9-4ddb-8a40-c80a3b7db55a",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.14.1"
    },
    "client": {
        "bytes": 969,
        "ip": "10.82.255.36",
        "user": {
            "name": "aeinstein"
        }
    },
    "data_stream": {
        "dataset": "proxysg.log",
        "namespace": "55535",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "d4460588-94a9-4ddb-8a40-c80a3b7db55a",
        "snapshot": false,
        "version": "8.14.1"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "proxysg.log",
        "duration": 48000000,
        "ingested": "2024-09-12T22:16:57Z",
        "original": "2024-03-22 16:16:01 48 10.82.255.36 302 TCP_NC_MISS 1242 969 GET https pixel.tapad.com 443 /idsync/ex/push ?partner_id=2499&partner_device_id=aeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553&partner_url=https%3A%2F%2Fa.vidoomy.com%2Fapi%2Frtbserver%2Fpbscookie%3Fuid%3Daeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553%26vid%3D280fa751e99651c4193ef92f6dab0f92%26dspid%3DCEN aeinstein - - pixel.tapad.com - https://vid.vidoomy.com/ OBSERVED \"FastwebRes_CallCntr;Web Ads/Analytics\" - 142.182.19.21 34.111.113.62 \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36\" sha256WithRSAEncryption",
        "timezone": "+00:00"
    },
    "http": {
        "request": {
            "method": "GET",
            "referrer": "-"
        },
        "response": {
            "status_code": 302
        }
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "172.19.0.6:47495"
        },
        "syslog": {
            "appname": "serverd",
            "facility": {
                "code": 1,
                "name": "user-level"
            },
            "hostname": "srvr",
            "priority": 13,
            "severity": {
                "code": 5,
                "name": "Notice"
            },
            "version": "1"
        }
    },
    "observer": {
        "product": "ProxySG",
        "vendor": "Broadcom"
    },
    "proxysg": {
        "client": {
            "ip": "10.82.255.36"
        },
        "client_to_server": {
            "auth_group": "-",
            "bytes": "969",
            "categories": "FastwebRes_CallCntr;Web Ads/Analytics",
            "host": "pixel.tapad.com",
            "method": "GET",
            "referer": "-",
            "uri_path": "/idsync/ex/push",
            "uri_port": 443,
            "uri_query": "?partner_id=2499&partner_device_id=aeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553&partner_url=https%3A%2F%2Fa.vidoomy.com%2Fapi%2Frtbserver%2Fpbscookie%3Fuid%3Daeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553%26vid%3D280fa751e99651c4193ef92f6dab0f92%26dspid%3DCEN",
            "uri_scheme": "https",
            "user_agent": "https://vid.vidoomy.com/",
            "username": "aeinstein"
        },
        "remote_to_server": {
            "content_type": "pixel.tapad.com"
        },
        "server": {
            "action": "TCP_NC_MISS",
            "ip": "142.182.19.21",
            "supplier_name": "-"
        },
        "server_to_client": {
            "bytes": "1242",
            "filter_result": "OBSERVED",
            "status": "302"
        },
        "time_taken": 48,
        "x_virus_id": "-"
    },
    "server": {
        "bytes": 1242,
        "ip": "142.182.19.21"
    },
    "tags": [
        "preserve_original_event",
        "forwarded"
    ],
    "url": {
        "domain": "pixel.tapad.com",
        "path": "/idsync/ex/push",
        "port": 443,
        "query": "?partner_id=2499&partner_device_id=aeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553&partner_url=https%3A%2F%2Fa.vidoomy.com%2Fapi%2Frtbserver%2Fpbscookie%3Fuid%3Daeb66687-eabe-442e-b11e-79494b740d0d-640ba437-5553%26vid%3D280fa751e99651c4193ef92f6dab0f92%26dspid%3DCEN",
        "registered_domain": "tapad.com",
        "scheme": "https",
        "subdomain": "pixel",
        "top_level_domain": "com"
    },
    "user_agent": {
        "device": {
            "name": "Generic Feature Phone"
        },
        "name": "Other",
        "original": "https://vid.vidoomy.com/"
    }
}

Exported fields

Field | Description | Type
@timestamp | Event timestamp. | date
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
input.type | Type of input. | keyword
log.file.device_id | Log file device ID. | keyword
log.file.inode | Log file inode. | keyword
log.offset | Log offset. | long
log.source.address | Source address for the log. | keyword
proxysg.client.ip | | keyword
proxysg.client_to_server.auth_group | | keyword
proxysg.client_to_server.auth_groups | | keyword
proxysg.client_to_server.bytes | | keyword
proxysg.client_to_server.categories | | keyword
proxysg.client_to_server.certificate_subject | | keyword
proxysg.client_to_server.connection_negotiated_cipher | | keyword
proxysg.client_to_server.connection_negotiated_cipher_size | | keyword
proxysg.client_to_server.connection_negotiated_ssl_version | | keyword
proxysg.client_to_server.host | | keyword
proxysg.client_to_server.icap_error_details | | keyword
proxysg.client_to_server.icap_status | | keyword
proxysg.client_to_server.method | | keyword
proxysg.client_to_server.ocsp_error | | keyword
proxysg.client_to_server.referer | | keyword
proxysg.client_to_server.rs_content_type | | keyword
proxysg.client_to_server.threat_id | | keyword
proxysg.client_to_server.threat_risk | | keyword
proxysg.client_to_server.threat_source | | keyword
proxysg.client_to_server.uri_extension | | keyword
proxysg.client_to_server.uri_path | | keyword
proxysg.client_to_server.uri_port | | long
proxysg.client_to_server.uri_query | | keyword
proxysg.client_to_server.uri_scheme | | keyword
proxysg.client_to_server.user_agent | | keyword
proxysg.client_to_server.userdn | | keyword
proxysg.client_to_server.username | | keyword
proxysg.client_to_server.x_requested_with | | keyword
proxysg.remote.ip | | keyword
proxysg.remote.supplier_country | | keyword
proxysg.remote_to_server.certificate_hostection_negotname | | keyword
proxysg.remote_to_server.certificate_hostection_negotnamecategory | | keyword
proxysg.remote_to_server.certificate_hostname | | keyword
proxysg.remote_to_server.certificate_hostname_category | | keyword
proxysg.remote_to_server.certificate_hostname_threat_risk | | keyword
proxysg.remote_to_server.certificate_observed_errors | | keyword
proxysg.remote_to_server.certificate_validate_status | | keyword
proxysg.remote_to_server.connection_negotiated_cipher | | keyword
proxysg.remote_to_server.connection_negotiated_cipher_size | | keyword
proxysg.remote_to_server.connection_negotiated_cipher_strength | | keyword
proxysg.remote_to_server.connection_negotiated_ssl_version | | keyword
proxysg.remote_to_server.content_type | | keyword
proxysg.remote_to_server.icap_error_details | | keyword
proxysg.remote_to_server.icap_status | | keyword
proxysg.remote_to_server.ocsp_error | | keyword
proxysg.remote_to_server.threat_id | | keyword
proxysg.remote_to_server.threat_source | | keyword
proxysg.server.action | | keyword
proxysg.server.hierarchy | | keyword
proxysg.server.ip | | keyword
proxysg.server.sitename | | keyword
proxysg.server.supplier_country | | keyword
proxysg.server.supplier_failures | | keyword
proxysg.server.supplier_ip | | keyword
proxysg.server.supplier_name | | keyword
proxysg.server_to_client.bytes | | keyword
proxysg.server_to_client.filter_result | | keyword
proxysg.server_to_client.status | | keyword
proxysg.time_taken | | long
proxysg.x_bluecoat.access_security_policy_action | | keyword
proxysg.x_bluecoat.access_security_policy_reason | | keyword
proxysg.x_bluecoat.access_type | | keyword
proxysg.x_bluecoat.appliance_name | | keyword
proxysg.x_bluecoat.application_groups | | keyword
proxysg.x_bluecoat.application_name | | keyword
proxysg.x_bluecoat.application_operation | | keyword
proxysg.x_bluecoat.location_id | | keyword
proxysg.x_bluecoat.location_name | | keyword
proxysg.x_bluecoat.placeholder | | keyword
proxysg.x_bluecoat.reference_id | | keyword
proxysg.x_bluecoat.request_tenant_id | | keyword
proxysg.x_bluecoat.transaction_uuid | | keyword
proxysg.x_client_agent_sw | | keyword
proxysg.x_client_agent_type | | keyword
proxysg.x_client_device_id | | keyword
proxysg.x_client_device_name | | keyword
proxysg.x_client_device_type | | keyword
proxysg.x_client_os | | keyword
proxysg.x_client_security_posture_details | | keyword
proxysg.x_client_security_posture_risk_score | | keyword
proxysg.x_cloud_rs | | keyword
proxysg.x_cs_certificate_subject | | keyword
proxysg.x_cs_client_ip_country | | keyword
proxysg.x_cs_connection_negotiated_cipher | | keyword
proxysg.x_cs_connection_negotiated_cipher_size | | keyword
proxysg.x_cs_connection_negotiated_ssl_version | | keyword
proxysg.x_cs_ocsp_error | | keyword
proxysg.x_data_leak_detected | | keyword
proxysg.x_exception_id | | keyword
proxysg.x_icap_reqmod_header_x_icap_metadata | | keyword
proxysg.x_icap_respmod_header_x_icap_metadata | | keyword
proxysg.x_random_ipv6 | | keyword
proxysg.x_rs_certificate_hostname | | keyword
proxysg.x_rs_certificate_hostname_categories | | keyword
proxysg.x_rs_certificate_hostname_threat_risk | | keyword
proxysg.x_rs_certificate_observed_errors | | keyword
proxysg.x_rs_certificate_signature_algorithm | | keyword
proxysg.x_rs_certificate_validate_status | | keyword
proxysg.x_rs_connection_negotiated_cipher | | keyword
proxysg.x_rs_connection_negotiated_cipher_size | | keyword
proxysg.x_rs_connection_negotiated_ssl_version | | keyword
proxysg.x_rs_ocsp_error | | keyword
proxysg.x_sc_connection_issuer_keyring | | keyword
proxysg.x_sc_connection_issuer_keyring_alias | | keyword
proxysg.x_virus_id | | keyword

Changelog

Version | Details

0.3.1 | Bug fix: Add format config to all inputs.

0.3.0 | Enhancement: Do not do syslog parsing by default in TCP and UDP inputs.

0.2.0 | Enhancement: Add support for 'bcreportermain_v1', 'bcreporterssl_v1' and 'ssl' formats.

0.1.0 | Enhancement: Initial creation of the integration.
