Broadcom ProxySG (Preview)

This package provides a preview parser for Broadcom ProxySG events in JSON format. The resulting Proxy data can be used together with data on users and endpoints to indicate the presence of threat actors in the system and insider threats.

The parser normalizes data to a common schema based on an OpenTelemetry standard. This schema allows you to search the data without knowing Broadcom ProxySG data specifically, as you only need to be familiar with the common schema. It also allows you to combine the data more easily with other data sources which conform to the same schema.

Preview Status

Note that this package is considered a PREVIEW. This means we are seeking feedback on the package, and may make breaking changes to the parser in the future. It means also it may not include all the documentation which usually we publish for packages.

Given the preview status of this package there are some limitations to what the parser is able to do. Please check out the package on Marketplace to see the most recent list of limitations.

Installing the Broadcom ProxySG Package in LogScale

Find the repository where you want to send the Broadcom ProxySG logs, or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package (i.e. broadcom/proxysg).

  3. When the package has finished installing, click Ingest tokens on the left still under Settings.

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g. the name of the server the token is ingesting logs for), and leave the parser unassigned.

    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

Getting Broadcom ProxySG Data into LogScale

The following steps must be performed to get ingest data using LogScale.

  • Add the following snippet to your LogScale Collector configuration, see Configuring LogScale Collector for more information on the LogScale Collector.

      type: syslog
      mode: udp
      port: 1514
      sink: logscale
      parser: "broadcom/proxysg::syslog-utc"
  • Configure Broadcom ProxySG to send logs to a Syslog Server. Note that you must not use the port 514.

Verify Data is Arriving in LogScale

Once you have completed the above steps the Broadcom ProxySG data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #Vendor = "broadcom" | Product = "proxysg" to see the Broadcom ProxySG events.


The Broadcom ProxySG output must be formatted as follows:

<111>1 $(date)T$(x-bluecoat-hour-utc):$(x-bluecoat-minute-utc):$(x-bluecoat-second-utc)Z $(s-computername) ProxySG - logscale_format - cIp=$(c-ip) rsContentType=$(quot)$(rs(Content-Type))$(quot) csAuthGroups=$(cs-auth-groups) csBytes=$(cs-bytes) csCategories=$(cs-categories) csHost=$(cs-host) csIp=$(cs-ip) csMethod=$(cs-method) csUriPort=$(cs-uri-port) csUriScheme=$(cs-uri-scheme) csUserAgent=$(quot)$(cs(User-Agent))$(quot) csUsername=$(cs-username) dnslookupTime=$(dnslookup-time) duration=$(duration) rsStatus=$(rs-status) rsVersion=$(rs-version) sAction=$(s-action) sIp=$(s-ip) serviceName=$( serviceGroup=$( sSupplierIp=$(s-supplier-ip) sSupplierName=$(s-supplier-name) scBytes=$(sc-bytes) scFilterResult=$(sc-filter-result) scStatus=$(sc-status) timeTaken=$(time-taken) xExceptionId=$(x-exception-id) xVirusId=$(x-virus-id) cUrl=$(quot)$(url)$(quot) csReferer=$(quot)$(cs(Referer))$(quot) cCpu=$(c-cpu) connectTime=$(connect-time) csAuthGroups=$(cs-auth-groups) csHeaderlength=$(cs-headerlength) csThreatRisk=$(cs-threat-risk) rIp=$(r-ip) rSupplierIp=$(r-supplier-ip) rsTimeTaken=$(rs-time-taken) rsServer=$(rs(server)) sConnectType=$(s-connect-type) sIcapStatus=$(s-icap-status) sSitename=$(s-sitename) sSourcePort=$(s-source-port) sSupplierCountry=$(s-supplier-country) scContentEncoding=$(sc(Content-Encoding)) srAcceptEncoding=$(sr(Accept-Encoding)) xAuthCredentialType=$(x-auth-credential-type) xCookieDate=$(x-cookie-date) xCsCertificateSubject=$(x-cs-certificate-subject) xCsConnectionNegotiatedCipher=$(x-cs-connection-negotiated-cipher) xCsConnectionNegotiatedCipherSize=$(x-cs-connection-negotiated-cipher-size) xCsConnectionNegotiatedSslVersion=$(x-cs-connection-negotiated-ssl-version) xCsOcspError=$(x-cs-ocsp-error) xCsRefererUri=$(x-cs(Referer)-uri) xCsRefererUriAddress=$(x-cs(Referer)-uri-address) xCsRefererUriExtension=$(x-cs(Referer)-uri-extension) xCsRefererUriHost=$(x-cs(Referer)-uri-host) xCsRefererUriHostname=$(x-cs(Referer)-uri-hostname) xCsRefererUriPath=$(x-cs(Referer)-uri-path) xCsRefererUriPathquery=$(x-cs(Referer)-uri-pathquery) xCsRefererUriPort=$(x-cs(Referer)-uri-port) xCsRefererUriQuery=$(x-cs(Referer)-uri-query) xCsRefererUriScheme=$(x-cs(Referer)-uri-scheme) xCsRefererUriStem=$(x-cs(Referer)-uri-stem) xExceptionCategory=$(x-exception-category) xExceptionCategoryReviewMessage=$(x-exception-category-review-message) xExceptionCompanyName=$(x-exception-company-name) xExceptionContact=$(x-exception-contact) xExceptionDetails=$(x-exception-details) xExceptionHeader=$(x-exception-header) xExceptionHelp=$(x-exception-help) xExceptionLastError=$(x-exception-last-error) xExceptionReason=$(x-exception-reason) xExceptionSourcefile=$(x-exception-sourcefile) xExceptionSourceline=$(x-exception-sourceline) xExceptionSummary=$(x-exception-summary) xIcapErrorCode=$(x-icap-error-code) xRsCertificateHostname=$(x-rs-certificate-hostname) xRsCertificateHostnameCategory=$(x-rs-certificate-hostname-category) xRsCertificateObservedErrors=$(x-rs-certificate-observed-errors) xRsCertificateSubject=$(x-rs-certificate-subject) xRsCertificateValidateStatus=$(x-rs-certificate-validate-status) xRsConnectionNegotiatedCipher=$(x-rs-connection-negotiated-cipher) xRsConnectionNegotiatedCipherSize=$(x-rs-connection-negotiated-cipher-size) xRsConnectionNegotiatedSslVersion=$(x-rs-connection-negotiated-ssl-version) xRsOcspError=$(x-rs-ocsp-error) csUriExtension=$(cs-uri-extension) csUriPath=$(cs-uri-path) csUriQuery=$(quot)$(cs-uri-query)$(quot) cUriPathquery=$(c-uri-pathquery)

Package Contents Explained

This package is only for parsing incoming data, and normalizing the data as part of that parsing. The parser normalizes the data to a subset of this schema based on OpenTelemetry standards, while still preserving the original data.

If you want to search using the original field names and values, you can access those in the fields whose names are prefixed with the word "Vendor". Fields which are not prefixed with "Vendor" are standard fields which are either based on the schema (e.g. source.ip) or on LogScale conventions (e.g. @rawstring).

The fields which the parser currently maps the data to, are chosen based on what seems the most relevant, and will potentially be expanded in the future. But the parser won't necessarily normalize every field that has potential to be normalized.

Event Categorisation

As part of the schema, events are categorized into the following field/s:

  • event.category

event.category and is an array, so it needs to be searched like so:

array:contains("event.category[]", value="network")

This will find events where some event.category[n] field contains the value "network", regardless of what `n` is. Note that not all events will be categorized to this level of detail.

Normalized Fields

Here are some of the normalized fields which are being set by this parser:

  • client.* (e.g. client.ip)

  • http.* (e.g. http.request.method, http.response.status_code)