BlueCoat Proxy – Log Injection For Rule Tracking

Unfortunately BlueCoat doesn't have a nice and fancy log-tracker utility like the one CheckPoint has in SmartTracker. Rules do not have numbers per se, but you can work around this with a few log-injection smoke-and-mirrors tricks. There are a few unused (or rarely used) log variables that can be combined with a specific action on a rule so that, when the rule matches, a log line is written containing a piece of text of your choosing.

BlueCoat Log injection for rule tracking

1. For the action, create a new "Combined Action Object".
2. Name the combo object based on what it is doing (Tag-Allow-RuleNameXYZ).
3. Add the legacy action (allow/deny/malwareDeny/etc.) to the combo object.
4. Click NEW and create a new "Access Log Field Override Object".
5. Name the object based on what it is doing (log-tag-RuleDescription):
   a. Log Name: NIC_Format
   b. Field Name: x-virus-id
   c. Rewrite Value to: filter-rule#

Here is what it looks like in VPM:
This specific one is combined with a force-deny for a malware object.

NOTE: Keep the description as short as possible. Most logging systems (enVision, for one example) only keep a portion of the log line, so we don't want to make our log string too long and risk it not showing up in the logs.

After you have configured the X-Virus-ID tag to be included in a combination action in the "Actions" section of the VPM, it will trigger only when the rule is matched completely. I normally use this for finding the needle in a haystack, like a policy audit, perhaps for a network that is supposedly "no longer in use". If it is still in use, you can see it pretty quickly.
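To show the needle-in-a-haystack search end to end, here is an added example (not from the original post) that parses a constructed BlueCoat ELFF access log, picks out the records whose x-virus-id field carries a filter-rule# tag, and reports hits and client IPs per tag. The field list and the "filter-rule#<name>" tag naming are assumptions standing in for the NIC_Format log and the rewrite value from step 5c.

```python
import csv
from collections import Counter, defaultdict

# Constructed sample of a BlueCoat ELFF access log with a trimmed custom field list
# (standing in for the "NIC_Format" log). "-" in x-virus-id is the normal empty
# value; "filter-rule#..." values are the tags injected by the field override.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username sc-filter-result sc-status s-action cs-method cs-host cs-uri-path cs(User-Agent) x-virus-id
2024-05-01 10:00:01 10.1.1.5 jdoe OBSERVED 200 TCP_HIT GET example.com /index.html "Mozilla/5.0 (Windows NT 10.0)" -
2024-05-01 10:00:02 10.1.1.9 asmith DENIED 403 TCP_DENIED GET legacy-app.corp.example /login "Mozilla/5.0 (X11; Linux)" filter-rule#legacy-net-deny
2024-05-01 10:00:05 10.1.1.5 jdoe OBSERVED 200 TCP_NC_MISS GET legacy-app.corp.example /api "curl/8.0" filter-rule#legacy-net-allow
2024-05-01 10:00:07 10.2.2.7 - DENIED 403 TCP_DENIED GET bad.example /payload.exe "Mozilla/5.0" filter-rule#malware-force-deny
2024-05-01 10:00:09 10.1.1.9 asmith DENIED 403 TCP_DENIED POST legacy-app.corp.example /login "Mozilla/5.0 (X11; Linux)" filter-rule#legacy-net-deny
"""

TAG_PREFIX = "filter-rule#"  # the "Rewrite Value to" string from step 5c, minus the rule name


def parse_elff(text):
    """Yield one dict per record, mapping the log's #Fields header onto each line."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].split()
        elif raw.startswith("#") or not raw.strip():
            continue  # other directives (#Software, #Date, ...) carry no records
        elif fields is None:
            raise ValueError("record seen before the #Fields header")
        else:
            # a space-delimited csv reader honours the double quotes ELFF puts
            # around values containing spaces, such as cs(User-Agent)
            values = next(csv.reader([raw], delimiter=" ", quotechar='"'))
            if len(values) == len(fields):  # skip malformed lines, never misalign columns
                yield dict(zip(fields, values))


def rule_hits(text, prefix=TAG_PREFIX):
    """Count records per injected rule tag and collect the client IPs that hit each."""
    counts, clients = Counter(), defaultdict(set)
    for rec in parse_elff(text):
        tag = rec.get("x-virus-id", "-")
        if tag.startswith(prefix):  # "-" or a real scanner virus id is not one of our tags
            name = tag[len(prefix):]
            counts[name] += 1
            clients[name].add(rec["c-ip"])
    return counts, {k: sorted(v) for k, v in clients.items()}
```

Calling `rule_hits(SAMPLE_LOG)` on the constructed log shows two clients still hitting the "legacy-net" rules, which is exactly the "supposedly no longer in use" signal the audit is after.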

Another NOTE: This is NOT meant to be a replacement for scouring logs; it is merely an alternative method for finding things.