Unfortunately BlueCoat doesn't have a nice log-tracking utility like CheckPoint has in SmartView Tracker. Rules do not have numbers per se, but you can work around this with a bit of log-injection smoke and mirrors. There are a few unused (or rarely used) access log fields that can be overridden by a specific action on a rule so that, when the rule matches, the log line carries a piece of text of your choosing. Keep in mind that the field then holds your tag instead of whatever would normally be logged there (x-virus-id, for example, is where the ICAP scan result would go), so pick one you are not relying on.
BlueCoat Log injection for rule tracking
1. For the Action, create a new "Combined Action Object".
2. Name the combo object after what it does (for example Tag-Allow-RuleNameXYZ).
3. Add the legacy action (allow/deny/malwareDeny/etc.) to the combo object.
4. Click New and create a new "Access Log Field Override Object".
5. Name the object after what it does (for example log-tag-RuleDescription), then set:
   a. Log Name: NIC_Format (the access log you want the tag written to; its format must include the x-virus-id field, or the override has nothing to write into)
   b. Field Name: x-virus-id
   c. Rewrite Value to: filter-rule# followed by a short rule description
6. Add the override object to the combo object alongside the legacy action, and use the combo object as the rule's Action.
Here is what it looks like in VPM:
This specific one is combined with a force-deny for a malware object.
NOTE: Keep the description as short as possible. Most log management systems (RSA enVision, for one) only keep a portion of each log line, so we don't want to make the tag string so long that it gets truncated and never shows up in the logs.
Once the x-virus-id override is part of the Combined Action Object used in the "Actions" column of the VPM rule, it fires only when that rule matches completely. I normally use this for finding the needle in a haystack, such as during a policy audit, for example for a network that is supposedly "no longer in use": if it is still in use, you can see it pretty quickly.
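Here is the other half of the trick, as an added example that is not part of the original post: once the tag is in the access log, pull the tagged lines back out and see who is still hitting the rule. The script parses the ELFF layout ProxySG writes (a `#Fields:` header followed by space-separated records, with double quotes around values that contain spaces) and reports, per rule tag, the hit count and the distinct client IPs and hosts. The log lines are constructed samples, the `filter-rule#` prefix and the tag names after it are assumed to follow the naming from the steps above, and the field list in the header is a trimmed-down one chosen for the example.

```python
#!/usr/bin/env python3
"""Audit ProxySG access logs for rule-tracking tags written into x-virus-id.

Added example for this post. The log below is a constructed sample in the
ELFF layout ProxySG writes, not a real capture; the field list is trimmed.
"""
import shlex
from collections import defaultdict

# Constructed sample access log. The only field this trick depends on is
# x-virus-id, which the combined action overrides with the rule tag.
# Line 4 carries a real ICAP virus ID to show it is not confused with a tag.
SAMPLE_LOG = """#Software: SGOS
#Version: 1.0
#Fields: date time time-taken c-ip sc-status s-action cs-method cs-uri-scheme cs-host cs-uri-path x-virus-id
2014-03-10 13:01:02 120 10.20.30.5 403 TCP_DENIED GET http legacy-app.internal /index.html filter-rule#Deny-OldNet
2014-03-10 13:01:03 88 10.1.1.7 200 TCP_HIT GET http www.example.com / -
2014-03-10 13:01:05 301 10.20.30.9 403 TCP_DENIED GET http legacy-app.internal /api/v1 filter-rule#Deny-OldNet
2014-03-10 13:01:06 95 10.1.1.8 403 TCP_DENIED GET http bad.example.net /x.exe "Trojan.Generic.123"
2014-03-10 13:01:07 40 10.1.1.9 200 TCP_HIT POST https sso.example.com /login filter-rule#Tag-Allow-SSO
"""

# Assumed prefix: the same text the post puts in "Rewrite Value to".
TAG_PREFIX = "filter-rule#"


def parse_elff(text):
    """Return one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date, ...)
        if fields is None:
            raise ValueError("record appears before the #Fields: header")
        # ELFF quotes values containing spaces; shlex.split honours the quotes
        # and, with its default comments=False, leaves the '#' in our tag alone.
        values = shlex.split(line)
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def rule_hits(records, prefix=TAG_PREFIX):
    """Group records whose x-virus-id carries a rule tag, keyed by the tag text.

    A real ICAP virus ID (no prefix) or '-' (field not set) is left out, so the
    result only contains lines the override action produced.
    """
    hits = defaultdict(list)
    for rec in records:
        value = rec.get("x-virus-id", "-")
        if value.startswith(prefix):
            hits[value[len(prefix):]].append(rec)
    return dict(hits)


def audit(records, prefix=TAG_PREFIX):
    """Per rule tag: hit count plus the distinct clients and hosts still matching it."""
    report = {}
    for tag, recs in rule_hits(records, prefix).items():
        report[tag] = {
            "hits": len(recs),
            "clients": sorted({r["c-ip"] for r in recs}),
            "hosts": sorted({r["cs-host"] for r in recs}),
        }
    return report


if __name__ == "__main__":
    for tag, info in sorted(audit(parse_elff(SAMPLE_LOG)).items()):
        print(f"{tag}: {info['hits']} hit(s) from {', '.join(info['clients'])} "
              f"to {', '.join(info['hosts'])}")
```

To run it against a real log, read the file into `parse_elff` instead of `SAMPLE_LOG`; because the parser takes its column names from the `#Fields:` header, it works with whatever format you actually log, as long as x-virus-id is in it. The prefix check is what keeps a genuine virus name from showing up as a rule hit, which is also why the tag should start with something no antivirus engine would ever emit.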
Another NOTE: This is NOT meant to replace scouring the logs; it is merely an alternative way of finding things.