BlueCoat Proxy – Log Injection For Rule Tracking

Unfortunately BlueCoat doesn't have a nice log-tracking utility like Check Point's SmartView Tracker, so its rules have no numbers you can search for in the logs. You can work around this with a bit of log-injection smoke and mirrors: a few unused (or rarely used) access-log fields can be overridden by an action attached to a rule, so that whenever the rule matches, the log line carries a piece of text of your choosing.

BlueCoat Log injection for rule tracking

1. For the action, create a new "Combined Action Object".
2. Name the combo object after what it does (e.g. Tag-Allow-RuleNameXYZ).
3. Add the ordinary action (Allow, Deny, malware Deny, etc.) to the combo object.
4. Still inside the combo object, click New and create a new "Access Log Field Override Object".
5. Name the override object after what it does (e.g. log-tag-RuleDescription) and set:
   a. Log Name: NIC_Format
   b. Field Name: x-virus-id
   c. Rewrite Value to: filter-rule#

Here is what it looks like in VPM:
This specific one is combined with a force-deny for a malware object.

NOTE: Keep the tag as short as possible. Most log collectors (RSA enVision, for one) only keep a portion of a long log line, so an over-long string risks being truncated or not showing up in the logs at all. Also, the field you override has to be part of the log format you name (here NIC_Format), otherwise the tag never reaches the log; and since x-virus-id is normally filled in by the ICAP/antivirus response, lines matched by a tagged rule will carry your tag instead of any AV verdict.

Once the x-virus-id override is part of a combined action in the "Actions" column of the VPM, the tag is written only when the whole rule matches, so every tagged line is a confirmed hit on that rule. I normally use this for finding the needle in a haystack, e.g. during a policy audit of a network that is supposedly "no longer in use": if it is still in use, the tagged lines show it pretty quickly.
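As an added example (not code from the original post), here is the kind of search the tags are meant to enable: a small Python script that parses ELFF-style access-log lines by their #Fields header, ignores x-virus-id values that are not rule tags (a real AV verdict, or the "-" placeholder), and counts hits per tag and per client IP. The log lines, the field list and the Tag- prefix are constructed for the example; a real NIC_Format export will carry whatever fields that format defines.

```python
"""Count hits on tagged ProxySG rules in an ELFF-style access log.

Added example, not from the original page. It assumes the rules write
their tag into the x-virus-id field as described above and that the log
format includes that field. SAMPLE_LOG below is constructed, not real.
"""
import shlex
from collections import Counter, defaultdict

# Constructed sample: two tagged rules (a legacy-network allow and a malware
# deny), plus untagged lines and one genuine AV verdict in the same field.
SAMPLE_LOG = """\
#Software: SGOS
#Version: 1.0
#Fields: date time time-taken c-ip sc-status s-action cs-method cs-uri-scheme cs-host cs-uri-path x-virus-id
2012-03-14 10:15:01 120 10.20.30.40 200 TCP_HIT GET http www.example.com / -
2012-03-14 10:15:02 3 10.20.30.41 403 TCP_DENIED GET http bad.example.net /payload.exe Tag-Deny-Malware
2012-03-14 10:15:05 45 10.9.8.7 200 TCP_NC_MISS GET http legacy.example.org /app/ Tag-Allow-LegacyNet
2012-03-14 10:15:09 2 10.9.8.7 200 TCP_HIT GET http legacy.example.org /app/login Tag-Allow-LegacyNet
2012-03-14 10:15:11 60 10.20.30.42 200 TCP_NC_MISS GET http www.example.com /index.html -
2012-03-14 10:15:20 5 10.20.30.41 403 TCP_DENIED GET http bad.example.net /payload.exe "EICAR-Test-File"
"""

TAG_FIELD = "x-virus-id"
TAG_PREFIX = "Tag-"   # assumption: every override object writes a value with this prefix


def parse_elff(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        # ELFF quotes values that contain spaces; shlex handles the quoting.
        values = shlex.split(line)
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def rule_hits(text, prefix=TAG_PREFIX):
    """Return {tag: Counter(client_ip -> hits)} for lines carrying a rule tag.

    Values in x-virus-id that do not start with the prefix are skipped, so a
    genuine antivirus verdict is never mistaken for a rule hit.
    """
    hits = defaultdict(Counter)
    for rec in parse_elff(text):
        tag = rec.get(TAG_FIELD, "-")
        if tag.startswith(prefix):
            hits[tag][rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for tag, clients in sorted(rule_hits(SAMPLE_LOG).items()):
        print(f"{tag}: {sum(clients.values())} hit(s)")
        for ip, n in clients.most_common():
            print(f"    {ip:<16} {n}")
```

Run against a real export, the per-tag client list is the audit answer: if Tag-Allow-LegacyNet keeps accumulating distinct client IPs, the "retired" network is still being used.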

Another NOTE: this is NOT meant to replace scouring the logs; it is merely an alternative way of finding things.