NEXT proxy.squid


The logs generated by Bluecoat proxies are labeled with the proxy.bluecoat.product.type tag.

Tag structure

  • The element product is fixed and it refers to the Bluecoat product type. Currently it can only take the value proxysg.
  • The element type, is also fixed and identifies the type and format of the sent event. It takes the following value: proxysg.bluecoat.proxysg.main.

For more information on how tags work, check the Introduction to tags article.


Bluecoat ProxySG can report the logs to external servers by multiple methods: HTTP, FTP, Syslog, etc. The sending via syslog must be done by TCP. An In-house Relay will be used to label the logs and forward them to Devo.

In-house Relay configuration

First step is to install an In-house Relay for the correct tagging of the logs.

You should define two rules, as described below.

First rule

Is created to discard all the events coming to port (e.g. 13005) containing the character #. You must consider the following fields when creating the rule.

  • Source Port → 13005
  • Source Data → ^#.*
  • Check the following boxes:
    • Stop Processing (The relay doesn't create more rules if the actual is met)
    • Drop Event 

Second rule

Is created to label the rest of the events as proxy.bluecoat.proxysg.main. You must consider the following fields when creating the new rule.

  • Source Port → 13005
  • Target Tag → proxy.bluecoat.proxysg.main
  • Check the following box:
    • The log is sent without tag

Note that the rules order is important. Both rules operate on the same port and the first must always be evaluated before the second.

Bluecoat ProxySG configuration

Bluecoat exports the log in various formats: cifs, mapi, im, main, ncsa, p2p, SmartReporter, squid, ssl, streaming, SurfControl, smartfiter, websense, etc.

Currently, Devo only supports the format main.

Have we answered your question?

If not, please contact our technical support team via email by clicking the button below.



NEXT proxy.squid