Technical Tips: How to configure Epilog Client in FortiSIEM to integrate with BlueCoat WebProxy

kltam · ‎12-02-2021

Description

This article describes the further steps required in FortiSIEM Supervisor/Collector in order to integrate properly with BlueCoat web proxy.

Refer to the doc below for the basic configurations required:

Scope

FortiSIEM 5.4 and below

Solution

1) Log in to the supervisor or the collector node as root.

2) Set 'incoming_log_cfg=/opt/phoenix/cache/bluecoat' in 'phoenix_config.txt'.

> vi /opt/phoenix/config/phoenix_config.txt
incoming_log_cfg=/opt/phoenix/cache/bluecoat

3) Comment or remove the 'Output' setting under 'epilog.conf'.

> vi /etc/snare/epilog/epilog.conf
Output
# network=localhost:514 <----- Comment this.
# syslog=2 <----- Comment this.

4) Restart epilog and phParser, then wait for few minutes.

> /etc/init.d/epilogd restart
> killall -9 phParser

5) Change ownership or permission of '/<bluecoat IP>' folder to allow file process and deletion.

> cd /opt/phoenix/cache/bluecoat
> chown admin.admin x.x.x.x/
> chmod 777 x.x.x.x/

Whereby 'x.x.x.x' is the bluecoat's IP.

premchanderr · ‎06-07-2022

Hi,

Do note that Epilog Snare was earlier a free product and now it has to be purchased.

So by default you wouldn't be finding it on recent Linux Distributions.

Regards,

Prem Chander R