FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
kltam
Staff
Article Id 200114
Description

This article describes the additional steps required on the FortiSIEM Supervisor or Collector node so that it integrates properly with a BlueCoat web proxy.

Refer to the doc below for the basic configurations required:

https://docs.fortinet.com/document/fortisiem/5.4.0/external-systems-configuration-guide/662685/blue-...

Scope

FortiSIEM 5.4 and below

Solution

1) Log in to the Supervisor or Collector node as root.

2) Set 'incoming_log_cfg=/opt/phoenix/cache/bluecoat' in 'phoenix_config.txt'.

> vi /opt/phoenix/config/phoenix_config.txt
incoming_log_cfg=/opt/phoenix/cache/bluecoat


3) Comment out or remove the 'Output' settings in 'epilog.conf', so that epilog no longer forwards to syslog on port 514 and the collector reads the cached files instead.

> vi /etc/snare/epilog/epilog.conf
Output
# network=localhost:514 <----- Comment out this line.
# syslog=2 <----- Comment out this line.


4) Restart epilog and phParser, then wait a few minutes.


> /etc/init.d/epilogd restart
> killall -9 phParser


5) Change the ownership or permissions of the '/opt/phoenix/cache/bluecoat/<BlueCoat IP>' folder so that the files in it can be processed and deleted.


> cd /opt/phoenix/cache/bluecoat
> chown admin.admin x.x.x.x/
> chmod 777 x.x.x.x/


where 'x.x.x.x' is the BlueCoat's IP address.
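The following script is an added example and is not part of the KB article or of FortiSIEM itself. It applies the two file edits from steps 2 and 3 idempotently (so running it twice does not duplicate the key or double-comment the lines) and exposes check functions that report whether each edit has taken effect; the section-header matching for epilog.conf (a bare 'Output' line or a bracketed '[Output]' header) is an assumption about the file layout. Steps 1, 4 and 5 (root login, restarts, ownership of the per-IP cache folder) are left to the operator.

```shell
#!/bin/sh
# Added example (not the KB article's or FortiSIEM's own code): rehearse the
# phoenix_config.txt and epilog.conf edits on copies before touching the live node.

# Set or replace a key=value line in a phoenix_config.txt-style file (idempotent).
set_cfg_key() {
    _file=$1; _key=$2; _value=$3
    _tmp="${_file}.tmp.$$"
    if grep -q "^${_key}=" "$_file"; then
        sed "s|^${_key}=.*|${_key}=${_value}|" "$_file" > "$_tmp"
    else
        cp "$_file" "$_tmp"
        printf '%s=%s\n' "$_key" "$_value" >> "$_tmp"
    fi
    mv "$_tmp" "$_file"
}

# Print the current value of a key (empty if absent); used to verify step 2.
get_cfg_key() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# Comment out the network= and syslog= lines that sit under the Output section.
# Assumption: the section header is a bare "Output" line or "[Output]"; the
# section ends at the next bare-word or bracketed header line.
comment_epilog_output() {
    _file=$1
    _tmp="${_file}.tmp.$$"
    awk '
        /^\[?Output\]?[[:space:]]*$/               { in_out = 1; print; next }
        /^\[?[A-Za-z]+\]?[[:space:]]*$/            { in_out = 0 }
        in_out && /^[[:space:]]*(network|syslog)=/ { print "# " $0; next }
        { print }
    ' "$_file" > "$_tmp"
    mv "$_tmp" "$_file"
}

# Count still-active (uncommented) network=/syslog= lines in the Output section.
# 0 means step 3 is complete and epilog will not forward to localhost:514.
active_epilog_outputs() {
    awk '
        /^\[?Output\]?[[:space:]]*$/               { in_out = 1; next }
        /^\[?[A-Za-z]+\]?[[:space:]]*$/            { in_out = 0 }
        in_out && /^[[:space:]]*(network|syslog)=/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage: sh bluecoat_cfg.sh /opt/phoenix/config/phoenix_config.txt /etc/snare/epilog/epilog.conf
if [ "$#" -eq 2 ]; then
    set_cfg_key "$1" incoming_log_cfg /opt/phoenix/cache/bluecoat
    comment_epilog_output "$2"
    echo "incoming_log_cfg=$(get_cfg_key "$1" incoming_log_cfg)"
    echo "active epilog outputs remaining: $(active_epilog_outputs "$2")"
fi
```

Run it against copies of the two files first; when 'active epilog outputs remaining' prints 0 and 'incoming_log_cfg' prints the cache path, the same invocation can be repeated on the real paths before the restarts in step 4.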

Comments
premchanderr
Staff

Hi,

Do note that Epilog Snare was earlier a free product and now has to be purchased.

So by default you wouldn't find it on recent Linux distributions.

 

Regards,

Prem Chander R
