Technical Tips: How to configure Epilog Client in FortiSIEM to integrate with BlueCoat WebProxy

This article describes  the further steps required in FortiSIEM Supervisor/Collector in order to integrate properly with BlueCoat web proxy.

Refer to the doc below for the basic configurations required:

https://docs.fortinet.com/document/fortisiem/5.4.0/external-systems-configuration-guide/662685/blue-...

FortiSIEM 5.4 and below

1) Log in to the supervisor or the collector node as root.

2) Set 'incoming_log_cfg=/opt/phoenix/cache/bluecoat' in 'phoenix_config.txt'.

> vi /opt/phoenix/config/phoenix_config.txt
incoming_log_cfg=/opt/phoenix/cache/bluecoat

3) Comment or remove the 'Output' setting under 'epilog.conf'.

> vi /etc/snare/epilog/epilog.conf
Output
# network=localhost:514 <----- Comment this.
# syslog=2 <----- Comment this.

4) Restart epilog and phParser, then wait for few minutes.

> /etc/init.d/epilogd restart
> killall -9 phParser

5) Change ownership or permission of '/<bluecoat IP>' folder to allow file process and deletion.

> cd /opt/phoenix/cache/bluecoat
> chown admin.admin x.x.x.x/
> chmod 777 x.x.x.x/

Whereby 'x.x.x.x' is the bluecoat's IP.