Get Your Blue Coat Logs Using Wget for Windows

Examining logs is a job which system engineers do very often in their daily work. Blue Coat SWG has detailed access logs which can be used for troubleshooting proxy users' access to external resources. But the log view in the Blue Coat GUI is hard to use and not user-friendly enough for good analysis. Because of that, we can use the wget tool for acquiring and analyzing Blue Coat access logs. Here I will present the way I do that in my daily job.

First, it is good to know that you can acquire Blue Coat logs from the web management interface, hosted on the internal web server which is also used for management. You can view the logs in a refreshing HTML page. This is the link we use for viewing logs from our Blue Coat:

https://10.10.1.5:8082/Accesslog/tail-f/main

where 10.10.1.5 is the IP address of the Blue Coat management interface. If you open the link, you get a web page with logs refreshing in real time. But it is not very usable for log analysis, because you cannot easily scroll through a web page which has hundreds of log lines. It is more practical to save all those logs in a text file, where you can analyze them more easily. For that task we can use the wget tool, and here I will show you a way to do that.

The tool we will use to acquire logs from the Blue Coat appliance is wget, which is nothing more than a web client which can use HTTP methods (POST, GET, etc.) to obtain HTML pages from a web server. It can also save the content of pages to a text file, and this is the feature we will use to save Blue Coat access logs to a file.

So, the first step is to install the wget tool on our machine. There are many pages on the net where you can find wget for Windows; at the time of writing this article I found this one. Once you have downloaded the wget folder to your computer, you can use it. Wget is used from the Windows command prompt, so to use it as a command you have to change to the folder where wget.exe is located and run the wget command, for example:

[Picture 1]

If you want to use the wget command from any folder, you should add the path to wget.exe to the Path environment variable in your Windows installation. To do that, go to Control Panel->System->Advanced System Settings->Advanced->Environment Variables and in the Path system variable enter your wget.exe folder, as presented in the picture:

[Picture 2]

Now we can get our Blue Coat logs from the appliance. To do that, execute the next wget command at the command prompt:

E:\wget>wget --http-user=username --http-passwd=OurPass --no-check-certificate https://10.10.1.5:8082/Accesslog/tail-f/main -q -O FileName

where:

  • username and OurPass are credentials for the Blue Coat web console
  • FileName is the file where we will save access logs
  • --no-check-certificate tells wget not to validate the TLS certificate presented by the management interface

When the command is executed, log acquisition starts and our file (FileName) is populated with Blue Coat access logs in real time. To stop acquiring logs, stop the command. Once we have acquired our logs, we can analyze them from the file. The file content looks like the next picture:

[Picture 3]

I recommend using Notepad++ for opening the log file because it has the best text presentation performance.

In the file we created in the described way we can find logs from all users and IP addresses which tried to access the internet during the time interval in which we were acquiring logs. But what if we want to analyze just one IP address? In that case we can use the wget tool together with a grep tool for Windows. To do that, we should install grep for Windows in the same way as wget (to use grep in the wget command line, we have to add the path to the grep folder to the Path environment variable in the way described above). When we have grep installed, we can use this command:

E:\wget>wget -qO- --http-user=username --http-passwd=OurPass --no-check-certificate https://10.10.1.5:8082/Accesslog/tail-f/main | grep.exe -i 10.0.1.177 > FileName

Where:

  • 10.0.1.177 is the IP address we are interested in
  • username and OurPass are credentials for the Blue Coat web console
  • FileName is the file where we will save access logs

After executing the above command we have logs only for the IP address we are interested in:

[Picture 4]
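
The grep filter above treats the dots in 10.0.1.177 as wildcards and also matches the address inside a longer string, so lines belonging to other hosts can end up in the file. The following Python filter is an added example, not part of the original article: the script name filter_ip.py and the sample log lines are assumptions constructed for illustration, and it matches the address in any field because the log field layout is not described here.

```python
import ipaddress
import re
import sys

# Constructed sample lines; the field layout is illustrative, not real Blue Coat output.
SAMPLE = [
    "2015-03-02 10:15:01 10.0.1.177 GET http://example.com/ 200",
    "2015-03-02 10:15:02 110.0.1.177 GET http://example.org/ 200",
    "2015-03-02 10:15:03 10.0.1.20 GET http://example.net/app-10.0.1/177.js 200",
    "2015-03-02 10:15:04 10.0.1.177 CONNECT tcp://example.com:443/ 200",
]


def grep_like(lines, ip_text):
    """What `grep -i 10.0.1.177` does: dots are wildcards, no boundaries."""
    return [ln for ln in lines if re.search(ip_text, ln, re.IGNORECASE)]


def ip_matcher(ip_text):
    """Return a predicate that is true only for lines containing exactly this IPv4 address."""
    ip = str(ipaddress.IPv4Address(ip_text))  # ValueError on a malformed address
    # Literal dots, and no digit or dot glued to either side of the address.
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\d)(?!\.\d)")
    return lambda line: pattern.search(line) is not None


def filter_lines(lines, ip_text):
    """Keep only the lines that mention exactly the given address."""
    match = ip_matcher(ip_text)
    return [ln for ln in lines if match(ln)]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: filter_ip.py IPV4_ADDRESS < log\n")
        return 2
    match = ip_matcher(argv[1])
    for line in sys.stdin:  # stdin is the wget -qO- stream or a saved log file
        if match(line):
            sys.stdout.write(line)
            sys.stdout.flush()  # keep the output file growing in real time
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as filter_ip.py, it can take the place of grep.exe in the pipeline above, for example: ... | python filter_ip.py 10.0.1.177 > FileName.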

In this article I presented one way you can analyze your Blue Coat logs. Personally, I think that Blue Coat is a very powerful secure web gateway product, so it is very good to have good knowledge about it. So I tried here to make my contribution by describing part of its logging feature.
