[rsyslog-notify] Forum Thread: Re: BlueCoat SG and Rsyslog - (Mode 'reply')
noreply at adiscon.com
Thu Dec 31 20:50:57 CET 2015
User: jefair2
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26263#p26263
Message:
----------
Here is a sample of the logs. I don't know how often it "refreshes" the log
file such that BlueCoat re-pushes the file headers. But to answer your
question, yes, it is a network socket transmission. What is missing from the
information below is the "carriage return" and "line feed" control
characters, but that is how it shows up at the end of each line. Note this
was taken straight off a packet capture from TCPDump; the only thing
removed from this is the Ethernet frame up through the TCP frame (with its
SYN/ACK/etc. information).

That being said, what you get from the TCP frame is that it looks to be
sending them in data chunks of 1360 regardless of where that actually cuts
off. As an example, the end of the first packet cuts off on the below
line 8, character 338, and the second packet (after the TCP headers) starts
right at line 8, character 339 and resumes. What you see below is actually 1
full packet and then a partial second packet. Occasionally it looks like it
would get an "extra large" packet that would break into two packets, so you
would see the first packet show as the standard length of 1360, followed by
a [PSH, ACK] packet of varying size. On some additional occasions (much
more rare) it would send a 3rd packet in sequence that was also a [PSH, ACK],
so you would have 2 packets of 1360 and then 1 packet of varying size. What
causes these two situations is unclear, but it must be something with the
way that BlueCoat is dumping their data.
[code]
#Software: SGOS 6.5.8.1
#Version: 1.0
#Start-Date: 2015-12-31 19:20:58
#Date: 2015-12-10 16:07:58
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id x-bluecoat-application-name x-bluecoat-application-operation
#Remark: 1411140008 "PSR5141SG - Blue Coat SG9000 Series" "192.168.1.1" "Splunk2"
2015-12-31 19:20:58 90 192.168.22.124 user001 - - OBSERVED "Shopping" http://www.amazon.com/JETech%C2%AE-Slim-Fit-Samsung-Galaxy-Feature/dp/B01706OJA8/ref=sr_1_43?s=wireless&ie=UTF8&qid=1451589616&sr=1-43&keywords=galaxy+tab+s2+cases&refinements=p_85%3A2470955011 200 TCP_MISS GET image/jpeg http ecx.images-amazon.com 80 /images/I/71PNpyU91LL._SY128_.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" 192.168.1.1 3782 529 - "Amazon" "none"
2015-12-31 19:20:58 94 192.168.22.124 user001 - - OBSERVED "Shopping" http://www.amazon.com/JETech%C2%AE-Slim-Fit-Samsung-Galaxy-Feature/dp/B01706OJA8/ref=sr_1_43?s=wireless&ie=UTF8&qid=1451589616&sr=1-43&keywords=galaxy+tab+s2+cases&refinements=p_85%3A2470955011 200 TCP_MISS GET image/jpeg http ecx.images-amazon.com 80 /images/I/81lFHbc%2BuJL._SY128_.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" 192.168.1.1 7985 531 - "Amazon" "none"
2015-12-31 19:20:58 111 192.168.22.124 user001 - - OBSERVED "Shopping" http://www.amazon.com/JETech%C2%AE-Slim-Fit-Samsung-Galaxy-Feature/dp/B01706OJA8/ref=sr_1_43?s=wireless&ie=UTF8&qid=1451589616&sr=1-43&keywords=galaxy+tab+s2+cases&refinements=p_85%3A2470955011 200 TCP_MISS GET image/jpeg http ecx.images-amazon.com 80 /images/I/81yWNBlXj8L._SY128_.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" 192.168.1.1 7397 529 - "Amazon" "none"
2015-12-31 19:20:58 113 192.168.22.124 user001 - - OBSERVED "Shopping" http://www.amazon.com/JETech%C2%AE-Slim-Fit-Samsung-Galaxy-Feature/dp/B01706OJA8/ref=sr_1_43?s=wireless&ie=UTF8&qid=1451589616&sr=1-43&keywords=galaxy+tab+s2+cases&refinements=p_85%3A2470955011 200 TCP_MISS GET image/jpeg http ecx.images-amazon.com 80 /images/I/71hOXyLOXIL._SY128_.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0" 192.168.1.1 5721 529 - "Amazon" "none"
[/code]
Let me know if I can provide anything further.
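The receiving side of what the post describes, as an added example in Python that is not code from the post, from rsyslog or from Blue Coat: the proxy pushes its W3C ELF access log over a TCP socket in fixed-size segments that cut records at arbitrary byte offsets, and re-sends the '#' header block from time to time. The collector therefore has to buffer segments, split on CRLF, re-read each #Fields line so the column mapping follows the stream, and hold a cut record until the rest arrives. The sample stream, hostnames, addresses and byte counts are constructed; only the header layout and the 27-column field list mirror the post.

```python
"""Reassemble CRLF-delimited W3C ELF log records from TCP segments.

Added example, not code from the forum post, rsyslog or Blue Coat. Models the
post's situation: the proxy pushes its log over TCP in fixed-size segments that
cut records at arbitrary offsets and re-sends the '#' header block at times.
"""
from typing import Dict, List, Optional

# Constructed sample: header layout and field list follow the post; the
# records, hosts and addresses are made up for this example.
FIELDS_HEADER = (
    "#Fields: date time time-taken c-ip cs-username cs-auth-group "
    "x-exception-id sc-filter-result cs-categories cs(Referer) sc-status "
    "s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port "
    "cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes "
    "cs-bytes x-virus-id x-bluecoat-application-name "
    "x-bluecoat-application-operation"
)
REC = (
    '2015-12-31 19:20:58 {ms} 192.0.2.10 user001 - - OBSERVED "Shopping" '
    "http://shop.example.net/item?id=1 200 TCP_MISS GET image/jpeg http "
    'img.example.net 80 /i/{img}.jpg - jpg "Mozilla/5.0 (Windows NT 6.1; WOW64)" '
    '192.0.2.1 {sc} 529 - "Example Shop" "none"'
)
SAMPLE_LINES = [
    "#Software: SGOS 6.5.8.1", "#Version: 1.0", "#Start-Date: 2015-12-31 19:20:58",
    FIELDS_HEADER, '#Remark: 0000000000 "EXAMPLE-SG" "192.0.2.1" "collector"',
    REC.format(ms=90, img="a", sc=3782), REC.format(ms=94, img="b", sc=7985),
    FIELDS_HEADER,                        # header block re-pushed mid-stream
    REC.format(ms=111, img="c", sc=7397),
    "2015-12-31 19:20:59 truncated",      # too few columns: must not crash us
]
SAMPLE_STREAM = ("\r\n".join(SAMPLE_LINES) + "\r\n").encode("utf-8")


def split_fields(line: str) -> List[str]:
    """Split on spaces; double-quoted values (categories, User-Agent) may
    contain spaces and their quotes are stripped."""
    out, cur, in_token, quoted = [], [], False, False
    for ch in line:
        if ch == '"':
            quoted, in_token = not quoted, True
        elif ch == " " and not quoted:
            if in_token:
                out.append("".join(cur))
                cur, in_token = [], False
        else:
            cur.append(ch)
            in_token = True
    if in_token:
        out.append("".join(cur))
    return out


class ElfStreamReassembler:
    """Buffers socket chunks; parses one record per complete CRLF line."""
    def __init__(self) -> None:
        self._buf = b""
        self.fields: Optional[List[str]] = None   # from the latest #Fields line
        self.headers: Dict[str, str] = {}
        self.records: List[Dict[str, str]] = []
        self.malformed: List[str] = []

    def feed(self, chunk: bytes) -> List[Dict[str, str]]:
        """Consume one TCP segment; return the records it completed."""
        self._buf += chunk
        new: List[Dict[str, str]] = []
        while (nl := self._buf.find(b"\n")) >= 0:
            raw, self._buf = self._buf[:nl], self._buf[nl + 1:]
            rec = self._line(raw.rstrip(b"\r").decode("utf-8", "replace"))
            if rec is not None:
                new.append(rec)
        self.records.extend(new)
        return new

    def pending(self) -> bytes:           # a cut record waiting for its CRLF
        return self._buf

    def _line(self, line: str) -> Optional[Dict[str, str]]:
        if not line:
            return None
        if line.startswith("#"):          # directive; #Fields sets column names
            name, _, value = line[1:].partition(":")
            if name == "Fields":
                self.fields = value.split()
            else:
                self.headers[name] = value.strip()
            return None
        values = split_fields(line)
        if self.fields is None or len(values) != len(self.fields):
            self.malformed.append(line)   # keep it; never guess a column mapping
            return None
        return dict(zip(self.fields, values))


def reassemble(payload: bytes, segment_size: int) -> ElfStreamReassembler:
    """Feed payload in fixed-size segments, as the proxy's TCP push does."""
    r = ElfStreamReassembler()
    for off in range(0, len(payload), segment_size):
        r.feed(payload[off:off + segment_size])
    return r
```

Feeding the same stream in 1360-byte, 100-byte or 7-byte segments yields identical records, which is the property a collector needs when the sender's segment size is unrelated to record boundaries. Two deliberate choices: a record that arrives before any #Fields header, or with the wrong column count, is kept in `malformed` rather than mapped by guesswork, and a record cut at a segment boundary stays in `pending()` until its CRLF arrives instead of being emitted as two bogus entries.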
More information about the rsyslog-notify
mailing list