[rsyslog-notify] Forum Thread: Re: BlueCoat SG and Rsyslog - (Mode 'reply')
noreply at adiscon.com
Thu Dec 31 21:04:55 CET 2015
User: jefair2
Forumlink: http://kb.monitorware.com/viewtopic.php?p=26264#p26264
Message:
----------
FYI here is the Gartner Magic Quadrant on Secure Web Gateways, since you
hadn't heard of BlueCoat before. I don't have the 2015 one off hand, but it
looks basically the same in the leader category (Intel's product has fallen
off and so has Cisco's, but I think the other three are in around the same
placings).
(image) https://www.zscaler.com/images/gartner-2014-mq-graph.jpg
I guess the point on this is that it should be popular enough that someone
has had to deal with this before and finally gotten it working correctly
(or I guess they could have given up and tried to go a different route?)
As for other sources that read "syslog" type traffic straight from the
wire, the only product I can speak for is Splunk, and best I can tell
anything you feed it through its "TCP/UDP" monitoring just takes the raw
packets and sticks them in a log. It is then up to you (the user) to write
the regex/parsing necessary to translate those logs appropriately.
Conveniently though, any of the major products coming in over syslog has
the regex data prebuilt so you don't have to figure it out yourself.

If there was essentially an option in Rsyslog to just take the incoming data
and direct it to a file without doing anything to it, then that would be
most ideal. If this is not going to be possible with Rsyslog, any other
software suggestions would be appreciated. I just can't feed it directly
into Splunk, as that causes issues: any time I have to restart Splunk I lose
logs (and a service restart can take a number of minutes to happen).
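An added example (editor's illustration, not code from the poster or from rsyslog's shipped configuration): an rsyslog ruleset that writes every message received from the proxy to its own file verbatim, using the `rawmsg` property, so no header parsing is applied and nothing is lost to a parser that chokes on the vendor format. The port, the file path and the `bluecoat-raw` ruleset name are assumptions.

```rsyslog
# Added example: store BlueCoat syslog lines exactly as received.
# Listener modules for UDP and TCP syslog.
module(load="imudp")
module(load="imtcp")

# %rawmsg% is the message as it arrived on the wire, before any
# header parsing; the trailing \n restores the line break.
template(name="RawLine" type="string" string="%rawmsg%\n")

# Dedicated ruleset so proxy traffic never mixes with local syslog.
# The output path is an assumed value.
ruleset(name="bluecoat-raw") {
    action(type="omfile" file="/var/log/bluecoat/raw.log" template="RawLine")
}

# Bind the listeners to that ruleset. Port 10514 is an assumption;
# use whatever port the proxy is configured to send to.
input(type="imudp" port="10514" ruleset="bluecoat-raw")
input(type="imtcp" port="10514" ruleset="bluecoat-raw")
```

Splunk can then pick the file up with an ordinary file monitor, so a Splunk restart no longer drops data that rsyslog has already written to disk.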