We have a requirement to integrate Bluecoat Reporter with McAfee SIEM. We have created the ASP parser for the traffic logs and we are able to successfully parse the events except for certain fields which we are not able to map.
In this scenario the customer is expecting the following reports to start with:
1. Top 20 users by bandwidth usage
2. Top ten sites by total bytes
3. Bandwidth usage per day
Now the catch with Bluecoat logs is that the bytes field is broken into sc-bytes and cs-bytes. The sum of these two fields will give us the total bandwidth. Sample attached in screenshot 1.
My challenge here is:
1. Can I create custom fields for sc-bytes & cs-bytes?
2. How to define the SUM of sc-bytes & cs-bytes to calculate the TOTAL BYTES?
3. How to define the TOTAL BYTES field?
If required I can share the ASP parser that I had created.
In answer to your questions:
1. Yes, you can create custom fields for those at ESM > Properties > Custom Types.
2. Currently there is not a way to do logic or math on captured fields. That would be a very useful feature, so please submit a PER at https://mcafee.acceptondemand.com/index.jsp
3. As there is no math ability that is difficult to do. Maybe you could use an expression to at least put the 2 values into a field and then you could add them manually?
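Since the SIEM cannot add sc-bytes and cs-bytes itself, one workaround is to compute TOTAL BYTES before the events reach it. The following is an added example, not code from this thread or from McAfee: it parses a constructed Blue Coat ELFF (W3C) access log with a `#Fields:` header, sums sc-bytes and cs-bytes per event, and produces the three reports asked for above (the column set in the sample header is an assumption; real logs carry many more fields, but the parser keys on the header names so it does not matter).

```python
from collections import defaultdict

# Constructed sample in Blue Coat ELFF (W3C) layout: a "#Fields:" header names the
# columns; bytes are split into sc-bytes (server->client) and cs-bytes (client->server).
SAMPLE_LOG = """#Software: SGOS
#Fields: date time c-ip cs-username cs-host sc-bytes cs-bytes
2015-03-01 09:00:01 10.0.0.5 alice www.example.com 120000 800
2015-03-01 09:05:12 10.0.0.6 bob cdn.example.net 50000 400
2015-03-01 10:10:00 10.0.0.5 alice cdn.example.net 30000 200
2015-03-02 08:30:45 10.0.0.7 carol www.example.com 10000 -
"""

def parse_elff(text):
    """Yield one dict per log line, keyed by the names from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) and blank lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header yet, or a column mismatch: skip rather than misalign
        yield dict(zip(fields, values))

def _bytes(value):
    # Blue Coat writes "-" when a value is unavailable; count it as zero.
    return int(value) if value.isdigit() else 0

def total_bytes(rec):
    """TOTAL BYTES = sc-bytes + cs-bytes, computed here instead of in the SIEM."""
    return _bytes(rec["sc-bytes"]) + _bytes(rec["cs-bytes"])

def sum_by(records, key):
    """Aggregate total bytes by one field, highest first."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += total_bytes(rec)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def top_users(text, n=20):
    return sum_by(parse_elff(text), "cs-username")[:n]

def top_sites(text, n=10):
    return sum_by(parse_elff(text), "cs-host")[:n]

def bandwidth_per_day(text):
    return sorted(sum_by(parse_elff(text), "date"))  # chronological order
```

The same loop can emit each event with a precomputed total-bytes column, so the ESM parser captures one ready-made field instead of two that it cannot add.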