Stealthwatch Proxy Log Error

scvvuuren
Level 1

Good Day

I recently enabled syslogs from a bluecoat proxy into Stealthwatch.

I can see some URL data for users so on the surface it does seem good.

I did notice in the log file though some errors.

FC01:~# tail -f /lancope/var/sw-flow-proxyparser/logs/syslogprocessor.log
2020-11-02 10:41:19,954 INFO pool-2-thread-1 com.lancope.sws.syslogprocess.Metrics - Listeners: c:645078 rate:122.13 rate1:192.03 rate5:142.146 rate15:123.941
2020-11-02 10:41:19,955 INFO pool-2-thread-1 com.lancope.sws.syslogprocess.Metrics - Handlers: c:645078 min:.001 max:.044 mean:.003
2020-11-02 10:41:19,955 INFO pool-2-thread-1 com.lancope.sws.syslogprocess.Metrics - Emitters: c:644405
2020-11-02 10:41:57,073 ERROR pool-1-thread-1 com.lancope.sws.syslogprocess.handlers.Proxy - Parse error: Error: line 11: String contents mismatch
2020-11-02 10:42:19,955 INFO pool-2-thread-1 com.lancope.sws.syslogprocess.Metrics - Listeners: c:655347 rate:122.68 rate1:183.028 rate5:148.184 rate15:127.241
2020-11-02 10:42:19,956 INFO pool-2-thread-1 com.lancope.sws.syslogprocess.Metrics - Handlers: c:655347 min:.001 max:.044 mean:.003
2020-11-02 10:42:19,956 INFO pool-2-thread-1 com.lancope.sws.syslogprocess.Metrics - Emitters: c:654673
2020-11-02 10:42:47,176 ERROR pool-1-thread-1 com.lancope.sws.syslogprocess.handlers.Proxy - Parse error: Error: line 11: String contents mismatch
2020-11-02 10:42:47,176 ERROR pool-1-thread-1 com.lancope.sws.syslogprocess.handlers.Proxy - Parse error: Error: line 11: String contents mismatch

When I do a packet capture I can see the logs coming in. I am making the assumption that "line 11" in the error translates to the 11th field in the log, which is the user field. Not all proxy connections require user authentication.

1604307455.660 0 172.X.Y.Z 62327 13.35.Y.Z 443 W.X.Y.Z 8080 815 5015 DOMAIN\user url.com tcp://url.com:443/
1604307455.660 0 10.X.Y.Z 53688 104.16.Y.Z 443 W.X.Y.Z 8080 549 221 - url.com tcp://url.com:443/
1604307455.661 0 172.X.Y.Z 59714 172.67.Y.Z 443 W.X.Y.Z 8080 1442 634 DOMAIN\user images.url.com tcp://images.url.com:443/
1604307455.662 0 10.X.Y.Z 53689 104.16.Y.Z 443 W.X.Y.Z 8080 221 528 - url.com tcp://url.com:443/
1604307455.663 88 172.X.Y.Z 54392 2.17.Y.Z 443 W.X.Y.Z 8080 5345 6583 - url.com tcp://url.com:443/

My question here really is, firstly, whether my assumption is correct, and then what the implications of these errors are. Is it more of a notification, or will the system not store that log record because it expects user information?

1 Reply

bmcinnis
Cisco Employee

Your assumption is correct. The "-" character in the 11th field of the syslog is causing this error. It appears to be sent when no username is provided. You should still see an associated proxy log entry for this flow record in the WebUI.

If you do not or experience any other issues with this proxy ingest please reach out to the Stealthwatch TAC.
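As an added illustration of the point made in the question and confirmed in the reply (not code from the original thread, and not Stealthwatch's own parser), the example below parses lines in the 13-field layout shown above in two modes. The strict parser rejects any record whose 11th field is not a DOMAIN\user token, which reproduces the "line 11: String contents mismatch" failure for the "-" placeholder; the lenient parser records those flows with no user attached, so the flow is still stored and unauthenticated clients stay visible. Field names other than "user" in position 11 are an assumption based on the sample lines, and the log records are constructed with RFC 5737 test addresses, not the original's IPs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample records in the 13-field layout of the post (RFC 5737
# test addresses). Records 2, 4 and 5 carry '-' in the user field.
SAMPLE_LINES = [
    r"1604307455.660 0 192.0.2.10 62327 198.51.100.5 443 203.0.113.1 8080 815 5015 CORP\alice www.example.com tcp://www.example.com:443/",
    r"1604307455.660 0 192.0.2.11 53688 198.51.100.6 443 203.0.113.1 8080 549 221 - www.example.com tcp://www.example.com:443/",
    r"1604307455.661 0 192.0.2.10 59714 198.51.100.7 443 203.0.113.1 8080 1442 634 CORP\alice images.example.com tcp://images.example.com:443/",
    r"1604307455.662 0 192.0.2.11 53689 198.51.100.6 443 203.0.113.1 8080 221 528 - www.example.com tcp://www.example.com:443/",
    r"1604307455.663 88 192.0.2.12 54392 198.51.100.8 443 203.0.113.1 8080 5345 6583 - www.example.com tcp://www.example.com:443/",
]

FIELD_COUNT = 13
USER_FIELD_INDEX = 10  # 0-based index of the 11th field (confirmed in the reply)

# Assumed shape of an authenticated user token: DOMAIN\user
STRICT_USER_RE = re.compile(r"^[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+$")


class ParseError(ValueError):
    pass


@dataclass
class ProxyFlow:
    # Field names other than 'user' are assumptions from the sample layout.
    timestamp: float
    duration: int
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proxy_ip: str
    proxy_port: int
    bytes_a: int
    bytes_b: int
    user: Optional[str]  # None when field 11 is '-'
    host: str
    url: str


def _split(line: str) -> List[str]:
    fields = line.split()
    if len(fields) != FIELD_COUNT:
        raise ParseError(f"expected {FIELD_COUNT} fields, got {len(fields)}")
    return fields


def _build(f: List[str], user: Optional[str]) -> ProxyFlow:
    return ProxyFlow(
        timestamp=float(f[0]), duration=int(f[1]),
        client_ip=f[2], client_port=int(f[3]),
        server_ip=f[4], server_port=int(f[5]),
        proxy_ip=f[6], proxy_port=int(f[7]),
        bytes_a=int(f[8]), bytes_b=int(f[9]),
        user=user, host=f[11], url=f[12],
    )


def parse_strict(line: str) -> ProxyFlow:
    """Reject any record whose 11th field is not DOMAIN\\user.
    This reproduces the failure mode in the post: '-' is a content mismatch."""
    f = _split(line)
    if not STRICT_USER_RE.match(f[USER_FIELD_INDEX]):
        raise ParseError(f"line {USER_FIELD_INDEX + 1}: String contents mismatch")
    return _build(f, f[USER_FIELD_INDEX])


def parse_lenient(line: str) -> ProxyFlow:
    """Accept '-' as 'no authenticated user' and keep the flow with user=None.
    Anything else that is neither '-' nor DOMAIN\\user is still an error."""
    f = _split(line)
    raw_user = f[USER_FIELD_INDEX]
    if raw_user == "-":
        return _build(f, None)
    if not STRICT_USER_RE.match(raw_user):
        raise ParseError(f"line {USER_FIELD_INDEX + 1}: String contents mismatch")
    return _build(f, raw_user)


def ingest(lines: List[str], strict: bool = False) -> Tuple[List[ProxyFlow], List[str]]:
    """Parse every record, collecting flows and per-record error messages
    instead of aborting on the first bad line."""
    parser = parse_strict if strict else parse_lenient
    flows: List[ProxyFlow] = []
    errors: List[str] = []
    for n, line in enumerate(lines, 1):
        try:
            flows.append(parser(line))
        except ParseError as e:
            errors.append(f"record {n}: {e}")
    return flows, errors


def unauthenticated_clients(flows: List[ProxyFlow]) -> Dict[str, int]:
    """Count flows with no user per client IP, so gaps in proxy authentication
    coverage are reported rather than silently dropped."""
    counts: Dict[str, int] = {}
    for fl in flows:
        if fl.user is None:
            counts[fl.client_ip] = counts.get(fl.client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    strict_flows, strict_errors = ingest(SAMPLE_LINES, strict=True)
    print(f"strict: {len(strict_flows)} flows, {len(strict_errors)} errors")
    for err in strict_errors:
        print("  ", err)
    flows, errors = ingest(SAMPLE_LINES)
    print(f"lenient: {len(flows)} flows, {len(errors)} errors")
    print("unauthenticated flows per client:", unauthenticated_clients(flows))
```

Run against the constructed records, strict mode keeps only the two authenticated flows and reports three mismatches on field 11, while lenient mode keeps all five and attributes three of them to clients with no user. Whichever mode a collector uses, the check a practitioner wants is the same one the reply suggests: confirm in the WebUI that the flows with "-" still have a proxy log entry, and treat a sustained mismatch rate as a coverage gap to investigate, not just log noise.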