Proxy server data is web data generated by a proxy server, which is often hosted on a multi-purpose network security appliance. A network proxy is a software service or appliance that relays traffic between a client and its destination. In many deployments a primary purpose of the proxy is to hide internal IP addresses and user identity from the public internet; this limits what an outside observer can learn about the network, but it is not an access control and should not be relied on as one. A proxy can also act much like a firewall by filtering or redirecting network activity that falls outside the acceptable use policy.
Data visibility
Proxy logs support many security use cases, including threat hunting, malware and virus detection, and insider threat detection.
Data application
When your Splunk deployment is ingesting proxy data, you can use the data to achieve objectives related to the following use cases:
High-value fields
In the Common Information Model (CIM), proxy server data is typically mapped to the Web data model. This data model has many available fields, but users typically derive the most value from the fields listed here.
action
Action taken by the server or proxy, typically allowed or blocked.
dest
Destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.
response_time
Amount of time it took to receive a response to the proxy request. This page gives the unit as seconds; check the add-on for your source, because some proxies (Squid, for example) log this value in milliseconds natively.
src
Source of the network traffic (the client that made the request). You can alias this from more specific fields, such as src_host, src_ip, or src_name.
status
HTTP response code that indicates the status of the proxy request.
uri_path
Path of the resource served by the web server or proxy.
uri_query
Query string of the resource requested by the client (the portion of the URI after the ?).
url
URL of the requested HTTP resource.
url_length
Length of the URL.
user
User that requested the HTTP resource.
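The listing above names the fields but not how a raw proxy line becomes a CIM Web event. The following added example (not code from Splunk or from any add-on) parses Squid native access.log lines and maps them onto the high-value fields above. The sample log lines are constructed for this example, and the mapping of Squid's result codes to action (anything containing DENIED becomes blocked, everything else allowed) is an assumption made here rather than the documented behavior of the Splunk Add-on for Squid. Squid logs elapsed time in milliseconds; the example converts it to seconds to match the unit stated on this page.

```python
"""Map Squid native access.log lines onto CIM Web data model fields (illustrative)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native format (squid.conf "logformat squid"):
#   timestamp elapsed_ms client squid_status/http_status bytes method url user hierarchy/peer content_type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<squid_status>[A-Z_]+)/(?P<http_status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<content_type>\S+)\s*$"
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
1705312345.123    245 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.com/search?q=splunk alice HIER_DIRECT/93.184.216.34 text/html
1705312346.456      1 10.0.0.7 TCP_DENIED/403 3520 CONNECT blocked.example.net:443 - HIER_NONE/- text/html
1705312347.789     87 10.0.0.5 TCP_TUNNEL/200 6210 CONNECT login.example.org:443 alice HIER_DIRECT/203.0.113.10 -
"""


def squid_action(squid_status: str) -> str:
    """CIM Web 'action' is allowed or blocked. Assumption: Squid marks a block as *_DENIED."""
    return "blocked" if "DENIED" in squid_status else "allowed"


def split_url(method: str, url: str):
    """Return (dest, dest_port, uri_path, uri_query) for the request URL.

    CONNECT requests log only host:port, so they are split by hand rather than
    handed to urlsplit, which would misread the host as a URL scheme.
    """
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, (int(port) if port.isdigit() else None), "", ""
    parts = urlsplit(url)
    return parts.hostname, parts.port, parts.path, parts.query


def to_cim_web(line: str) -> dict:
    """Parse one Squid access.log line into a dict keyed by CIM Web field names."""
    m = SQUID_LINE.match(line)
    if not m:
        raise ValueError(f"not a Squid native access.log line: {line!r}")
    f = m.groupdict()
    dest, dest_port, uri_path, uri_query = split_url(f["method"], f["url"])
    return {
        "action": squid_action(f["squid_status"]),
        "dest": dest,
        "dest_port": dest_port,
        "response_time": int(f["elapsed_ms"]) / 1000,  # Squid logs ms; page states seconds
        "src": f["client"],
        "status": int(f["http_status"]),
        "uri_path": uri_path,
        "uri_query": uri_query,
        "url": f["url"],
        "url_length": len(f["url"]),
        "user": None if f["user"] == "-" else f["user"],  # Squid writes "-" for no user
        "http_method": f["method"],
        "bytes": int(f["bytes"]),
    }


def parse_log(text: str) -> list:
    """Parse every non-blank line of an access.log excerpt."""
    return [to_cim_web(line) for line in text.splitlines() if line.strip()]


def blocked_by_src(events: list) -> Counter:
    """Count blocked requests per source, the shape of a simple hunting query."""
    return Counter(e["src"] for e in events if e["action"] == "blocked")


SAMPLE_EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event)
    print("blocked requests by src:", dict(blocked_by_src(SAMPLE_EVENTS)))
```

The point of normalizing to CIM field names is that a search such as action=blocked grouped by src or user works the same whether the events came from Squid or from a ProxySG appliance; the per-source mapping (here, the DENIED check and the millisecond conversion) is the part that differs by vendor.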
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
Data Source | Sourcetype | Recommended Add-ons
Squid Proxy | sourcetype="squid:access" |
Symantec (Blue Coat ProxySG) | sourcetype="bluecoat:proxysg:access:syslog", sourcetype="bluecoat:proxysg:access:file", sourcetype="bluecoat:proxysg:access:kv" |