Skip to main content

Proxy data

  • Updated

Proxy server data is a type of web data that is generated by a proxy server often hosted on a multi-purpose network security appliance. A network proxy is a software service or appliance device that relays traffic from the origin to the destination. In many implementations of a proxy, a primary purpose of this technology is to mask intranet IP and user information from the public internet, providing a layer of security through obscurity. Proxy technology can also be used similar to a firewall by serving as a filter or redirect for some network activity that falls outside of standard acceptable use. 

Data visibility 

Proxy logs are beneficial in many security use cases, not the least of which include threat hunting, malware and virus detection, and insider threat detection.

Data application

When your Splunk deployment is ingesting proxy data, you can use the data to achieve objectives related to the following use cases:

High-value fields

In the Common Information Model, proxy server data is typically mapped to the Web Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.

action

Action taken by the server or proxy.

dest

Destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name.

response_time

Amount of time, in seconds, it took to receive a response in the authentication event.

src

Source involved in the authentication. In the case of endpoint protection authentication, the source is the client.

status

HTTP response code that indicates the status of the proxy request.

uri_path

Path of the resource served by the web server or proxy.

uri_query

[ath of the resource requested by the client.

url

URL of the requested HTTP resource.

url_length

Length of the URL.

user

User that requested the HTTP resource.

Known data sources and source types

Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.

Data Source

Sourcetype

Recommend Add-Ons

Squid Proxy

sourcetype=”squid:access'

Splunk Add-on for Squid Proxy

Symantec

sourcetype="bluecoat:proxysg:access:syslog"

sourcetype="bluecoat:proxysg:access:file"

sourcetype="bluecoat:proxysg:access:kv"

Splunk Add-on for Symantec Blue Coat ProxySG

 

Related articles

Comments

0 comments

Article is closed for comments.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.