bluecoat-proxy.conf

input {
  file {
    type => "bluecoat-proxy"
    start_position => "beginning"
    path => "/Bluecoat/*.log"
  }
}
filter {
  if ([message] =~ /^#/) {
    drop { }
    }
  if [type] == "bluecoat-proxy" {
    csv {
      columns => ["date","time","time-taken","c-ip","sc-status","s-action","sc-bytes","cs-bytes","cs-method","cs-uri-scheme","cs-host","cs-uri-port","cs-uri-path","cs-uri-query","cs-username","cs-auth-group","s-hierarchy","s-supplier-name","rs-content-type","cs-referer","cs-user-agent","sc-filter-result","cs-categories","x-virus-id","s-ip"]
    separator => " "
    remove_field => [ "message" ]
    remove_field => [ "time-taken" ]
    remove_field => [ "x-virus-id" ]
    }
  mutate {
    replace => [ "date", "%{date} %{time}" ]
    remove_field => [ "time" ]
    }
  date {
    match => [ "date", "YYYY-MM-dd HH:mm:ss" ]
    target => [ "datetime"]
    remove_field => [ "date" ]
    }
  geoip {
      source => "s-ip"
    }
  }
}
output {
  elasticsearch {
    embedded => true
    index => "bluecoatlogs"
  }
}