Collect logs for Barracuda WAF App

This page provides instructions for configuring log collection for the Barracuda WAF App for use with the predefined searches and dashboards.

The Barracuda WAF App provides detailed analytics on system, firewall, and network security so you can protect your environment from malicious attacks. Security Analysis dashboards provide insights into the types of attacks, severity, malicious IPs, blocked and allowed content, and attacks by services. Traffic Analysis dashboards provide detailed information on client, server, and service traffic, as well as errors, bandwidth trends, and service performance.

Log Types

The Barracuda WAF App uses the following log types:

  • System Logs - Events generated by the Barracuda Web Application Firewall system.
  • Web Firewall Logs - All actions and events on the web firewall. These logs help the administrator to analyze traffic for suspicious activity and fine tune the web firewall policies.
  • Access Logs - All web traffic activities. These logs help the administrator obtain information about website traffic and performance.
  • Audit Logs - The audit logs record the activity of the users logged in to the GUI of the Barracuda Web Application Firewall. These logs are used for administration purposes.
  • Network Firewall Logs - The network traffic passing through the interfaces (WAN, LAN and MGMT) that matches a configured Network ACL rule. These log entries record every packet that the Barracuda Web Application Firewall allows or denies based on the Action specified in the ACL rule. This information helps identify where the network traffic originated, its destination, and the action applied.

For more information on log formats, see the Barracuda Log Types page.

Configure log collection for Barracuda WAF

This section describes how to configure log collection for the Barracuda WAF App in the following steps:

Step 1: Configure a Collector

To create a new Sumo Logic Hosted Collector, perform the steps in Configure a Hosted Collector.

Step 2: Configure a Source

This section shows you how to configure a source for log collection. In this task you specify the Source Category metadata field, which is a fundamental building block for organizing and labeling sources.

To configure a source, do the following:

  1. Perform the steps in Configure a Cloud Syslog Source, and configure the following Source fields:

    1. Name. (Required) Enter a name. The description is optional.

    2. Source Category. (Required) Provide a realistic Source Category for this data type. For example: prod/barracuda/waf. For more information, see Best Practices.

  2. In the Advanced section, specify the following configurations:

    1. Enable Timestamp Parsing. True

    2. Time Zone. Logs are in UTC by default

    3. Timestamp Format. Auto Detect

  3. Click Save.

  4. Copy and paste the token in a secure location. You will need this when you configure Barracuda Cloud Syslog Settings.

Step 3: Configure Logging in Barracuda WAF

This section shows you how to configure logging in Barracuda WAF for use with the preconfigured searches and dashboards of the Sumo Logic App for Barracuda WAF.

To configure logging in Barracuda WAF, do the following:

  1. Log in to your Barracuda account and go to ADVANCED > Export Logs.

[Screenshot: BarracudaWAF_login.png]

  2. Click Add Export Log Server.

[Screenshot: BarracudaWAF_Export_Log_Server.png]

  3. In the Add Export Log Server window, specify values for the following:

    1. Name - Enter a name for the Sumo Logic service.

    2. Log Server Type - Select Cloud Syslog Service.

    3. IP Address or Hostname - Enter the IP address or hostname of the Sumo Logic service. For example: syslog.collection.your_deployment.sumologic.com

    4. Port - Enter the port of the Sumo Logic service. The default port is 6514.

    5. Token - Enter the token for the Sumo Logic service, such as: 9HFxoa6+lXBmvSM9koPjGzvTaxXDQvJ4POE/ExAMpleTOkenForTAsk3mSEKxPl0Q@41123, where the number "41123" is the Sumo Logic PEN and is included as part of the customer token.

    6. Log Timestamp and Hostname - Click Yes to log the date and time of the event, and the hostname configured in the BASIC > IP Configuration > Domain Configuration section.

    7. Comment - (Optional) Enter a comment describing the setting.

[Screenshot: BarracudaWAF_Add_Export_Log_Server.png]

  4. Click Add.

  5. Go to ADVANCED > Export Logs.

  6. To send all logs to Sumo Logic, change the Export Log Settings as shown in the following screenshot:

    1. Export Log Settings - Mark every log as Enable.

    2. Export Log Filters - Select the severity according to the logs that need to be sent. For example, if the filter is set to 5-Notice, then logs with severity 0-5 are sent to the syslog server, that is, 0-Emergency, 1-Alert, 2-Critical, 3-Error, 4-Warning, and 5-Notice.

      • 0-Emergency: System is unusable (highest priority)
      • 1-Alert: Response must be taken immediately
      • 2-Critical: Critical conditions
      • 3-Error: Error conditions
      • 4-Warning: Warning conditions
      • 5-Notice: Normal but significant condition
      • 6-Information: Informational messages (on ACL configuration changes)
      • 7-Debug: Debug level messages (lowest priority)

    3. Syslog Settings - Keep the default.

[Screenshot: BarracudaWAF_Export_Log_Settings.png]

  7. Click Save.

  8. Go to ADVANCED > Export Logs.

  9. In the Logs Format tab, make sure every log format is set to the default, because the app supports the default log formats.

BarracudaWAF_Logs_Format.png

Field Extraction Rules

The following field extraction rules are used for each log type.

System Log:

parse regex "(?<Unit_Name>[^ ]+) SYS(?<Log>.*)"
| parse field=Log " * * * *" as Module_Name, Log_Level, Event_Id, Log_Details

Web Firewall Log:

parse regex "(?<Unit_Name>[^ ]+) WF(?<Log>.*)"
| parse field=Log " * * * * * * * * * * [*] * * * * \"*\" * * * * *" as Severity, Attack_Type, Client_Ip, Client_Port, Service_Ip, Service_Port, Rule, Rule_Type, Action, Follow_Up_Action, Attack_Details, Method, URL, Protocol, Session_Id, User_Agent, Proxy_Ip, Proxy_Port, User, Referrer, UID

Access Log:

parse regex "(?<Unit_Name>[^ ]+) TR(?<Log>.*)"
| parse field=Log " * * * * * * * * * * * * * * * * * * * * * * * * * * * \"*\" * * * * * * *" as Service_Ip, Service_Port, Client_Ip, Client_Port, Login, Cretificate_User, Http_Method, Http_Protocol, Domain, HttpVersion, Response_Code, Bytes_Sent, Bytes_Received, Cache_Hit, Time_Taken, Backend_Server, Backend_Server_Port, Server_Time, Session_Id, Response_Type, Profile_Matched, Protected, WF_Matched, URL, Query_String, Referrer, Cookie, User_Agent, Proxy_ip, Proxy_Port, Authenticated_User, Custom_Header_1, Custom_Header_2, Custom_Header_3, UID

Audit Log:

parse regex "(?<Unit_Name>[^ ]+) AUDIT(?<Log>.*)"
| parse field=Log " * * * * * * * * * * * * * *" as Admin_Name, Client_Type, Login_Ip, Login_Port, Transaction_Type, Transaction_Id, Command_Name, Change_Type, Object_Type, Object_Name, Variable_Name, Old_Value, New_Value, Additional_Data

Network Firewall Log:

parse regex "(?<Unit_Name>[^ ]+) NF(?<Log>.*)"
| parse field=Log " * * * * * * * * *" as Log_Level, Protocol, Source_Ip, Source_Port, Destination_Ip, Destination_Port, ACL_Policy, ACL_Name, Log_Details

Sample Log Messages

The following sample log messages correspond to the log types above.

System Log:

<129>1 2019-04-19T00:52:58-07:00 WAFNEW 2019-04-19   - 00:52:58.985 -0700 WAFNEW SYS PROCMON ALER 50009 Log storage exceeds 10%

Web Firewall Log:

<129>1 2019-04-09T03:57:49-07:00 WAFNEW 2019-04-09   - 03:57:49.304 -0700 WAFNEW WF ALER PYTHON_PHP_ATTACKS_MEDIUM_IN_URL 182.69.208.134 50910 10.0.1.90 80 security-policy GLOBAL DENY NONE [type\="python-php-attacks-medium" pattern\="python-cfm-command-substrings" token\="/exec/"] GET 13.234.142.236/dvwa/vulnerabilities/exec/ HTTP "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" 182.69.208.134 50910 "-" http://13.234.142.236/dvwa/vulnerabi...ge=include.php 16a01bf34f8-f9a544ae

Access Log:

<134>1 2019-04-15T15:46:53.460+0530 WAF 2019-04-15   - 15:46:53.460+0530 -0700 WebSite TR 10.1.1.90 80 141.138.107.86 50915 "-" "-" POST HTTPS 202.191.66.53 HTTP/1.0 403 2411 1609 0 22 10.0.2.200 80 0 "-" SERVER DEFAULT PROTECTED VALID /favicon.ico "-" http://www.bing.com/search?q=sumo%20...ox&FORM=IE11SR "-" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36" 182.69.208.134 50915 "-" "-" "-" "-" 16a01bf4be9-fca462a6

Audit Log:

<13>1 2019-04-16T12:55:10+00:00 ip-10-0-1-200 2019-04-16   - 05:55:10.006 -0700 WAF12 AUDIT sourabh GUI 111.93.54.106 55035 CONFIG 86 config SET user_system_ip Siteminder Session Sync user_system_ip_log "Off" "On" []

Network Firewall Log:

<13>1 2019-04-19T06:10:58+00:00 ip-10-0-1-200 2019-04-18   - 23:10:58.647 -0700 WAF12 NF INFO TCP 37.204.127.164 39410 10.0.1.20 22 ALLOW SSH MGMT/LAN/WAN interface traffic:allow

Query sample

The following sample query is from the Top Clients by Bandwidth panel of the Barracuda WAF - Client Traffic dashboard.

_sourceCategory=Labs/loggen/barracuda " TR "
| parse regex "(?<Unit_Name>[^ ]+) TR(?<Log>.*)"
| split Log delim=' ' extract 4 as Client_Ip, 13 as Bytes_Sent, 2 as Service_Ip, 3 as Service_Port
| round((Bytes_Sent / 1024),2) as Bandwidth
| sum(Bandwidth) as Bandwidth_Consumed_KB by Client_Ip
| sort by Bandwidth_Consumed_KB
| limit 5
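The extraction rules, the sample messages and the sample query above can be exercised offline before the data reaches Sumo Logic, which is useful when checking whether a custom log format or a dashboard panel will parse as expected. The following Python is an added example written for this page, not Sumo Logic's or Barracuda's code. It approximates each Sumo "parse" anchor as a regex (every wildcard a non-greedy group except the last, which is an assumption about Sumo's matching), splits the syslog PRI from the header into facility and severity, applies the Export Log Filters threshold to that severity (also an assumption, since the appliance filters on its own log level), and reproduces the Top Clients by Bandwidth aggregation from the sample query. The inputs are the page's own sample messages, kept verbatim including their "..." elisions.

```python
import re
from collections import defaultdict

# Sumo Logic "parse" anchor templates and field names copied from this page's
# field extraction rules (Sumo's \" is written as a plain " here). The TR rule
# is 27 single-token fields, the quoted User_Agent, then 7 more fields.
RULES = {
    "SYS": (" * * * *", ["Module_Name", "Log_Level", "Event_Id", "Log_Details"]),
    "WF": (' * * * * * * * * * * [*] * * * * "*" * * * * *',
           ["Severity", "Attack_Type", "Client_Ip", "Client_Port", "Service_Ip",
            "Service_Port", "Rule", "Rule_Type", "Action", "Follow_Up_Action",
            "Attack_Details", "Method", "URL", "Protocol", "Session_Id",
            "User_Agent", "Proxy_Ip", "Proxy_Port", "User", "Referrer", "UID"]),
    "TR": (" " + " ".join(["*"] * 27) + ' "*" * * * * * * *',
           ["Service_Ip", "Service_Port", "Client_Ip", "Client_Port", "Login",
            "Cretificate_User", "Http_Method", "Http_Protocol", "Domain",
            "HttpVersion", "Response_Code", "Bytes_Sent", "Bytes_Received",
            "Cache_Hit", "Time_Taken", "Backend_Server", "Backend_Server_Port",
            "Server_Time", "Session_Id", "Response_Type", "Profile_Matched",
            "Protected", "WF_Matched", "URL", "Query_String", "Referrer", "Cookie",
            "User_Agent", "Proxy_ip", "Proxy_Port", "Authenticated_User",
            "Custom_Header_1", "Custom_Header_2", "Custom_Header_3", "UID"]),
    "AUDIT": (" " + " ".join(["*"] * 14),
              ["Admin_Name", "Client_Type", "Login_Ip", "Login_Port",
               "Transaction_Type", "Transaction_Id", "Command_Name", "Change_Type",
               "Object_Type", "Object_Name", "Variable_Name", "Old_Value",
               "New_Value", "Additional_Data"]),
    "NF": (" " + " ".join(["*"] * 9),
           ["Log_Level", "Protocol", "Source_Ip", "Source_Port", "Destination_Ip",
            "Destination_Port", "ACL_Policy", "ACL_Name", "Log_Details"]),
}

# Severity scale from the Export Log Filters list; the syslog PRI in the header
# (<129>, <134>, <13>) encodes facility * 8 + severity on the same 0-7 scale.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
                  "Information", "Debug"]

# RFC 5424 header as it appears in the page's samples: <PRI>1 TIMESTAMP HOSTNAME body
SYSLOG_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<hostname>\S+) (?P<body>.*)$")
# Same shape as the page's "parse regex", with the log type token captured as well.
UNIT_RE = re.compile(r"(?P<Unit_Name>[^ ]+) (?P<Type>SYS|WF|TR|AUDIT|NF)(?P<Log> .*)$")


def template_to_regex(template):
    """Approximate a Sumo parse anchor: literal text escaped, every * but the
    last a non-greedy group, the last * greedy (assumption about Sumo's matching)."""
    literals = re.escape(template).split(r"\*")
    pattern = literals[0]
    for i, literal in enumerate(literals[1:]):
        pattern += ("(.*)" if i == len(literals) - 2 else "(.*?)") + literal
    return re.compile("^" + pattern + "$")


COMPILED = {t: (template_to_regex(tpl), names) for t, (tpl, names) in RULES.items()}


def parse_barracuda(line):
    """Return header fields plus the matching rule's fields, or None on no match."""
    hdr = SYSLOG_HEADER.match(line)
    unit = UNIT_RE.search(hdr.group("body")) if hdr else None
    if not unit:
        return None
    regex, names = COMPILED[unit.group("Type")]
    fields = regex.match(unit.group("Log"))
    if not fields:
        return None
    pri = int(hdr.group("pri"))
    record = {"syslog_host": hdr.group("hostname"), "facility": pri // 8,
              "severity": pri % 8, "severity_name": SEVERITY_NAMES[pri % 8],
              "Unit_Name": unit.group("Unit_Name"), "Type": unit.group("Type")}
    record.update(zip(names, fields.groups()))  # positional fields, as in the rule
    return record


def passes_export_filter(record, threshold=5):
    """Export Log Filters rule from the page: at 5-Notice, severities 0-5 are sent.
    Evaluated here on the syslog PRI severity (an assumption made in this example)."""
    return record["severity"] <= threshold


def top_clients_by_bandwidth(records, limit=5):
    """Python version of the page's sample query: per-record KB rounded to two
    places, summed per Client_Ip over access (TR) records, largest first."""
    totals = defaultdict(float)
    for rec in records:
        if rec and rec["Type"] == "TR":
            totals[rec["Client_Ip"]] += round(int(rec["Bytes_Sent"]) / 1024, 2)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(ip, round(kb, 2)) for ip, kb in ranked[:limit]]


# The page's own sample messages, one per log type, verbatim including the "..." elisions.
SAMPLES = [
    r'<129>1 2019-04-19T00:52:58-07:00 WAFNEW 2019-04-19   - 00:52:58.985 -0700 WAFNEW SYS PROCMON ALER 50009 Log storage exceeds 10%',
    r'<129>1 2019-04-09T03:57:49-07:00 WAFNEW 2019-04-09   - 03:57:49.304 -0700 WAFNEW WF ALER PYTHON_PHP_ATTACKS_MEDIUM_IN_URL 182.69.208.134 50910 10.0.1.90 80 security-policy GLOBAL DENY NONE [type\="python-php-attacks-medium" pattern\="python-cfm-command-substrings" token\="/exec/"] GET 13.234.142.236/dvwa/vulnerabilities/exec/ HTTP "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" 182.69.208.134 50910 "-" http://13.234.142.236/dvwa/vulnerabi...ge=include.php 16a01bf34f8-f9a544ae',
    r'<134>1 2019-04-15T15:46:53.460+0530 WAF 2019-04-15   - 15:46:53.460+0530 -0700 WebSite TR 10.1.1.90 80 141.138.107.86 50915 "-" "-" POST HTTPS 202.191.66.53 HTTP/1.0 403 2411 1609 0 22 10.0.2.200 80 0 "-" SERVER DEFAULT PROTECTED VALID /favicon.ico "-" http://www.bing.com/search?q=sumo%20...ox&FORM=IE11SR "-" "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36" 182.69.208.134 50915 "-" "-" "-" "-" 16a01bf4be9-fca462a6',
    r'<13>1 2019-04-16T12:55:10+00:00 ip-10-0-1-200 2019-04-16   - 05:55:10.006 -0700 WAF12 AUDIT sourabh GUI 111.93.54.106 55035 CONFIG 86 config SET user_system_ip Siteminder Session Sync user_system_ip_log "Off" "On" []',
    r'<13>1 2019-04-19T06:10:58+00:00 ip-10-0-1-200 2019-04-18   - 23:10:58.647 -0700 WAF12 NF INFO TCP 37.204.127.164 39410 10.0.1.20 22 ALLOW SSH MGMT/LAN/WAN interface traffic:allow',
]

if __name__ == "__main__":
    parsed = [parse_barracuda(s) for s in SAMPLES]
    for rec in parsed:
        print(rec["Type"], rec["Unit_Name"], rec["severity_name"], passes_export_filter(rec))
    print(top_clients_by_bandwidth(parsed))
```

Two things the run makes visible that the rules alone do not: the syslog PRI of the SYS and WF samples (129) decodes to 1-Alert, matching their ALER log level, while the access log sample (134) decodes to 6-Information and would be dropped by a 5-Notice filter, so the filter threshold directly decides whether the Traffic Analysis dashboards receive data. The positional rules also assume single-token values: in the audit sample the object name "Siteminder Session Sync" contains spaces, so Object_Name, Variable_Name, Old_Value and New_Value shift by two tokens, which is worth checking against real audit events before relying on those fields.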