Barracuda WAF-as-a-Service generates various types of logs, as described in Log Retention and Location. The Log Export component enables you to export these logs in real-time via the Syslog protocol or Azure event hubs. You can then stream the data from Azure event hubs to SIEM (Security Information and Event Management) tools, like Barracuda XDR, Splunk, ArcSight, and others.
Before You Begin
Regardless of how you will export your logs, be sure to allow the source IPs for the export logs, as described in Restricting Direct Traffic.
34.227.174.172
40.71.30.40
Choose one of the following methods to export logs:
Exporting to Syslog
Preparing to Export Logs
To export logs, you must have a Syslog server. You can set up your server or use a server provided by a cloud service.
If you are running syslog on a UNIX machine, ensure you start the syslog daemon process with the -r option so it can receive messages from external sources.
Windows users require additional software when using syslog, because the Windows OS does not include the syslog capability. There are many syslog solutions available, both free and commercial, including Kiwi Syslog.
If you are using a cloud service, they will provide you with the server hostname, port, and protocol. Barracuda WAF-as-a-Service can export logs via UDP, TCP, or SSL protocols.
Syslog Facility
Syslog receives different types of log messages. To differentiate and store them in distinct log files, log messages contain a logging priority and a logging facility, in addition to the actual message and IP address.
There are eight facility options. All log messages are marked with one of the facility options, labelled local0 through local7. By default, each syslog server is marked with local0.
For each configured syslog server, you can associate a specific facility with each log type, so your syslog server can segregate the log of each type into a different file.
See the instructions below for setting a facility option.
Severity Level
You can set the severity level to export firewall logs and system logs to the configured export log server(s). Barracuda WAF-as-a-Service severity levels, listed from greatest to least severity, are:
Emergency
Alert
Critical
Error
Warning
Notice – Default setting
Information
Debug
Notice is the default setting, indicating normal, but significant conditions.
Barracuda WAF-as-a-Service exports logs based on the selected severity level. For example, if you set the severity to Critical, then logs with a severity level of Critical and above (that is, Emergency, Alert, and Critical) are all sent to the external log server.
Configuring Export Log Information
Within Barracuda WAF-as-a-Service, open the application. In the left navigation panel, select Log Export.
Click Add Export Log Server.
In the Add Export Log Server page, specify the following information:
Name – Enter a name for the new setting.
Log Server Type – Select Syslog NG.
Log Server Communication – (This option is available only when the application is deployed in the custom container) Select how you want the logs to be exported to the external log server.
Send logs to the Log Server from WAF-as-a-Service - Logs are displayed on the WAF-as-a-Service web interface (Logs page) and exported to the external log server simultaneously.
Send logs to the Log Server directly from the WAF Container - Logs are exported to the configured external log server directly from the WAF container.
Server Address and Port – Add the IP address or Hostname and Port for the external log server. The port is automatically entered based on your selection in Connection Type below.
Connection Type – Select how you will connect with the external log server. Based on your selection, the appropriate port is automatically entered in the Server Address and Port field, located directly above.
Syslog Header – Select a standard header or select Custom to specify the header.
Firewall Logs – Specify the export format for Firewall Logs. This typically matches the type of logging server to which you are exporting logs. The following log formats are displayed in the drop-down list:
Default - The default firewall logs format defined by the Barracuda WAF-as-a-Service.
CEF:0 (ArcSight) – The Common Event Format (CEF) log used by ArcSight.
HPE ArcSight CEF:0 - The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
LEEF1.0 (QRadar) – The Log Event Enhanced Format (LEEF) log used by QRadar.
Microsoft Azure Log Analytics - The default log format used by Microsoft Azure Log Analytics.
Symantec SIM – The default log format used by Symantec SIM.
RSA enVision – The default log format used by RSA envision.
Splunk – The default log format used by Splunk.
Custom – Define a custom log format using the values displayed in the Log Field Macros section.
If you do not see your log type listed, select Custom and enter the format. See below for the format specifier. If you do not want to export Firewall Logs, select Do Not Export.Severity – Select the severity for log events you want to export. Events with that severity, and higher levels of severity, are exported. The default setting is Notice, described above.
Facility – Specify where you want to store the log file, so logs are kept separate and are easy to retrieve. See the Syslog Facility section.
Access Logs - Specify the export format for Access Logs. This typically matches the type of logging server to which you are exporting logs. The following log formats are displayed in the drop-down list:
Default - The default access logs format defined by the Barracuda WAF-as-a-Service.
Common Log Format – The default format for logged HTTP information.
NCSA Extended Format – The Common Log Format appended with referer and user-agent information.
W3C Extended Format – The default log format used by Microsoft Internet Information Server (IIS).
CEF:0 (ArcSight) – The Common Event Format (CEF) log used by ArcSight.
HPE ArcSight CEF:0 – The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight)
LEEF1.0 (QRadar) – The Log Event Enhanced Format (LEEF) log used by QRadar.
Microsoft Azure Log Analytics – The default log format used by Microsoft Azure Log Analytics.
Symantec SIM – The default log format used by Symantec SIM.
RSA enVision – The default log format used by RSA enVision.
Splunk – The default log format used by Splunk.
Custom – Define the custom log format using the values displayed in the Log Field Macros section.
If you do not see your log type listed, select Custom and enter the format. See below for the format specifier. If you do not want to export Firewall Logs, select Do Not Export.Facility - Specify where you want to store the log file, so logs are kept separate and are easy to retrieve. See the Syslog Facility section.
Event Logs – Specify the export format for Event Logs. This typically matches the type of logging server to which you are exporting logs. The following log formats are displayed in the drop-down list:
Default - The default event logs format defined by the Barracuda WAF-as-a-Service.
Custom - Define the custom log format using the values displayed in the Log Field Macros section.
If you do not see your log type listed, select Custom and enter the format. See below for the format specifier. If you do not want to export Firewall Logs, select Do Not Export.Facility – Specify where you want to store the log file, so logs are kept separate and are easy to retrieve. See the Syslog Facility section.
Click Add to add the above settings.
Exporting to Azure Event Hubs
Configuring Export Log Information for Azure Event Hubs
Exporting log data to Azure event hubs enables you to analyze that data with third-party SIEM (Security Information and Event Management) tools. For more information, refer to this Microsoft document, Stream Azure monitoring data to an event hub or external partner.
Within Barracuda WAF-as-a-Service, open the application. In the left navigation panel, select Log Export.
Click Add Export Log Server.
In the Add Export Log Server page, specify the following information:
Name – Enter a name for the new setting.
Log Server Type – Select Azure Event Hubs.
Event Hub Name – Specify the name of your Azure event hub.
Service Bus Name – Specify the name of the service bus for your Azure event hub.
Policy Name – Specify the policy name for your event hub.
Policy SAS Key – Specify the Microsoft Azure event hub SAS key value.
Send Traffic Logs – Enable to export traffic logs.
Send WAF Firewall Logs – Enable to export Barracuda Web Application Firewall logs.
Send WaaS Event Logs – Enable to export Barracuda WAF-as-a-Service event logs.
Click Add to add the above settings.
Log information is automatically sent to your Azure event hub, and beyond if you choose.
Log Format for Firewall Logs
The default log format for Firewall Logs:
%t %un %lt %sl %ad %ci %cp %ai %ap %ri %rt %at %fa %adl %m %u %p %sid %ua %px %pp %au %r %uid
Example:
Apr 13 08:05:07 Barracuda - 2024-04-13 08:05:07.183 +0000 57fbcbf54f-z6pxk WF ALER TILDE_IN_URL 213.182.115.22 35245 10.125.7.107 31200 security-policy GLOBAL DENY NONE PathInfo="~" GET /index.html TLSv1.2 curl/7.47.0 10.145.7.147 60148 12ed42d1bef-365b5f9
Description
The following table provides information about each element of the firewall logs:
Log Format for Access Logs
The default log format for Firewall Logs:
%t %un %lt %ai %ap %ci %cp %id %cu %m %p %h %v %s %bs %br %ch %tt %si %sp %st %sid %rtf %pmf %pf %wmf %u %q %r %c %ua %px %pp %au %cs1 %cs2 %cs3 %uid
Example:
Apr 13 08:05:07 Barracuda - 2024-04-13 08:05:07.183 +0000 57fbcbf54f-z6pxk TR 10.225.7.211 12290 112.122.137.66 34225 "-" "-" GET TLSv1.2 app201452.azurelab.cudawaas.com HTTP/1.1 404 8011 107 0 0 10.36.45.24 443 0 INTERNAL DEFAULT PROTECTED INVALID /index.html/?name=srea http://10.99.109.2/index.cgi namkrl=sreask curl/7.47.0 10.221.7.155 60168 Peter curl/7.47.0 "-" app201452.azurelab.cudawaas.com 16ed45d1bef-486b5f9
Description
The following table provides information about each element of the access log for the above example:
Log Format for Event Logs
The default log format for Event Logs:
%t %lt %waas_category %si %sp %waas_message
Example:
Aug 22 11:58:14 Barracuda - 2024-08-22 11:58:14.483 +0000 WAAS_EVENT Server Health 10.222.40.71 80 Status Down ,Reason: TCP connection timedout error
Description
The following table provides information about each element of the event log for the above example:
Field Name | Example | Description |
---|---|---|
Timestamp | Aug 22 11:58:14 | The time recorded in the following format: "yyyy-mm-dd hh:mm:ss.s" (one or more digits representing a decimal fraction of a second) TZD (time zone designator, which is either Z or +hh:mm or -hh:mm) |
LogType | WAAS_EVENT | Type of log: Web Firewall Log, Access Log, or Event Log. |
Event Log Categories | Server Health | Category of the event to which the component belongs. |
Server IP | 10.222.40.71 | IP address of the backend web server. |
Server Port | 80 | Port associated with the backend web server. |
Event Message | Status Down ,Reason: TCP connection timedout error | Message displayed for the generated event. |
Log Field Macros
When defining the custom format, use the macros mentioned in the table to insert various fields in the log entry.
Log Field Macros for Web Firewall Logs
Web Firewall Logs | Description |
---|---|
%ai - Application IP | IP address of the application that receives the traffic. |
%ap - Application Port | Port associated with the application IP address. |
%at - Action Taken | The appropriate action applied on the traffic.
|
%ad - Attack Description | Name of the attack triggered by the request. |
%adl - Attack Details | Details of the attack triggered by the request. |
%ag - Attack Group | Name of the attack group as categorized by Barracuda WAF-as-a-Service based on the violations/attacks. |
%aid - Attack ID | Predefined ID assigned to the attack. |
%au - Authenticated User | Username of the currently authenticated client requesting the web page. |
%sn - Application ID | Application ID and the unique ID assigned to the application. |
%ci - Client IP | IP address of the client sending the request. |
%cp - Client Port | Port associated with the client IP address. |
%cc - Country Code | The two-letter country code of the location from where the request originated. |
%cwe - CWE | Common Weakness Enumeration (CWE) ID(s) that provides information about security vulnerabilities. |
%fa - Follow-up Action | The follow-up action as specified by the action policy. It can be either None or Locked in case the lockout is chosen. |
%lt - Log Type | Type of log: Web Firewall Log, Access Log, or Event Log. |
%m - Method | HTTP method used by the request. Values: GET, POST, HEAD, etc. |
%owasp - OWASP | Attack category listed by OWASP. |
%owasp_at - OWASP Automated Threats | Type of automated threat identified by the OWASP Automated Threats. |
%owasp_api - OWASP API | API Security risk category listed by OWASP. |
%owasp_rs - OWASP Risk Score | Risk score assigned by the Barracuda WAF-as-a-Service to the vulnerability. It indicates the severity of the vulnerability in the detected attack. |
%p - Protocol | Protocol used for the request. |
%px - Proxy IP | If the client requests are coming through a proxy or gateway, this field provides the IP address of the proxy. |
%pp - Proxy Port | The port of the proxy server whose IP address has been logged in the Proxy IP field above. |
%r - Referer | The value contained in the Referrer HTTP request header. It identifies the web resource from which the client was “referred” to the requested URL. |
%ri - Rule ID | Name of the policy to which the Barracuda WAF-as-a-Service matched the request. |
%rn - Rule Name | Name of the Traffic Rule. NOTE: |
%rt - Rule Type | Indicates the type of rule that was hit by the request that caused the attack. The following is the list of expected values for Rule Type:
|
%sid - Session ID | Value for this field remains blank. |
%sl - Severity Level | Defines the seriousness of the attack. Values:
|
%t - Time Stamp | The time recorded in the following format: "yyyy-mm-dd hh:mm:ss.s" (one or more digits representing a decimal fraction of a second) TZD (time zone designator, which is either Z or +hh:mm or -hh:mm) |
%u - URL | URL specified in the request. |
%ua - User Agent | The value contained in the User-Agent request header. Normally, this information is submitted by the clients, which details the browser, operating system, software vendor, or software revision, in an identification string. |
%un - Unit Name | Name of the unit. |
%uid - Unique ID | ID generated for the request. A unique ID is generated for every log. |
Log Field Macros for Access Logs
Access Logs | Description |
---|---|
%ai - Application IP | IP address of the application that receives the traffic. |
%ap - Application Port | Port associated with the application IP address. |
%au - Authenticated User | Username of the currently authenticated client requesting the web page. |
%br - Bytes Received | Bytes received from the client as a part of the request. |
%bs - Bytes Sent | Bytes sent as a response by the Barracuda WAF-as-a-Service to the client. |
%ch - Cache Hit | Specifies whether the response is served out of the Barracuda WAF-as-a-Service cache or from the backend server. Values: 0 – if the request is fetched from the server and given to the user. 1 – if the request is fetched from the cache and given to the user. |
%cu - Certificate User | Username as found in the SSL certificate when Client Authentication is enforced by the Barracuda WAF-as-a-Service. |
%ci - Client IP | IP address of the client sending the request. |
%cp - Client Port | Port associated with the client IP address. |
%c - Cookie | Cookie as found in the HTTP request headers. |
%ct - Client Type | Specifies the type of client making the request. Values:
|
%cfp - Client Fingerprint | A unique client fingerprint generated for the client sending the request. |
%crs - Client Risk Score | Risk score assigned to the client fingerprint. |
%cc - Country Code | The two-letter country code of the location from where the request originated. |
%cs1 - Custom Header 1 | The header name for which you want to see the value in the Access Logs. |
%cs2 - Custom Header 2 | The header name for which you want to see the value in the Access Logs. |
%cs3 - Custom Header 3 | The header name for which you want to see the value in the Access Logs. |
%cs4 - Custom Header 4 | The header name for which you want to see the value in the Access Logs. |
%cs5 - Custom Header 5 | The header name for which you want to see the value in the Access Logs. |
%cs6 - Custom Header 6 | The header name for which you want to see the value in the Access Logs. |
%h - Host | IP address of the host or website accessed by the user. |
%s - HTTP Status | The standard response code that helps identify the cause of the problem when a web page or other resource does not load properly. |
%id - Login ID | Login ID used by the client when authentication is set to On for the application. |
%lt - Log Type | Type of log: Web Firewall Log, Access Log, or Event Log. |
%m - Method | HTTP method used by the request. Values: GET, POST, HEAD, etc. |
%p - Protocol | Protocol used for the request. |
%pf - Protected Field | Specifies whether the request went through the Barracuda WAF-as-a-Service rules and policy checks. Values: PASSIVE, PROTECTED, UNPROTECTED. |
%px - Proxy IP | If the client requests are coming through a proxy or gateway, this field provides the IP address of the proxy. |
%pmf - Profile Matched Field | Specifies whether the request matched a defined URL or Parameter Profile. Values: DEFAULT, PROFILED. |
%pp - Proxy Port | Port of the proxy server whose IP address has been logged in the Proxy IP field above. |
%q - Query | Query part of the request. |
%r - Referer | The value contained in the Referrer HTTP request header. It identifies the web resource from which the client was “referred” to the requested URL. |
%rtf - Response Type Field | Specifies whether the response came from the backend server or from the Barracuda WAF-as-a-Service. Values: INTERNAL, SERVER. |
%rrs - Request Risk Score | Risk score assigned to the request. |
%rn - Rule Name | Name of the Traffic Rule. NOTE: |
%sid - Session ID | Value for this field remains blank. |
%si - Server IP | IP address of the backend web server. |
%sp - Server Port | Port associated with the backend web server. |
%st - Server Time | Total time taken (in milliseconds) by the back-end server to serve the request forwarded to it by the Barracuda WAF-as-a-Service. |
%sn - Application ID | Application ID and the unique ID assigned to the application. |
%t - Time | Date and time of the log when it was generated. |
%tt - Time Taken | Total time taken to serve the request from the time the request landed on the Barracuda WAF-as-a-Service until the last byte given out to the client. |
%u - URL | URL of the request without the query part. |
%ua - User Agent | The value contained in the User-Agent request header. Normally, this information is submitted by the clients, which details the browser, operating system, software vendor or software revision, in an identification string. |
%un - Unit Name | Name of the unit, which is same as the default hostname. |
%uid - Unique ID | ID generated for the request. A unique ID is generated for every log. |
%v - Version | HTTP version used by the request. |
%wmf - WF Matched | Specifies whether the request is valid. Values: INVALID, VALID. |
%tarc - Epoch/Unix Timestamp | Time is displayed in the Epoch/Unix timestamp format. |
%ta - American Standard Format Timestamp | Time is displayed in the American Standard timestamp format. |
Log Field Macros for Event Logs
Event Logs | Description |
---|---|
%t - Timestamp | The time recorded in the following format: "yyyy-mm-dd hh:mm:ss.s" (one or more digits representing a decimal fraction of a second) TZD (time zone designator, which is either Z or +hh:mm or -hh:mm) |
%lt - LogType | Type of log: Web Firewall Log, Access Log, or Event Log. |
%si - Server IP | IP address of the backend web server. |
%sp - Server Port | Port associated with the backend web server. |
%waas_category - Event Log Categories | Category of the event to which the component belongs. The event types are:
|
%waas_message - Event Message | Message displayed for the generated event. |