Syslog Integration with Barracuda Content Shield

You can export log information from your BCS Plus account to your custom logging server using the Syslog feature as described below. Syslog data is available for the following traffic:

• Web Filtering Component (WFC) log: Web traffic logs generated by the BCS agent Web Filtering Component (WFC), or when the Barracuda Web Security Gateway is integrated with BCS.
• Chromebook 
• DNS proxy 
  
• ATP

Configure Your On-Site Syslog Server and Firewall

On your syslog server, configure the following:

• Default port is 6514, or whatever port your administrator decides to use
• TLS mode

On your firewall, make sure that traffic from the following IP addresses, depending on your region, are allowed to access the configured port on your syslog server:

• AWS East Region: 18.211.131.227 and  18.211.158.158
• AWS EU Region: 108.128.34.0 and 63.32.36.170

Configure the BCS Syslog Feature

1. Log into your BCS account and go to the ACCOUNT SETTINGS page.
2. On the lower right of the screen, click Configure Syslog.
3. In the Configure Syslog pop-up window:
   1. Set Enable Syslog to ON.
   2. Enter the Server Address and Port of your syslog server.
   3. Click Save.

To edit the above values after you save them, click EDIT SYSLOG CONFIGURATION.

When BCS connects with your syslog server, the page displays this message:

If BCS cannot connect to your syslog server, the page displays this message:

Turn off Syslog

To stop BCS from sending syslog data to your syslog server:

1. On the ACCOUNT SETTINGS page, click EDIT SYSLOG CONFIGURATION.
2. In the confirmation pop-up window, click TURN OFF. You can turn syslogs back on later by reversing the procedure.

After you turn off Syslog, the following message is displayed on the page:

Disconnect BCS From Your Syslog Server

1. On the ACCOUNT SETTINGS page, click REMOVE SYSLOG.
2. In the confirmation pop-up window, click REMOVE SYSLOG.

If you want to connect with your syslog server at a later time, you will need to follow instructions to Configure Syslog as described above.

Logs and Data Formats

Web Access Logs

<timestamp> <src_ip> <host/name> <username> <dst_ip> <action> <url> <::categories> <::supercategories> <content_type> <referrer>

Sample log output for each traffic type:

 Jul 8 18:11:21 bcs-remote chromebook-logs[]: 2020-07-08T18:10:43+00:00 172.13.185.58 - [jdoe@gmail.com] 23.205.64.7 ALLOWED http://news.mit.edu/sites/mit.edu.newsoffice/files/styles/article_cover_image_small/public/images/2020/MIT-Brain-Electro-01_1.jpg?itok=mpBO48Fm [Educational Reference] [Education] http://news.mit.edu
Jun 19 18:16:29 bcs-remote dns-logs[]: 2020-06-19T14:20:35+00:00 198.35.20.112 - [-] - DENIED poker.com [Gambling in General] [Adult Recreation or Illegal] -

These sample logs are described below:

Sample BCS WFC agent log output: The 'wca-logs' in the header portion in the first line signifies log data from the BCS WFC agent.  

• Source IP address = 10.1.2.214
• Host/name = wfdev-PC6
• Username = wfdev
• Destination IP address = 198.185.159.176
• Action =  ALLOWED
• URL = http://www.tekdefense.com/universal/images/overlay-arrow-left.png
• Category = Computing & Internet
  
• Supercategory = Technology
• Referrer = http://www.tekdefense.com/downloads/

Sample BCS with Barracuda Web Security Gateway log output: The 'wsg-logs' in the header portion in the second line signifies log data from Barracuda Content Shield Integrated With the Web Security Gateway.

• Source IP address = 10.42.246.146
• Host/name = cuda229.wfdev.barracuda.com
• Username = anonymous
• Destination IP address = 10.42.246.146
• Action =  ALLOWED
• URL = https://data.cnn.com/
• Category = News
  
• Supercategory = News and Information

• Referrer =  [none]
  
  

• Source IP address = 172.13.185.58
• Host/name = empty (no value, indicated by a dash '-')

• Username = jdoe@gmail.com
• Destination IP address = 23.205.64.7
• Action =  ALLOWED
• URL =  http://news.mit.edu/sites/mit.edu.newsoffice/files/styles/article_cover_image_small/public/images/2020/MIT-Brain-Electro-01_1.jpg?itok=mpBO48Fm
• Category = Educational Reference
  
• Supercategory = Education
• Referer = http://news.mit.edu 

Sample DNS Proxy log output: The 'dns-logs' in the header portion in the fourth line signifies log data from DNS proxy traffic.

• Source IP address = 198.35.20.112
• Host/name =  [this field will be empty or populated with a '-']

• Username =  [this field will be empty or populated with a '-']

• Destination IP address =   [this field will be empty or populated with a '-']
• Action =  DENIED
• URL = poker.com
• Category = Gambling in General
  
• Supercategory = Adult Recreation or Illegal

• Referrer = -  (none listed)

ATP Log: This threat log data comes from the ATP virus scanner and has the following format:

Header Format:

bcs-remote atp-logs[]:

Data Format: