Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see https://campus.barracuda.com/doc/71862301/ for further information on our EoS policy.

How to Configure Syslog Streaming


The syslog streaming configuration defines the handling of log files. Log messages of managed NG Firewalls can be transmitted to the NG Control Center Syslog service, but they can just as well be transmitted to any other system designed for log file collection or to another Barracuda NG Firewall.


Enable the Syslog Service

Enable the Barracuda NG Firewall to stream log files to external syslog devices like the Barracuda NG Control Center or a 3rd party syslog server. When using SSL for log file streaming, export the certificate and key for SSL based authentication.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. Click Lock.
  3. Enable the Syslog service.
  4. When using SSL for log file streaming, you may require a certificate different from the key and certificate by which the box is routinely identified:
    1. Select Switch to Advanced View in the left Configuration Mode menu.
    2. Disable Use Box Certificate/Key.
    3. Export the certificate and key. This certificate needs to be imported on the destination server for SSL based authentication.
  5. Click Send Changes and Activate.

Configure Logdata Filters

Define profiles specifying the log file types to be transferred / streamed.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Filters.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.
  5. Click the + icon to add a new entry. 
  6. Enter a descriptive name in the Filters dialog and click OK.
  7. In the Data Selection table, add the log files to be streamed. You can select:
    • Fatal_log – Log contents of the fatal log (log instance name: fatal)
    • Firewall_Audit_Log – The log contents of the firewall's machine readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the General Firewall Configuration settings on box-level, section Audit Log Handling > Audit-Delivery: Syslog-Proxy (see: FW Audit). The log instance name corresponding to Syslog-Proxy selected will be trans7.
    • Panic_log – Log contents of the panic log (log instance name: panic)

      When Log-File is selected in the firewall's configuration, the data will go into a log file named Box->Firewall->audit (which means the instance is named box_Firewall_audit) and thus this filter setting is not applicable. The pertinent one then would be a selection of category Firewall within the box selection portion of the filter.

  8. In the Affected Box Logdata section, define what kind of box logs are to be affected by the syslog daemon from the Data Selection list.
  9. When choosing Selection (default):
    1. Click the + icon next to Data Selection to add an entry.
    2. Enter a descriptive name for the group and click OK. The Data Selection window opens.
    3. Add the Log Groups for selection or select Other and specify an explicit selection. For more information, see User Defined Log Groups.
    4. Set a Log Message Filter. When choosing Selection:
      • Add the explicit log type to the Selected Message Types table.
    5. Click OK.
  10. In the Affected Service Logdata section, define what kind of logs created by services are to be affected by the syslog daemon from the Data Selection list.
  11. When choosing Selection (default):
    1. Click the + icon next to Data Selection to add an entry.
    2. Enter a descriptive name for the group and click OK. The Data Selection window opens.
    3. In the Log Groups table, add the server and services where log messages are streamed from, or select Other and specify a more granular selection. For more information, see User Defined Log Groups.
    4. Set a Log Message Filter. When choosing Selection:
      • Add the explicit log type to the Selected Message Types table.
    5. Click OK.
  12. Click Send Changes and Activate.

User Defined Log Groups

For selective syslog streaming, a configured logstream destination is required. This can either be a Barracuda NG Control Center or a dedicated 3rd party syslog server. For a more granular selection, configure logdata filters using the Data Selection > Log Groups parameter Other, and enter a string of the following form:

  • <modulname>_<logfile>

Example (for Affected Service Logdata):

  • virscan_cas
  • firewall_auth
  • firewall_Rule*

This selection would stream:

  • srv_<virscan-servername>_<virscan-servicename>_cas.log
  • srv_<firewall-servername>_<firewall-servicename>_auth.log
  • srv_<firewall-servername>_<firewall-servicename>_Rule*.log

This selection would not stream:

  • srv_<virscan-servername>_<virscan-servicename>.log
  • srv_<virscan-servername>_<virscan-servicename>_clamav.log
  • srv_<firewall-servername>_<firewall-servicename>.log
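
As an added example (not Barracuda code), the following Python checks which service log files a set of Log Groups selectors would cover, so that a gap such as the unmatched main service log is visible before anyone relies on the stream. The matching rule is inferred from the examples above; treating `*` as a shell-style wildcard, and the server and service names S1, AV and FW, are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed inventory: (server name, service name, module name).
SERVICES = [("S1", "AV", "virscan"), ("S1", "FW", "firewall")]

def split_selector(selector):
    """Split '<modulname>_<logfile>' at the first underscore."""
    module, _, logfile = selector.partition("_")
    if not module or not logfile:
        raise ValueError(f"expected <modulname>_<logfile>, got {selector!r}")
    return module, logfile

def classify(filename, services=SERVICES):
    """Map srv_<server>_<service>[_<logfile>].log to (module, logfile).

    logfile is None for the service's main log; (None, None) if unknown."""
    # Longest prefix first, so service "FW" cannot shadow a service "FW_2".
    ordered = sorted(services, key=lambda s: len(s[0]) + len(s[1]), reverse=True)
    for server, service, module in ordered:
        prefix = f"srv_{server}_{service}"
        if filename == prefix + ".log":
            return module, None
        if filename.startswith(prefix + "_") and filename.endswith(".log"):
            return module, filename[len(prefix) + 1:-len(".log")]
    return None, None

def would_stream(filename, selectors, services=SERVICES):
    """True if any selector names this file's module and matches its logfile part."""
    module, logfile = classify(filename, services)
    if logfile is None:
        return False
    rules = [split_selector(s) for s in selectors]
    # Assumption: '*' behaves like a shell-style wildcard (the page shows only 'Rule*').
    return any(module == m and fnmatchcase(logfile, pat) for m, pat in rules)

def coverage(filenames, selectors, services=SERVICES):
    """Split filenames into (streamed, not streamed) for the given selectors."""
    streamed = [f for f in filenames if would_stream(f, selectors, services)]
    return streamed, [f for f in filenames if f not in streamed]

# The selectors from the example above, applied to constructed file names.
SELECTORS = ["virscan_cas", "firewall_auth", "firewall_Rule*"]
FILES = ["srv_S1_AV_cas.log", "srv_S1_AV.log", "srv_S1_AV_clamav.log",
         "srv_S1_FW_auth.log", "srv_S1_FW_Rule-Block.log", "srv_S1_FW.log"]

if __name__ == "__main__":
    streamed, missed = coverage(FILES, SELECTORS)
    print("streamed:", streamed)
    print("not streamed:", missed)
```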

List of Available Box Module Names

  • Auth: Auth
  • Config: Config
  • Control: Control
  • Event: Event
  • Firewall: Firewall
  • Logs: Logs
  • Network: Network
  • Release: Release
  • Settings: Settings
  • SSH: SSH
  • Statistics: Statistics
  • System: System
  • Watchdog: Watchdog

List of Available CC-managed Box Modules

  • AV-Scanner: virscan
  • DHCP-Enterprise-Server: dhcpe
  • DHCP-Relay: dhcprelay
  • DNS: dns
  • Firewall: firewall
  • FW-Audit-Service: fwaudit
  • C-Firewall: cfirewall
  • FTP-Gateway: ftpgw
  • HTTP-Proxy: proxy
  • HTTP/HTTPS-Proxy: sslprx
  • Mail-Gateway: mailgw
  • OSPFv2-Router: ospf
  • Policy-Service: policyserver
  • Secure-Web-Proxy: sslprx
  • SPAM-Filter: spamfilter
  • SNMP-Service: snmp
  • SSH-Proxy: sshprx
  • ISS-ProventiaWebFilter: cofs
  • VPN-Server: vpnserver

List of Available Single Box Module Names

  • AV-Scanner: virscan
  • DHCP-Enterprise-Server: dhcpe
  • DHCP-Relay: dhcprelay
  • DNS: dns
  • Firewall: firewall
  • FTP-Gateway: ftpgw
  • HTTP-Proxy: proxy
  • HTTP/HTTPS-Proxy: sslprx
  • ISS-ProventiaWebFilter: cofs
  • Mail-Gateway: mailgw
  • OSPFv2-Router: ospf
  • Policy-Service: policyserver
  • Secure-Web-Proxy: sslprx
  • SNMP-Service: snmp
  • SPAM-Filter: spamfilter
  • SSH-Proxy: sshprx
  • VPN-Server: vpnserver

List of Available Control Center-Module Names (CC Box)

  • DNS: dns
  • Firewall: firewall
  • MC-Audit: fwaudit
  • MC-Conf: rangeconf
  • MC-Event: mevent
  • MC-Log: msyslog
  • MC-PKI: pki
  • MC-Entegra: mpolicyserver
  • MC-Reporter: rsdstats
  • MC-StatView: qstatm
  • MC-StatCollect: dstatm
  • MC-VPN: mastervpn

List of Available Reporter Module Names (Reporter Box)

  • Reporter DB: reporter

Configure Logstream Destinations

Define profiles specifying the transfer/streaming destination of log messages. Log lines from remote systems will be added as they are received but also get their creation time in ISODATE format enclosed in parentheses appended at the end, e.g.: (2013-07-01T18:37:17+00:00). Selecting NG-Firewall as destination will stream the log data to another unit in exactly the same file structure as on the sender system.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logstream Destinations.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.
  5. Click the + icon to add a new entry.
  6. Enter a descriptive name in the upcoming dialog and click OK. The Destinations window opens.
  7. Select the Remote Loghost. When an external log host is used:
    1. Select explicit IP (default).
    2. Enter the destination IP address in the Loghost IP Address field.
  8. Enter the destination port for delivering syslog messages. The Barracuda Networks CC syslog service listens on port TCP 5143 for SSL connections and on TCP and UDP port 5144 for unencrypted streaming. The default is to use encryption for delivery, therefore port 5143 is preconfigured.

    If you change the port assignment to another port, adjusting the local firewall rule set might become necessary.

  9. Select the Transmission Mode (TCP or UDP - default; for SSL connections TCP is automatically set).

    You may specify a particular Sender IP address used for sending the log data. When sending to a Barracuda NG Control Center, either the VIP or, in the absence of a management tunnel, the MIP is selected automatically.

  10. Click OK.
  11. Click Send Changes and Activate.

You may specify a particular address to be used in order to send the log data.

SSL Encapsulation

The option Use SSL Encapsulation may be turned off when the log stream is transmitted to the Barracuda NG Control Center and the box has a management tunnel to the CC. For CC transmission without a box tunnel, activating SSL encapsulation is recommended. Note also that transmission to a non-Barracuda NG Firewall system should be SSL encapsulated for reasons of privacy.

SSL Peer Authentication defines the way in which a destination system is authenticated when using SSL based authentication (authentication of the destination server by the box being a client). The list offers the following choices:

  • verify_peer_with_locally_installed_certificate – (default) The destination system is verified against a locally stored certificate either in the respective destination section or the Barracuda NG Control Center's certificate. This setting is useful when log messages are delivered to a system outside the scope of Barracuda NG Control Centers. For centrally administered Barracuda NG Firewalls this is the only applicable option.

      If the destination system is not a Barracuda NG Control Center, the peer SSL certificate may be required.

  • verify_peer_certificate – The destination system is verified against a locally stored CA certificate.
  • no_peer_verification – The peer is considered as trusted without verification. For security reasons, this option is NOT recommended.

Log Data Tagging

The log entities sent to an external log host contain the name and structural information (range/cluster) of the sending box and the name of the log file. With Override Node Name enabled this information can be overridden (default: disabled). If Override Node Name is enabled, specifying an explicit node name is possible. This node name is inserted into each log entity sent to the external log host. The setting Prepend Hierarchy Info allows fine tuning of the prefix which is inserted into each log entity sent to the external log host.

Log files generated on a box are stamped with the local box time. The UTC time offset compared to the local time is recorded though, and can be examined in the TZ column in the log viewer. The UTC time offset information is not included by default when log files are streamed to the Barracuda NG Control Center. Enabling Add UTC Offset adds the UTC time offset information to streamed log files, so that these files may be analyzed uniformly in case the Barracuda NG Control Center collects log files from multiple boxes placed in various time zones.
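
On the receiving log host, the creation time appended in parentheses (described under Configure Logstream Destinations) gives a time-zone-aware value for ordering lines from boxes in different time zones. The Python below is an added example, not Barracuda code; the sample lines are constructed, and everything before the parenthesised suffix is an assumption.

```python
import re
from datetime import datetime, timezone

# Trailing "(YYYY-MM-DDThh:mm:ss+hh:mm)", as in the page's example
# (2013-07-01T18:37:17+00:00). Anchored at the end of the line so that
# parentheses inside the message itself are left alone.
SUFFIX = re.compile(
    r"\s*\((\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2})\)\s*$")

def split_creation_time(line):
    """Return (message, creation time converted to UTC), or (line, None)."""
    line = line.rstrip("\n")
    m = SUFFIX.search(line)
    if not m:
        return line, None
    try:
        created = datetime.fromisoformat(m.group(1))
    except ValueError:  # right shape, but not a real date or time
        return line, None
    return line[:m.start()], created.astimezone(timezone.utc)

def utc_timeline(lines):
    """Order lines by creation time in UTC.

    Returns (stamped, unstamped): stamped is a sorted list of (utc_time, message);
    unstamped holds lines without a valid suffix, kept for separate review."""
    stamped, unstamped = [], []
    for line in lines:
        message, created = split_creation_time(line)
        if created is None:
            unstamped.append(message)
        else:
            stamped.append((created, message))
    stamped.sort(key=lambda pair: pair[0])
    return stamped, unstamped

# Constructed sample lines from three hypothetical boxes.
SAMPLE = [
    "boxA/box_Firewall: rule change committed (2013-07-01T20:37:17+02:00)",
    "boxB/box_Auth: login admin ok (2013-07-01T18:30:00+00:00)",
    "boxC/box_System: message without suffix",
    "boxA/box_Firewall: session (id 7) closed (2013-07-01T14:40:00-04:00)",
]

if __name__ == "__main__":
    ordered, rest = utc_timeline(SAMPLE)
    for when, message in ordered:
        print(when.isoformat(), message)
    print("no creation time:", rest)
```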

Configure Logdata Streams

This section establishes the relations between log patterns and log destinations. Each log pattern (a sort of filter) can be combined with a log destination, which allows fine-grained target selection.

With Barracuda CC Control selected as Remote Loghost, the streamed log files will be stored under /phion0/mlogs/range/cluster/box on the CC.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Streams.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click the + icon to add a new entry. 
  5. Enter a descriptive name in the upcoming dialog and click OK.
  6. Configure the following settings:
    • Active Streams – This parameter allows you to activate/deactivate the selected log stream profile. By default, for example when creating a new profile, this parameter is set to yes.
    • Log Destinations – Here the available log destinations (defined in the section Logstream Destinations) can be selected.
    • Log Filters – Here the available log patterns (defined in the section Logdata Filters) can be selected. 
  7. Click Send Changes and Activate.
