Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Splunk Integration


Splunk is a third-party platform for operational intelligence that allows you to monitor websites, application servers, and networks. The Barracuda NextGen Firewall F-Series app shows information on matched access rules, detected applications, and applied URL filter policies on various fixed and real-time timelines. Data is imported into Splunk via syslog streaming of the Firewall activity log. Currently, Splunk versions 6.0, 6.1 and 6.2 are supported.

splunk_top.png


Before you Begin

Step 1. Configure Syslog Streaming on a Barracuda NextGen Firewall F

Configure and enable syslog streaming for every Barracuda NextGen Firewall F-Series you want to include in the Splunk App.

Step 1.1. Enable Syslog Streaming
  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
  2. Click Lock.
  3. Set Enable the Syslog service to yes.
    splunk_syslog01.png
  4. Click Send Changes and Activate.

Step 1.2. Configure Logdata Filters

Define profiles specifying the log file types to be transferred / streamed.

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Filters.
  3. Click Lock.
  4. Click the + icon to add a new filter. 
  5. Enter a Name and click OK. The Filters window opens.
  6. Click + in the Data Selection table and select Firewall_Audit_Log.

    Fatal_log and Panic_log data can also be streamed to the Splunk server, but are currently not processed by the Barracuda NextGen Firewall F-Series Splunk app.

  7. In the Affected Box Logdata section select Selection from the Data Selector dropdown.
  8. Click + to add a Data Selection. The Data Selection window opens.
  9. Enter a Name and click OK.
  10. In the Log Groups table, click + and select Firewall-Activity-Only from the list.
    splunk_syslog01a.png

  11. Click OK.
  12. In the Affected Service Logdata section, select None from the Data Selector dropdown.
  13. Click OK.
    splunk_syslog02.png
  14. Click Send Changes and Activate.
Step 1.3. Configure the Logstream Destinations

Configure the data transfer settings for the Splunk server. You can optionally choose to send all syslog data via an SSL-encrypted connection.

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logstream Destinations.
  3. Click Lock.    
  4. Click + in the Destinations table. The Destinations window opens.
  5. Configure the Splunk server logstream destination:
    • Remote Loghost – Select explicit-IP
    • Loghost IP Address – Enter the IP address of the Splunk server.   

    • Loghost Port – Enter 5140 for plaintext or 5141 for SSL-encrypted connections.

      The Barracuda NextGen Firewall F-Series app can only process syslog data received on port 5140 (unencrypted) or port 5141 (SSL-encrypted).

    • Transmission Mode – Select TCP or UDP (only for unencrypted connections).

    • (optional) Sender IP – Enter the management IP address of the Barracuda NextGen Firewall F-Series, or leave blank to let the NextGen Firewall F-Series determine the sender IP address by a routing lookup.
    • (optional) Use SSL Encapsulation – Select yes to send the syslog stream over an SSL-encrypted connection.
    • (optional) Peer SSL Certificate – Import the SSL certificate configured on the Splunk server for this data import. 

      Configure the Splunk server to receive SSL-encrypted connections. For more information, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf.

    • Override Node Name – Select no
  6. Click OK.
    splunk_syslog03.png
  7. Click Send Changes and Activate.
Step 1.4. Configure Logdata Streams

Create a logdata stream configuration combining the previously configured Log Destinations and Log Filters.

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Streams.
  3. Click Lock.
  4. Click + in the Streams table.
  5. Enter a Name and click OK. The Streams window opens.
  6. In the Log Destinations table, click + and select the Log Destination created in Step 1.3.
  7. In the Log Filters table, click + and select the Log Filter created in Step 1.2.
    splunk_syslog04.png
  8. Click OK.
  9. Click Send Changes and Activate.

All firewall log data is now being streamed to the Splunk server.

Step 2. Configure the Data Input on Splunk

The Splunk server must be configured to receive the syslog data. Verify that you have a Data input entry for TCP or UDP port 5140 or TCP port 5141 (SSL) that listens for the incoming syslog streaming connections. You must use port 5140/5141 because the Barracuda NextGen Firewall F-Series Splunk app can only process data received on these ports. For more information, see http://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Monitornetworkports.

Step 3. (optional) Enable SSL Encryption for Barracuda NextGen Firewall F-Series Splunk App

If you want to encrypt the connections to Splunk with SSL, you must modify the inputs.conf configuration file of the Barracuda NextGen Firewall F-Series Splunk App.

  1. Copy your SSL certificates to /opt/splunk-6.2/etc/auth/server.pem and /opt/splunk-6.2/etc/auth/box-cert.pem.
  2. Login to the Splunk server via SSH.
  3. Edit $SPLUNK_HOME/etc/apps/BarracudaNGFirewall/default/inputs.conf and add a section for SSL:

    [SSL]
    serverCert = /opt/splunk-6.2/etc/auth/server.pem
    password = password
    requireClientCert = true
    rootCA = /opt/splunk-6.2/etc/auth/box-cert.pem

  4. Restart Splunk. 

Certificate Troubleshooting

If you see log messages containing the string "alert bad certificate" in the bsyslog log file, the rootCA certificate is either missing or invalid. Set requireClientCert to false to disable the certificate check.

2014 12 16 09:43:34 Notice   +01:00 Syslog connection established; fd='14', server='AF_INET(127.0.0.1:6224)', local='AF_INET(0.0.0.0:0)'
2014 12 16 09:43:34 Error    +01:00 [18697:4146318224] SSL_connect:14094412: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
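As an added example that is not Barracuda's or Splunk's own code, and that serves both Step 2 and Step 3: a small Python check over inputs.conf that verifies a listener exists on port 5140 or 5141 and, when 5141 is in use, that the [SSL] stanza's certificate files are present and requireClientCert is still true (the troubleshooting workaround above turns the firewall's certificate check off, so it is worth catching in review). The sample file, including its [tcp-ssl:5141] listener stanza, is constructed for this example.

```python
"""Check a Splunk inputs.conf for the Barracuda syslog-streaming setup:
a listener on 5140/5141 and, for SSL, a sane [SSL] stanza.
Added example; not Barracuda's or Splunk's own code."""
import configparser
import os

# Constructed sample: the [SSL] stanza from Step 3 plus an SSL listener on 5141.
SAMPLE_INPUTS_CONF = """\
[tcp-ssl:5141]
disabled = 0

[SSL]
serverCert = /opt/splunk-6.2/etc/auth/server.pem
password = password
requireClientCert = true
rootCA = /opt/splunk-6.2/etc/auth/box-cert.pem
"""

APP_PORTS = {"5140", "5141"}  # the only ports the Barracuda app processes


def parse_inputs_conf(text):
    """Return {stanza: {key: value}}; key case is preserved (Splunk keys are case-sensitive)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def listener_ports(conf):
    """Ports declared by [tcp://N], [udp://N] and [tcp-ssl:N] stanzas."""
    ports = set()
    for name in conf:
        for prefix in ("tcp://", "udp://", "tcp-ssl:"):
            if name.startswith(prefix):
                ports.add(name[len(prefix):].split(":")[-1])
    return ports


def check_inputs_conf(conf, path_exists=os.path.exists):
    """Return a list of findings; an empty list means the config meets the article's requirements.
    path_exists is injectable so the check can run without the real certificate files."""
    findings = []
    ports = listener_ports(conf)
    if not ports & APP_PORTS:
        findings.append("no listener on 5140 or 5141: the Barracuda app will not see the stream")
    ssl = conf.get("SSL", {})
    if "5141" in ports:
        for key in ("serverCert", "rootCA"):
            value = ssl.get(key)
            if not value:
                findings.append(f"[SSL] {key} missing: Splunk cannot terminate SSL on 5141")
            elif not path_exists(value):
                findings.append(f"[SSL] {key} file not found: {value}")
        if ssl.get("requireClientCert", "false").lower() != "true":
            findings.append("[SSL] requireClientCert is not true: the firewall's certificate is "
                            "not verified, so any host that reaches 5141 can inject log data")
    return findings
```

Run it against the real file with `check_inputs_conf(parse_inputs_conf(open(path).read()))`; a missing rootCA file is the case behind the "alert bad certificate" message above.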

Step 4. Enable Application Logging in the Firewall

Application data is collected on a per-access rule basis. Set the Application Log Policy to Log All Applications in the Advanced Firewall Rule Settings for each access rule that matches traffic you want to include in the data collected on the Splunk server. For more information, see Advanced Access Rule Settings.

splunk_app_logging1.png

Step 5. The Barracuda NextGen Firewall F-Series Splunk App

Log into Splunk, and click on the Barracuda NextGen Firewall F-Series app on the Splunk dashboard. Select the Barracuda NextGen Firewall F-Series from the Select Host dropdown menu, and then select the time span for the query.

splunk_select1.png

Barracuda NextGen Firewall F-Series Dashboard

The app allows you to display connection information for a fixed time period or in real time, per Barracuda NextGen Firewall F-Series host.

splunk_dash1.png

splunk_dash2.png

Barracuda NextGen Firewall F-Series Applications

Click on the Applications tab of the Barracuda NextGen Firewall F-Series Splunk plugin to view Application Control 2.0 data, such as detected and blocked applications and websites blocked by URL Filter policies.

splunk_app1.png

splunk_app2.png
