- Elasticsearch is used for search and data analytics
- Logstash is used for centralized logging and parsing
- Kibana is used for data visualizations
This article provides details on how to set up the ELK version 7.2.0 with the Barracuda Web Application Firewall. This integration allows administrators to search and visualize the logs generated by the Barracuda Web Application Firewall systems on ELK.
Step 1: Set up the ELK Stack
Installing the ELK Stack
You can install each of these tools either on different servers/virtual machines or on a single instance. You can also configure them to communicate with your existing applications. For more information on how to install and deploy the ELK Stack, refer to the Elastic website.
A single node ELK deployment running Ubuntu 16.04 server LTS is shown below as an example.
Installing NGinx to front-end Kibana
By default, Kibana listens on port 5601. NGINX can be used to proxy this traffic and expose the Kibana UI on port 80.
Installing Java JRE
Java is a prerequisite for running Logstash and must be installed on the server.
Downloading ELK v7.x Latest
Installing ELK
Configuring NGINX
Set up the NGinx conf file under /etc/nginx/sites-available/default as follows:
Configuring Logstash
Logstash pipeline processing is configured through a pipeline configuration file and is placed in the default location /etc/logstash/conf.d/. The file includes input, output, and filter elements to ensure that the Barracuda Web Application Firewall logs are processed by Logstash and sent to the Elasticsearch system. It also allows Elasticsearch to create separate indexes for web firewall logs, access logs, audit logs, system logs, and network firewall logs.
Type of Log | Index Name |
---|---|
Web Firewall Logs (WF) | web_firewall_logs |
Access Logs (TR) | access_logs |
Audit Logs (AUDIT) | audit_logs |
Network Firewall Logs (NF) | network_firewall_logs |
Download the Logstash pipeline configuration file "waf.conf" and move it to the /etc/logstash/conf.d/ location.
The "waf.conf" pipeline includes a file output section that is used for debugging and related tasks: every log event received from the Barracuda Web Application Firewall is appended to this file. Create the output file as /home/logstash/output.txt and ensure that the Logstash user has write permission on it.
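A minimal pipeline in the shape the text describes (UDP input on 1514, routing of each log type to its own index from the table above, and the debug file output), written here as an added example and not the downloadable waf.conf itself. It assumes the ArcSight header is a CEF header whose fifth field carries the log type code, and that the CEF extension names the client address "src"; both are assumptions, not taken from the page.

```logstash
input {
  # The WAF sends syslog to this host on UDP 1514 (configured in Step 2).
  udp {
    port => 1514
  }
}

filter {
  # Assumption: with "ArcSight Log Header" each message carries a CEF header,
  # CEF:0|Barracuda|WAF|<version>|<log type>|<name>|<severity>|<extension>,
  # and the fifth field holds the log type code (WF, TR, AUDIT, NF).
  grok {
    match => { "message" => "CEF:0\|%{DATA:cef_vendor}\|%{DATA:cef_product}\|%{DATA:cef_version}\|%{DATA:log_type}\|%{DATA:cef_name}\|%{DATA:cef_severity}\|%{GREEDYDATA:cef_extension}" }
    tag_on_failure => ["_waf_header_unparsed"]
  }
  # Choose the index from the log type (index names from the table above).
  # System logs and anything unrecognised go to a catch-all index so that
  # nothing is silently dropped and parsing failures stay visible in Kibana.
  if [log_type] == "WF" {
    mutate { add_field => { "[@metadata][index]" => "web_firewall_logs" } }
    # The extension is CEF key=value pairs; assumes the client IP is in "src".
    # Values containing spaces would need extra handling beyond this kv split.
    kv { source => "cef_extension" }
    geoip { source => "src" }
  } else if [log_type] == "TR" {
    mutate { add_field => { "[@metadata][index]" => "access_logs" } }
  } else if [log_type] == "AUDIT" {
    mutate { add_field => { "[@metadata][index]" => "audit_logs" } }
  } else if [log_type] == "NF" {
    mutate { add_field => { "[@metadata][index]" => "network_firewall_logs" } }
  } else {
    mutate { add_field => { "[@metadata][index]" => "waf_unclassified_logs" } }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][index]}"
  }
  # Debug copy of every event, appended to the file created under /home/logstash/.
  file {
    path => "/home/logstash/output.txt"
  }
}
```

The geoip filter writes geoip.location, which only renders on the Attack_Origins map once the index template from the Configuring Elasticsearch step maps it as geo_point. UDP syslog is unauthenticated and unencrypted, so restrict port 1514 on the ELK host to the WAF's address with a host firewall.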
Restart Logstash
Configuring Elasticsearch
Create Index Template for Creating the GEOIP Mapping
Alternatively, send the request from the Dev Tools console in the Kibana UI.
Configuring Kibana
Kibana visualizations are used to create graphs and dashboards for better visibility of the logs. Administrators create the Kibana visualizations by importing the newline-delimited JSON file downloaded from "kibana.ndjson".
- Log into the Kibana web interface.
- Navigate to Management > Saved Objects and then upload this file.
Restart ELK services
Verify that all the following services are running:
- Logstash listens on UDP 1514
- Elasticsearch listens on TCP 9200
- Kibana listens on TCP 5601
- NGINX listens on port 80
Step 2: Configure the Barracuda Web Application Firewall to Send Logs to Logstash Service
Perform the following steps to configure the Barracuda Web Application Firewall:
- Log into the Barracuda Web Application Firewall web interface.
- Go to the ADVANCED > Export Logs page.
- In the External Log Servers section, click Add Log Server.
- In the Add Syslog Server page, edit the following settings:
- Name – Enter a name for the export log server.
- Log Server Type – Select Syslog NG.
- IP Address or Hostname – Enter the IP address or the hostname of the Logstash or ELK server.
- Port – Enter the port number associated with the IP address of the Logstash or ELK server. By default, Logstash listens on port 1514 over UDP.
- Specify values for other parameters as required and click Add.
- In the Logs Format section, edit the following settings:
- Syslog Header – Select ArcSight Log Header.
- Web Firewall Logs Format – Select Custom Format and add the log format given below:
- Access Logs Format – Select Custom Format and add the log format given below:
- Audit Logs Format – Select Custom Format and add the log format given below:
- Network Firewall Logs Format – Select Custom Format and add the log format given below:
- System Logs Format – Select Custom Format and add the log format given below:
- Click Save.
With the above configuration, the Barracuda Web Application Firewall will start to send the log events to Logstash. This can be verified by checking the output file, for example, output.txt, under /home/logstash/ on the ELK server.
Step 3: Create the Index Patterns
- Log into the Kibana user interface.
- Navigate to the Management section, and then click Index Patterns.
- Create index patterns for each of the WAF log types.
Step 4: Access the Kibana Web Interface to View the Logs
- Kibana can be accessed through NGINX at http://<server>/app/kibana. The Discover tab displays the logs in detail.
- Navigate to the Visualize and Dashboard tabs to view the following nine saved visualizations:
- Attack_Origins: Displays the geographical location from where the attacks originated.
- Attacks: Displays the attack type and the total count for the attack type in the selected time frame.
- Attacks_Last_Day: Displays all attack types and the count for all attacks in the last day.
- Attacks_Last_Hour: Displays all attack types and the count for all attacks in the last hour.
- Response_Time_Graph: Displays the average response time taken by each service.
- Top_Attacked_Domains: Displays the count of top attacked domains based on the number of times each service has been attacked.
- Top_Attacked_URLs: Displays the count of top attacked URLs based on the number of times each URL has been attacked.
Points to Remember
- By default, Elasticsearch and Kibana listen on localhost only; adjust the listen addresses in 'elasticsearch.yml' and 'kibana.yml' as your deployment requires.
- By default, Elasticsearch listens on port 9200 over tcp6 (IPv6). To make it listen over IPv4 instead, add the following line to the /etc/elasticsearch/jvm.options file and restart Elasticsearch: -Djava.net.preferIPv4Stack=true