Adding Export Log Servers
To add export log servers, navigate to the ADVANCED > Export Logs page, Export Logs section. You can configure a maximum of five (5) export log servers (i.e., Syslog NG, AMQP, AMQPS, and/or Azure Event Hub). All the logs (that is, system logs, web firewall logs, access logs, audit logs, and network firewall logs) are sent to the configured export log servers. See Steps To Add an Export Log Server.
If you are running syslog on a UNIX machine, be sure to start the syslog daemon process with the “-r” option so it can receive messages from external sources. Windows users require additional software to utilize syslog since the Windows OS does not include the syslog capability. Kiwi Syslog is a popular solution, but there are many others to choose from, both free and commercial.
Log messages are sent over UDP, TCP, or SSL. If there are any firewalls between the Barracuda Web Application Firewall and the configured export log servers, ensure that the respective port is open on those firewalls.
The Barracuda Web Application Firewall enables you to add the following log servers to export the logs:
- Syslog Server
- Cloud Syslog Service
- AMQP/AMQPS Server
- Event Hub
- Reporting Server
- Microsoft Azure OMS
Add a Syslog Server
- Go to the ADVANCED > Export Logs page.
- In the Export Logs section, click Add Export Log Server. The Add Export Log Server window opens. Specify values for the following:
- Name – Enter a name for the syslog NG server.
- Log Server Type – Select Syslog NG.
- IP Address or Hostname – Enter the IP address or the hostname of the syslog NG server.
- Port – Enter the port associated with the IP address of the syslog NG server.
- Connection Type – Select the connection type used to transmit the logs from the Barracuda Web Application Firewall to the syslog server. UDP is the default connection type for syslog communication. UDP, TCP, or SSL can be used with a Syslog NG server.
- Validate Server Certificate – Set to Yes to validate the syslog server certificate using the internal bundle of Certificate Authority (CA) certificates packaged with the system. If set to No, any certificate from the syslog server is accepted.
- Client Certificate – When set to Yes, the Barracuda Web Application Firewall presents the certificate while connecting to the syslog server.
- Certificate – Select a certificate for the Barracuda Web Application Firewall to present when connecting to the syslog server. Certificates can be uploaded on the BASIC > Certificates page. For more information on how to upload a certificate, see How to Add an SSL Certificate.
- Log Timestamp and Hostname – Set to Yes if you want to log the date and time of the event, and the hostname configured on the BASIC > IP Configuration > Domain Configuration section.
- Click Add.
Add a Cloud Syslog Service
Sumo Logic
- Go to the ADVANCED > Export Logs page.
- In the Add Export Log Server window, specify values for the following:
- Name – Enter a name for the Sumo Logic service.
- Log Server Type – Select Cloud Syslog Service.
- IP Address or Hostname – Enter the IP address or the hostname of the Sumo Logic service. For example: syslog.collection.your_deployment.sumologic.com
- Port – Enter the port associated with the IP address of the Sumo Logic service. The default port is 6514.
- Token – Enter the token for Sumo Logic service.
- For example: 9HFxoa6+lXBmvSM9koPjGzvTaxXDQvJ4POE/WCURPAo+w4H7PmZm8H3mSEKxPl0Q@41123, where the number "41123" is the Sumo PEN and is included as part of the customer token.
- Log Timestamp and Hostname – Set to Yes if you want to log the date and time of the event, and the hostname configured on the BASIC > IP Configuration > Domain Configuration section.
- Comment – (Optional) Enter a comment about the new setting.
- Click Add.
Loggly
- Go to the ADVANCED > Export Logs page.
- In the Add Export Log Server window, specify values for the following:
- Name – Enter a name for the Loggly service.
- Log Server Type – Select Cloud Syslog Service.
- IP Address or Hostname – Enter the IP address or the hostname of the Loggly service. For example: logs-01.loggly.com
- Port – Enter the port associated with the IP address of the Loggly service.
- Token – Enter the token for Loggly service.
- For example: 0a7c8023-92a7-4c9c-90f3-2d18453fdafa@41058, where 41058 is the Loggly ID that should be mentioned after the token.
- Log Timestamp and Hostname – Set to Yes if you want to log the date and time of the event, and the hostname configured on the BASIC > IP Configuration > Domain Configuration section.
- Comment – (Optional) Enter a comment about the new setting.
- Click Add.
Add an AMQP/AMQPS Server
- Go to the ADVANCED > Export Logs page.
- In the Export Logs section, click Add Export Log Server. The Add Export Log Server window opens. Specify values for the following:
- Name – Enter a name for the AMQP server.
- Log Server Type – Select AMQP/AMQPS.
- IP Address or Hostname – Enter the IP address or the hostname of the AMQP/AMQPS server.
- Port – Enter the port associated with the IP address of the AMQP/AMQPS server.
- Username – Enter the username to be used to authenticate to the AMQP/AMQPS server.
- Password – Enter the password to be used for the above user account.
- Event Queue Name – Enter the queue name configured on the AMQP/AMQPS server to which the logs need to be exported.
- Log Timestamp and Hostname – Set to Yes if you want to log the date and time of the event, and the hostname configured on the BASIC > IP Configuration > Domain Configuration section.
- Click Add.
Add an Azure Event Hub
- Go to the ADVANCED > Export Logs page.
- In the Export Logs section, click Add Export Log Server. The Add Export Log Server window opens. Specify values for the following:
- Name – Enter a name for the Azure Event Hub.
- Log Server Type – Select Azure Event Hub.
- Policy Name – Enter the Microsoft Azure Event Hub policy name. Example: sendRule
- Policy SAS Key – Enter the Microsoft Azure Event Hub SAS key value. Example: d874XRvDafW2WdCJxb56jLfROE6d3ypdv307OvZwsvY=
- Service Bus Name – Enter the Microsoft Azure Event Hub service bus name.
- Event Hub Name – Enter the Microsoft Azure Event Hub name.
- Log Timestamp and Hostname – Set to Yes if you want to log the date and time of the event, and the hostname configured on the BASIC > IP Configuration > Domain Configuration section.
- Click Add.
Add a Microsoft Azure OMS Server
- In the Add Export Log Server window, specify values for the following:
- Name – Enter a name for the Microsoft Azure OMS server.
- Log Server Type – Select Microsoft Azure OMS to export the logs to Microsoft Azure OMS.
- OMS Workspace ID – Enter the workspace ID of the Microsoft Azure OMS portal. (The workspace ID is available in the Microsoft Operations Management Suite portal, Settings > Connected Sources > Linux Servers page.)
- OMS Primary Key – Enter the primary key of the Microsoft Azure OMS portal. (The primary key is available in the Microsoft Operations Management Suite portal, Settings > Connected Sources > Linux Servers page.)
- Log Event Type – Select the log events that need to be sent as custom logs to the Microsoft Azure OMS portal.
- All: When selected, the Barracuda Web Application Firewall sends all logs (Access Logs, Audit Logs, Web Firewall Logs, Network Firewall Logs, and System Logs) as custom logs to the Microsoft Azure OMS portal. In this case, Web Firewall Logs are also sent as CommonSecurityEvents logs.
- Web Firewall Logs: When selected, the Barracuda Web Application Firewall sends only Web Firewall Logs as CommonSecurityEvents logs to the Microsoft Azure OMS portal.
- Click Add.
Add the Barracuda Reporting Service
- In the Add Export Log Server window, specify values for the following:
- Name – Enter a name for the reporting service.
- Log Server Type – Select Barracuda Reporting Service to export the logs to the reporting server.
- IP Address or Hostname – Enter the IP address or the hostname of the reporting service.
- Password – Enter the password to be used to authenticate to the reporting service.
- Click Add.
Syslog Facility
Syslog receives different types of log messages. In order to differentiate and store them in distinct log files, log messages contain a logging priority and a logging facility in addition to the actual message and IP address.
All log messages are marked with one of the following facilities:
- local0
- local1
- local2
- local3
- local4
- local5
- local6
- local7
For each configured syslog server, you can associate a specific facility (default = local0) with each log type, so your syslog server can segregate the log of each type into a different file.
Configure Facilities for Different Log Types
- Navigate to the ADVANCED > Export Logs page.
- In the Export Logs section, click Export Log Settings. The Export Log Settings window opens.
- In the Syslog Settings section, select the appropriate facility (Local0 to Local7) from the drop-down list for each log type and click Save.
In the Export Log Settings window, you can do the following:
- Enable or disable the logs that need to be exported to the configured export log server(s) in the Export Log Settings section.
- Set the severity level to export web firewall logs and system logs to the configured export log server(s) in the Export Log Filters section. The Barracuda Web Application Firewall exports the logs based on the selected severity level. For example, if Web Firewall Log Severity is set to 2-Critical, then logs with 0-2 (i.e., 0-Emergency, 1-Alert and 2-Critical) are sent to the external log server.
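As an added example (Python, not Barracuda's code) of what the facility and severity settings above become on the wire: syslog packs both into a single PRI number, which is what a receiver's per-facility filters decode to separate the log types into files. The facility assignment and the threshold below are constructed sample settings; the severity names and local0 to local7 codes are the standard syslog ones.

```python
"""How the per-log-type facility from Syslog Settings and the severity
threshold from Export Log Filters appear on the wire: PRI = facility * 8 +
severity is the number a receiver decodes before applying its filters."""

# Standard syslog severities; the GUI lists them as "N-Name".
SEVERITIES = {
    0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
    4: "Warning", 5: "Notice", 6: "Information", 7: "Debug",
}
# local0..local7 are facility codes 16..23.
FACILITY_CODE = {f"local{i}": 16 + i for i in range(8)}
# Constructed example of the Syslog Settings drop-downs (the page's default
# is local0 for every log type).
FACILITY_BY_LOG_TYPE = {
    "Web Firewall Logs": "local1",
    "Access Logs": "local2",
    "Audit Logs": "local3",
    "Network Firewall Logs": "local4",
    "System Logs": "local0",
}

def severity_from_setting(setting: str) -> int:
    """Turn a GUI value such as '2-Critical' into its numeric level."""
    number, _, name = setting.partition("-")
    level = int(number)
    if SEVERITIES.get(level) != name:
        raise ValueError(f"unknown severity setting: {setting!r}")
    return level

def should_export(event_severity: int, threshold_setting: str) -> bool:
    """Export Log Filters semantics: an event is sent when its level is
    numerically <= the selected threshold (a lower number is more urgent)."""
    return event_severity <= severity_from_setting(threshold_setting)

def encode_pri(log_type: str, event_severity: int) -> int:
    """The number between '<' and '>' at the start of the syslog message."""
    facility = FACILITY_CODE[FACILITY_BY_LOG_TYPE[log_type]]
    return facility * 8 + event_severity

def decode_pri(pri: int) -> tuple:
    """Split PRI back into (facility name, severity name), as a receiver does."""
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, SEVERITIES[severity]

def receiver_file(pri: int) -> str:
    """Route a message by facility alone, the way one destination per
    facility on the syslog server separates the log types into files."""
    facility, _ = decode_pri(pri)
    log_type = {v: k for k, v in FACILITY_BY_LOG_TYPE.items()}[facility]
    return log_type.lower().replace(" ", "_") + ".log"

if __name__ == "__main__":
    for level, name in SEVERITIES.items():
        sent = should_export(level, "2-Critical")
        print(f"{level}-{name:<12} {'sent' if sent else 'dropped'}")
    pri = encode_pri("Web Firewall Logs", 1)
    print(f"<{pri}> -> {decode_pri(pri)} -> {receiver_file(pri)}")
```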
Configure Log Levels for Different Modules
- Navigate to the ADVANCED > Export Logs page.
- In the Module Log Levels section, specify values for the following fields:
- Name – Enter a name for the new setting.
- Module – Select a module name from the drop-down list.
- Log Level – Select a log level for the module from the drop-down list. By default, the log level is set to 0-Emergency. Note that the lower the level, the higher the priority and the more attention the log entry demands. For example, log levels 0-Emergency and 1-Alert are the highest priority situations, demanding more immediate response than 5-Notice or 6-Information.
- Comment – (Optional) Enter a comment about the new setting.
- Click Add to add the above settings.
Log Formats
You can customize the Web Firewall Logs, Access Logs, and Audit Logs formats sent to the syslog server. You can choose from the predefined log formats (Common Log Format, NCSA Extended Format, W3C Extended Format, or Default), or you can create a custom format. The steps to specify a custom format are given below.
Custom Log Format
Customize the Log Format for any Log Type (except System Logs)
- Navigate to ADVANCED > Export Logs page.
- In the Logs Format section, select Custom Format for any of the log types. The Custom Format can be defined in two ways:
- Specify "%" followed by a letter code. The codes and their meanings are given in the Table of Log Formats for each log type. For example, if you configure "%h %u %t %r %ua %ci" as the custom format, the output will be "Jan 13 16:19:22 wsf 192.168.132.211 /cgi-bin/process.cgi 2010-01-13 05:49:22.350 -0500 "-" "Wget/1.10.2 (Red Hat modified)" 192.168.128.7". OR,
- Specify the "name=value" format. For example, if you configure "host=%h url=%u time=%t ref=%r uagent=%ua src=%ci" as the custom format, the output will be "Jan 13 16:19:22 wsf host=192.168.132.211 url=/cgi-bin/process.cgi time=2010-01-13 05:49:22.350 -0500 ref="-" uagent="Wget/1.10.2 (Red Hat modified)" src=192.168.128.7". This format is used by some SIEM vendors such as ArcSight.
- Click Save to save the settings.
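An added example (Python, not from the Barracuda documentation) that renders both custom-format styles from the steps above, including the %header token set by the Syslog Header option, and parses the name=value output back into fields. The record values are constructed from the page's sample output and the header text "Barracuda" is an assumed setting; the "Jan 13 16:19:22 wsf" prefix is added by the syslog daemon, so it is not part of the rendered line.

```python
"""Render the two custom-format styles and parse name=value output back."""
import re

# Constructed record for the codes used in the page's example, plus the
# Syslog Header text that %header expands to.  Fields the WAF emits inside
# double quotes in the sample (%r and %ua) are stored quoted.
RECORD = {
    "header": "Barracuda",
    "h": "192.168.132.211",
    "u": "/cgi-bin/process.cgi",
    "t": "2010-01-13 05:49:22.350 -0500",
    "r": '"-"',
    "ua": '"Wget/1.10.2 (Red Hat modified)"',
    "ci": "192.168.128.7",
}

def render(template: str, record: dict) -> str:
    """Expand %codes in `template`.  Longest codes are tried first and a code
    must end at a non-alphanumeric boundary, so %ua is never read as %u + 'a'
    and an unknown code is left untouched rather than half-expanded."""
    codes = sorted(record, key=len, reverse=True)
    pattern = re.compile("%(" + "|".join(map(re.escape, codes)) + r")(?![A-Za-z0-9])")
    return pattern.sub(lambda m: record[m.group(1)], template)

# A value is either double-quoted (may contain spaces) or runs up to the next
# ' name=' token, so an unquoted time=... value keeps its embedded spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s+\w+=|$)')

def parse_name_value(line: str, template: str = "") -> dict:
    """Parse name=value output.  Given the template that produced the line,
    the names are mapped back to their %codes (host -> h, uagent -> ua)."""
    fields = dict(_KV_RE.findall(line))
    if not template:
        return fields
    name_to_code = dict(re.findall(r"(\w+)=%([A-Za-z0-9]+)", template))
    return {name_to_code.get(name, name): value for name, value in fields.items()}

if __name__ == "__main__":
    print(render("%header %h %u %t %r %ua %ci", RECORD))
    kv_template = "host=%h url=%u time=%t ref=%r uagent=%ua src=%ci"
    kv_line = render(kv_template, RECORD)
    print(kv_line)
    print(parse_name_value(kv_line, kv_template))
```

An unquoted value that itself contains " word=" would be split by the parser; the page's sample only has that shape inside the quoted user agent.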
Log Format Separators
When defining log formats, you can use a space as the separator between fields for the Web Firewall Logs Format, Access Logs Format, and Audit Logs Format.
For the Access Logs Format, you can also use the pipe (|) or semicolon (;) separator. Fields can be separated by a single separator or by a combination of space, pipe, and semicolon separators.
For information on how to manage these logs, see the documentation available for your syslog server.
Configure Logs Format
- Go to the ADVANCED > Export Logs page.
- In the Logs Format section, specify values for the following fields:
- Syslog Header – Specify a header format, which will be displayed when %header is used in the logs format. For example, consider the header format is "Barracuda", and the defined custom format is "%header %h %u %t %r %ua %ci". The output will be "Barracuda Jan 13 16:19:22 wsf 192.168.132.211 /cgi-bin/process.cgi 2010-01-13 05:49:22.350 -0500 "-" "Wget/1.10.2 (Red Hat modified)" 192.168.128.7". Values:
- ArcSight Log Header – Uses this header format in the logs format.
- QRadar Log Header – Uses this header format in the logs format.
- Custom Header – Define a custom header format to be used in the logs format.
- Web Firewall Logs Format – Select the format in which the Web firewall logs should be sent to the export log server. Values:
- Default – The default Web firewall log format defined by the Barracuda Web Application Firewall.
- CEF:0 (ArcSight) – The Common Event Format (CEF) log used by ArcSight.
- HPE ArcSight CEF:0 – The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
- LEEF1.0 (QRadar) – The Log Event Enhanced Format (LEEF) log used by QRadar.
- Symantec SIM – The default log format used by Symantec SIM.
- RSA enVision – The default log format used by RSA enVision.
- Microsoft Azure OMS – The default log format used by Microsoft Azure OMS.
- Splunk – The default log format used by Splunk.
- Custom Format – Define a custom log format using the values displayed under Web Firewall Logs in the Table of Log Formats.
- Access Logs Format – Select the format in which the access logs should be sent to the export log server. Values:
- Default – The default access log format defined by the Barracuda Web Application Firewall.
- Common Log Format – The default format for logged HTTP information.
- NCSA Extended Format – The Common Log Format appended with referer and agent information.
- W3C Extended Format – The default log format used by Microsoft Internet Information Server (IIS).
- CEF:0 (ArcSight) – The Common Event Format (CEF) log used by ArcSight.
- HPE ArcSight CEF:0 – The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
- LEEF1.0 (QRadar) – The Log Event Enhanced Format (LEEF) log used by QRadar.
- Symantec SIM – The default log format used by Symantec SIM.
- RSA enVision – The default log format used by RSA enVision.
- Splunk – The default log format used by Splunk.
- Microsoft Azure OMS – The default log format used by Microsoft Azure OMS.
- Custom Format – Define a custom log format using the values displayed under Access Logs in the Table of Log Formats.
- Audit Logs Format – Select the format in which the audit logs should be sent to the export log server. Values:
- Default – The default audit logs format defined by the Barracuda Web Application Firewall.
- CEF:0 (ArcSight) – The Common Event Format (CEF) log used by ArcSight.
- HPE ArcSight CEF:0 – The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
- LEEF1.0 (QRadar) – The Log Event Enhanced Format (LEEF) log used by QRadar.
- Symantec SIM – The default log format used by Symantec SIM.
- RSA enVision – The default log format used by RSA enVision.
- Splunk – The default log format used by Splunk.
- Microsoft Azure OMS – The default log format used by Microsoft Azure OMS.
- Custom Format – Define a custom log format using the values displayed under Audit Logs in the Table of Log Formats.
- Network Firewall Logs Format – Select the format in which the network firewall logs should be sent to the export log server. Values:
- Default – The default network firewall logs format defined by the Barracuda Web Application Firewall.
- HPE ArcSight CEF:0 – The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
- Custom Format – Define a custom log format using the values displayed under Network Firewall Logs in the Table of Log Formats.
- System Logs Format – Select the format in which the system logs should be sent to the export log server. Values:
- Default – The default system logs format defined by the Barracuda Web Application Firewall.
- CEF:0 (ArcSight) – The Common Event Format (CEF) log used by ArcSight.
- HPE ArcSight CEF:0 – The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
- LEEF1.0 (QRadar) – The Log Event Enhanced Format (LEEF) log used by QRadar.
- Symantec SIM – The default log format used by Symantec SIM.
- RSA enVision – The default log format used by RSA enVision.
- Splunk – The default log format used by Splunk.
- Microsoft Azure OMS – The default log format used by Microsoft Azure OMS.
- Custom Format – Define a custom log format using the values displayed under System Logs in the Table of Log Formats.
- Click Save.
The sections below describe the formats of the logs and elements sent over in each type of the event generated by the Barracuda Web Application Firewall. Please be aware that syslog implementations vary, and may not display the messages in this exact format. However, these sections should be present in the syslog lines.
System Logs
The default log format for the events generated by the Barracuda Web Application Firewall system is as follows:
%t %un %lt %md %ll %ei %ms
For information on default log formats and their meanings, see the table below.
Example:
2014-05-20 00:54:44.627 -0700 WAF1 SYS ADMIN_M ALER 51001 Account has been locked for user Kevin because the number of consecutive log-in failures exceeded the maximum allowed
Detailed Description
The following table describes each element of a system log with respect to the above example:
Web Firewall Logs
All the actions/events on the web firewall are logged under Web Firewall Logs. These logs help the administrator to analyze the traffic for suspicious activity and also fine-tune the web firewall policies.
Navigate to the BASIC > Web Firewall Logs page to view the generated log messages. This log data is obtained from the log database on the Barracuda Web Application Firewall itself. As noted above, the external syslog server IP for these logs is specified under ADVANCED > Export Logs > Syslog. Over syslog, every log in the Barracuda Web Application Firewall has a level associated with it, which indicates the severity of the logs. An administrator can configure what level of logs should be recorded for each service by editing the service under the BASIC > Services page.
The default log format for Web Firewall Logs:
%t %un %lt %sl %ad %ci %cp %ai %ap %ri %rt %at %fa %adl %m %u %p %sid %ua %px %pp %au %r
IPv4 Example:
2014-04-11 10:50:30.411 +0530 wafbox1 WF ALER PRE_1_0_REQUEST 99.99.1.117 34006 99.99.109.2 80 global GLOBAL LOG NONE [POST /index.cgi] POST 99.99.109.2/index.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0" 99.99.1.117 34005 Kevin http://99.99.109.2/index.cgi
IPv6 Example:
2014-04-11 10:52:01.579 +0530 wafbox1 WF ALER PRE_1_0_REQUEST 2001::117 43655 2001::1:109 80 global GLOBAL LOG NONE [POST /index.cgi] POST 2001::1:109/index.cgi HTTP REQ-0+RES-0 "Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0" 2001::117 43654 Kevin http://2001::109/index.cgi
Detailed Description
The following table describes each element of a web firewall log with respect to the above example:
Access Logs
All web traffic activities are logged under the Access Logs. These logs help the administrator to obtain information about the website traffic and performance.
The BASIC > Access Logs page allows you to view the generated log messages stored on the Barracuda Web Application Firewall in a log database.
The default log format for Access Logs:
%t %un %lt %ai %ap %ci %cp %id %cu %m %p %h %v %s %bs %br %ch %tt %si %sp %st
%sid %rtf %pmf %pf %wmf %u %q %r %c %ua %px %pp %au %cs1 %cs2 %cs3
IPv4 Example:
2014-04-11 12:04:04.735 +0530 wafbox1 TR 99.99.109.2 80 99.99.1.117 34065 "-" "-" GET HTTP 99.99.106.25 HTTP/1.1 200 2829 232 0 1127 10.11.25.117 80 21 REQ-0+RES-0 SERVER DEFAULT PASSIVE VALID /index.html name=srawat http://99.99.109.2/index.cgi namdksih=askdj "Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0" 99.99.1.117 34065 John gzip,deflate 99.99.1.128 keep-alive
IPv6 Example:
2014-04-11 12:11:24.964 +0530 wafbox1 TR 2001::1:109 80 2001::117 43740 "-" "-" GET HTTP 2001::1:109 HTTP/1.1 200 2837 232 0 1008 2001::117 80 10 REQ-0+RES-0 SERVER DEFAULT PASSIVE VALID /index.html name=srawat http://2001::1:109/index.cgi namdksih=askdj "Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0" 2001::117 43740 John gzip,deflate 2001::128 keep-alive
Detailed Description
The table below describes each element of an access log with respect to the above example:
Audit Logs
The audit logs record the activity of the users logged in to the GUI of the Barracuda Web Application Firewall for the purpose of administration. These logs are visible on the BASIC > Audit Logs page and are also stored on the Barracuda Web Application Firewall in its native database. Additionally, when the administrator chooses an external remote syslog server through the configuration available at ADVANCED > Export Logs, these logs are streamed to the remote syslog servers with the priority as INFO.
The default log format for Audit Logs:
%t %un %lt %an %ct %li %lp %trt %tri %cn %cht %ot %on %var %ov %nv %add
IPv4 Example:
2014-02-24 09:05:17.764 -0800 wafbox1 AUDIT Adam GUI 10.11.18.121 24784 CONFIG 166 config SET virtual_ip_config_address 99.99.130.45 virtual_ip_config_interface "" "WAN" []
IPv6 Example:
2014-02-24 10:05:17.764 -0800 wafbox1 AUDIT Adam GUI 2001::117 23390 CONFIG 196 config SET virtual_ip_config_address 2001::2:109 virtual_ip_config_interface "" "WAN" []
Detailed Description
The table below describes each element of an audit log with respect to the above example:
Network Firewall Logs
The network traffic passing through the interfaces (WAN, LAN, and MGMT) that matches a configured Network ACL rule is logged under Network Firewall Logs. The log entries provide information about every packet that the Barracuda Web Application Firewall has allowed or denied based on the Action specified in the ACL rule. Using this information, you can identify where the network traffic originated, where it was destined for, and the action applied. These log entries can be viewed on the ADVANCED > Network Firewall Logs page.
The default log format for Network Firewall Logs:
%t %un %lt %sl %p %si %sp %di %dp %act %an %dsc
IPv4 Example:
2014-05-20 00:56:42.195 -0700 WAF1 NF INFO TCP 99.99.1.117 52676 99.99.79.2 80 ALLOW testacl MGMT/LAN/WAN interface traffic:allow
IPv6 Example:
2014-05-20 02:51:36.455 -0700 WAF1 NF INFO TCP 2001:4528::231 46739 2001:4528:2::79 80 ALLOW testacl MGMT/LAN/WAN interface traffic:allow
Detailed Description
The table below describes each element of a network firewall log with respect to the above example:
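An added example (Python, not Barracuda's code) that tokenizes the default formats above generically rather than one log type at a time: quoted and bracketed fields keep their inner spaces, %t spans three tokens, and the final field takes the rest of the line, which is what the free-text %dsc and %ms fields in the examples need. The format strings and sample lines are the page's own; only the codes are mapped, not their meanings.

```python
"""Tokenizer for the Barracuda default log formats shown on this page."""
import re

# One token per field.  The curly-quote alternative covers the quoting seen
# in some renderings of the page's IPv4 web firewall example.
_TOKEN_RE = re.compile(r'"[^"]*"|\u201c[^\u201d]*\u201d|\[[^\]]*\]|\S+')

# Fields that span more than one whitespace-separated token.
_WIDTH = {"t": 3}   # date, time, UTC offset

def parse_default(fmt: str, line: str) -> dict:
    """Map each %code in `fmt` to its value in `line`.

    Every field except the last has a fixed width; the last one absorbs
    whatever remains (joined with single spaces), which is how %dsc and
    %ms carry free text.  A line too short for its format raises, which is
    the usual symptom of a format/receiver mismatch."""
    codes = [c.lstrip("%") for c in fmt.split()]
    tokens = _TOKEN_RE.findall(line)
    fields, pos = {}, 0
    for code in codes[:-1]:
        width = _WIDTH.get(code, 1)
        if pos + width > len(tokens):
            raise ValueError(f"line ended before field %{code}")
        fields[code] = " ".join(tokens[pos:pos + width])
        pos += width
    if pos >= len(tokens):
        raise ValueError(f"line ended before field %{codes[-1]}")
    fields[codes[-1]] = " ".join(tokens[pos:])
    return fields

# Default formats and sample lines as given on the page.
WF_FMT = ("%t %un %lt %sl %ad %ci %cp %ai %ap %ri %rt %at %fa %adl "
          "%m %u %p %sid %ua %px %pp %au %r")
WF_LINE = ('2014-04-11 10:50:30.411 +0530 wafbox1 WF ALER PRE_1_0_REQUEST '
           '99.99.1.117 34006 99.99.109.2 80 global GLOBAL LOG NONE '
           '[POST /index.cgi] POST 99.99.109.2/index.cgi HTTP REQ-0+RES-0 '
           '"Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0" '
           '99.99.1.117 34005 Kevin http://99.99.109.2/index.cgi')
NF_FMT = "%t %un %lt %sl %p %si %sp %di %dp %act %an %dsc"
NF_LINE = ('2014-05-20 00:56:42.195 -0700 WAF1 NF INFO TCP 99.99.1.117 52676 '
           '99.99.79.2 80 ALLOW testacl MGMT/LAN/WAN interface traffic:allow')

if __name__ == "__main__":
    for code, value in parse_default(WF_FMT, WF_LINE).items():
        print(f"%{code:<4} {value}")
    print(parse_default(NF_FMT, NF_LINE)["dsc"])
```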
Table of Log Formats
The following table describes names and values for each log: