Barracuda Web Application Firewall
The JSA DSM for Barracuda Web Application Firewall collects syslog LEEF and custom events from Barracuda Web Application Firewall devices.
The following table identifies the specifications for the Barracuda Web Application Firewall DSM:
Specification |
Value |
---|---|
Manufacturer |
Barracuda |
DSM name |
Web Application Firewall |
RPM file name |
DSM-BarracudaWebApplicationFirewall-JSA_version-build_number.noarch.rpm |
Supported versions |
V7.0.x and later |
Protocol type |
Syslog |
JSA recorded event types |
System Web Access Audit |
Automatically discovered? |
If LEEF-formatted payloads, the log source is automatically discovered. If custom-formatted payloads, the log source is not automatically discovered. |
Included identity? |
Yes |
More information |
Barracuda Networks website (https://www.barracuda.com) |
To collect syslog events from Barracuda Web Application Firewall, use the following steps:
If automatic updates are not enabled, download the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:
Barracuda Web Application Firewall DSM RPM
DSMCommon RPM
Configure your Barracuda Web Application Firewall device to send syslog events to JSA.
Add a Barracuda Web Application Firewall log source on the JSA Console. The following table describes the parameters that require specific values that are required for Barracuda Web Application Firewall event collection:
Table 2: Barracuda Web Application Firewall Log Source Parameters Parameter
Value
Log Source type
Barracuda Web Application Firewall
Protocol Configuration
Syslog
Configuring Barracuda Web Application Firewall to Send Syslog Events to JSA
Configure your Barracuda Web Application Firewall appliance to send syslog events to JSA.
Verify that firewalls between the Barracuda appliance and JSA allow UDP traffic on port 514.
Log in to the Barracuda Web Application Firewall web interface.
Click the Advanced tab.
From the Advanced menu, select Export Logs.
Click Add Syslog Server.
Configure the parameters:
Option
Description
Name
The name of the JSA Console or Event Collector
Syslog Server
The IP address of your JSA Console or Event Collector.
Port
The port that is associated with the IP address of your JSA Console or Event Collector.
If syslog messages are sent by UDP, use the default port, 514.
Connection Type
The connection type that transmits the logs from the Barracuda Web Application Firewall to the JSA Console or Event Collector. UDP is the default protocol for syslog communication.
Validate Server Certificate
No
In the Log Formats pane, select a format from the list box for each log type.
If you are using newer versions of Barracuda Web Application Firewall, select LEEF 1.0 (JSA).
If you are using older versions of Barracuda Web Application Firewall, select Custom Format.
Click Save Changes.
Configuring Barracuda Web Application Firewall to Send Syslog Events to JSA for Devices That do Not Support LEEF
If your device does not support LEEF, you can configure syslog forwarding for Barracuda Web Application Firewall.
Log in to the Barracuda Web Application Firewall web interface.
Click the Advanced tab.
From the Advanced menu, select Export logs.
Click Syslog Settings.
Configure a syslog facility value for the following options:
Option
Description
Web Firewall Logs Facility
Select a syslog facility between Local0 and Local7.
Access Logs Facility
Select a syslog facility between Local0 and Local7.
Audit Logs Facility
Select a syslog facility between Local0 and Local7.
System Logs Facility
Select a syslog facility between Local0 and Local7.
Setting a syslog unique facility for each log type allows the Barracuda Web Application Firewall to divide the logs in to different files.
Click Save Changes.
In the Name field, type the name of the syslog server.
In the Syslog field, type the IP address of your JSA console or Event Collector.
From the Log Time Stamp option, select Yes.
From the Log Unit Name option, select Yes.
Click Add.
From the Web Firewall Logs Format list box, select Custom Format.
In the Web Firewall Logs Format field, type the following custom event format:
t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
From the Audit Logs Format list box, select Custom Format.
In the Audit Logs Format field, type the following custom event format:
t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu
From the Access Logs Format list box, select Custom Format.
In the Access Logs Format field, type the following custom event format:
t=%t|trt=%trt|an=%an|li=%li|lp=%lp
Click Save Changes.
From the navigation menu, select Basic >Administration
From the System/Reload/Shutdown pane, click Restart.
The syslog configuration is complete after your Barracuda Web Application Firewall restarts. Events that are forwarded to JSA by Barracuda Web Application Firewall are displayed on the Log Activity tab.