Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Barracuda Web Application Firewall

The JSA DSM for Barracuda Web Application Firewall collects syslog LEEF and custom events from Barracuda Web Application Firewall devices.

The following table identifies the specifications for the Barracuda Web Application Firewall DSM:

Table 1: Barracuda Web Application Firewall DSM Specifications

Specification

Value

Manufacturer

Barracuda

DSM name

Web Application Firewall

RPM file name

DSM-BarracudaWebApplicationFirewall-JSA_version-build_number.noarch.rpm

Supported versions

V7.0.x and later

Protocol type

Syslog

JSA recorded event types

System

Web

Access

Audit

Automatically discovered?

If LEEF-formatted payloads, the log source is automatically discovered.

If custom-formatted payloads, the log source is not automatically discovered.

Included identity?

Yes

More information

Barracuda Networks website (https://www.barracuda.com)

To collect syslog events from Barracuda Web Application Firewall, use the following steps:

  1. If automatic updates are not enabled, download the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:

    • Barracuda Web Application Firewall DSM RPM

    • DSMCommon RPM

  2. Configure your Barracuda Web Application Firewall device to send syslog events to JSA.

  3. Add a Barracuda Web Application Firewall log source on the JSA Console. The following table describes the parameters that require specific values that are required for Barracuda Web Application Firewall event collection:

    Table 2: Barracuda Web Application Firewall Log Source Parameters

    Parameter

    Value

    Log Source type

    Barracuda Web Application Firewall

    Protocol Configuration

    Syslog

Configuring Barracuda Web Application Firewall to Send Syslog Events to JSA

Configure your Barracuda Web Application Firewall appliance to send syslog events to JSA.

Verify that firewalls between the Barracuda appliance and JSA allow UDP traffic on port 514.

  1. Log in to the Barracuda Web Application Firewall web interface.

  2. Click the Advanced tab.

  3. From the Advanced menu, select Export Logs.

  4. Click Add Syslog Server.

  5. Configure the parameters:

    Option

    Description

    Name

    The name of the JSA Console or Event Collector

    Syslog Server

    The IP address of your JSA Console or Event Collector.

    Port

    The port that is associated with the IP address of your JSA Console or Event Collector.

    If syslog messages are sent by UDP, use the default port, 514.

    Connection Type

    The connection type that transmits the logs from the Barracuda Web Application Firewall to the JSA Console or Event Collector. UDP is the default protocol for syslog communication.

    Validate Server Certificate

    No

  6. In the Log Formats pane, select a format from the list box for each log type.

    • If you are using newer versions of Barracuda Web Application Firewall, select LEEF 1.0 (JSA).

    • If you are using older versions of Barracuda Web Application Firewall, select Custom Format.

  7. Click Save Changes.

Configuring Barracuda Web Application Firewall to Send Syslog Events to JSA for Devices That do Not Support LEEF

If your device does not support LEEF, you can configure syslog forwarding for Barracuda Web Application Firewall.

  1. Log in to the Barracuda Web Application Firewall web interface.

  2. Click the Advanced tab.

  3. From the Advanced menu, select Export logs.

  4. Click Syslog Settings.

  5. Configure a syslog facility value for the following options:

    Option

    Description

    Web Firewall Logs Facility

    Select a syslog facility between Local0 and Local7.

    Access Logs Facility

    Select a syslog facility between Local0 and Local7.

    Audit Logs Facility

    Select a syslog facility between Local0 and Local7.

    System Logs Facility

    Select a syslog facility between Local0 and Local7.

    Setting a syslog unique facility for each log type allows the Barracuda Web Application Firewall to divide the logs in to different files.

  6. Click Save Changes.

  7. In the Name field, type the name of the syslog server.

  8. In the Syslog field, type the IP address of your JSA console or Event Collector.

  9. From the Log Time Stamp option, select Yes.

  10. From the Log Unit Name option, select Yes.

  11. Click Add.

  12. From the Web Firewall Logs Format list box, select Custom Format.

  13. In the Web Firewall Logs Format field, type the following custom event format:

    t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au

  14. From the Audit Logs Format list box, select Custom Format.

  15. In the Audit Logs Format field, type the following custom event format:

    t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu

  16. From the Access Logs Format list box, select Custom Format.

  17. In the Access Logs Format field, type the following custom event format:

    t=%t|trt=%trt|an=%an|li=%li|lp=%lp

  18. Click Save Changes.

  19. From the navigation menu, select Basic >Administration

  20. From the System/Reload/Shutdown pane, click Restart.

The syslog configuration is complete after your Barracuda Web Application Firewall restarts. Events that are forwarded to JSA by Barracuda Web Application Firewall are displayed on the Log Activity tab.