AlienVault® USM Anywhere™

Barracuda Web Application Firewall (WAF)

When you configure the Barracuda Web Application Firewall integration to send log data to USM Anywhere, you can use the Barracuda Web Application Firewall plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Barracuda
Device type Web application firewall
Connection type syslog
Vendor link https://www.barracuda.com/

Barracuda WAF Integration

To configure Barracuda WAF to send log data to the USM Anywhere Sensor

  1. Go to the ADVANCED > Export Logs page.
  2. In the Export Logs section, click Add Export Log Server.
  3. In the Add Export Log Server window, specify values for the following fields:

    • Name — a name for the export log server
    • Log Server Type — the type of server that receives the exported logs; USM Anywhere receives these logs over syslog
    • IP Address — the IP address of the USM Anywhere Sensor that receives the logs
    • Port — the port on the USM Anywhere Sensor to which the logs are sent
    • Log Timestamp and Hostname — set this to Yes so that each message carries the date and time of the event and the hostname (configured in BASIC > IP Configuration > Domain Configuration); the plugin pattern expects both at the start of the message

  4. Click Add.

To configure facilities for different log types

  1. Go to ADVANCED > Export Logs.
  2. In Export Logs, select Export Log Settings.
  3. In the Syslog Settings section of the Export Log Settings dialog box, select the appropriate facility (Local0 to Local7) from the list for each log type, and click Save.

    Note: You can set the same facility for all log types. For example, you can set Local0 for System Logs, Web Firewall Logs, Access Logs, Audit Logs, and Network Firewall Logs.

    In the Export Log Settings dialog box, you can also

    • enable or disable, for each log type, whether it is exported to the configured export log server(s) (Export Log Settings)
    • set the severity level at which web firewall logs and system logs are exported to the configured export log server(s) (Export Log Filters)

      The Barracuda Web Application Firewall exports logs whose severity number is less than or equal to the selected level; the numbers follow the syslog scale, where a lower number is more severe. For example, if Web Firewall Log Severity is set to 2-Critical, then only logs with severity 0-2 are sent to the external log server (in other words, 0-Emergency, 1-Alert, and 2-Critical), and less severe entries such as errors and warnings never reach USM Anywhere.

Plugin Enablement

The Barracuda Web Application Firewall plugin automatically processes all syslog messages that match the following pattern, which recognizes the exported timestamp, the WAF unit name, and the log type identifier (TR, WF, AUDIT, or SYS):

(?<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+(?:-|\+)\d{4})\s+(?<device>\S+)\s+(TR|WF|AUDIT|SYS)
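The following script is an added example, not code from the USM Anywhere plugin or from Barracuda. It applies the header pattern above to a handful of constructed syslog lines to show which ones the plugin would claim and which log type each carries, decodes the syslog PRI prefix so you can confirm that the facility (Local0 to Local7) and severity you configured under Export Log Settings are what actually arrives at the sensor, and models the Export Log Filters rule from the previous section (a filter of 2-Critical forwards severities 0, 1 and 2 only). The sample lines are constructed: only the timestamp, unit name and log type token follow the WAF format, and the text after the log type is placeholder content. PRI decoding follows RFC 3164/5424 (PRI = facility * 8 + severity). Python's re module spells named groups as (?P<name>...), so the (?<name>...) groups of the plugin pattern are written that way here.

```python
import re
from typing import List, Optional, Tuple

# Header pattern transcribed from the Plugin Enablement section, with Python-style
# named groups. re.search is used because the exported message may carry a <PRI>
# prefix ahead of the timestamp.
HEADER_RE = re.compile(
    r"(?P<date>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3}\s+(?:-|\+)\d{4})"
    r"\s+(?P<device>\S+)\s+(?P<logtype>TR|WF|AUDIT|SYS)"
)

# Syslog PRI prefix (RFC 3164/5424): "<PRI>" where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")

# Syslog severity numbering; the page's example (2-Critical exports 0, 1 and 2)
# uses this scale.
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# Facilities 16..23 are Local0..Local7, the range the WAF offers per log type.
LOCAL_FACILITY_BASE = 16

# Constructed sample lines (assumption: these are not real WAF output). The header
# follows the WAF export format; everything after the log type is placeholder text.
SAMPLE_LINES = [
    "<134>2024-05-01 10:52:08.914 +0000 waf01.example.com WF placeholder web firewall event",
    "<134>2024-05-01 10:52:09.120 +0000 waf01.example.com TR placeholder access log event",
    "<133>2024-05-01 10:52:10.001 +0000 waf01.example.com AUDIT placeholder audit event",
    "<133>2024-05-01 10:52:11.555 +0000 waf01.example.com SYS placeholder system event",
    "<38>May  1 10:52:12 other-host sshd[1234]: placeholder, not a Barracuda line",
    "<134>2024-05-01 10:52:13.000 +0000 waf01.example.com NF placeholder network firewall event",
]


def decode_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from a leading <PRI>, or None if the prefix is absent."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8


def facility_name(facility: int) -> str:
    """Local0..Local7 for facilities 16..23; anything else is reported by number."""
    if LOCAL_FACILITY_BASE <= facility <= LOCAL_FACILITY_BASE + 7:
        return f"Local{facility - LOCAL_FACILITY_BASE}"
    return f"facility{facility}"


def match_header(line: str) -> Optional[dict]:
    """Apply the plugin's header pattern; None means the plugin would not claim the line."""
    m = HEADER_RE.search(line)
    return m.groupdict() if m else None


def classify(lines: List[str]) -> dict:
    """Count lines per WAF log type, plus lines the pattern rejects."""
    counts = {"TR": 0, "WF": 0, "AUDIT": 0, "SYS": 0, "unmatched": 0}
    for line in lines:
        hdr = match_header(line)
        counts[hdr["logtype"] if hdr else "unmatched"] += 1
    return counts


def exported_at(threshold: int) -> List[str]:
    """Severity names the WAF forwards when the export filter is set to `threshold`:
    a message is exported when its numeric severity is <= the configured level."""
    return [name for level, name in enumerate(SEVERITY_NAMES) if level <= threshold]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        pri = decode_pri(line)
        hdr = match_header(line)
        fac = facility_name(pri[0]) if pri else "-"
        sev = SEVERITY_NAMES[pri[1]] if pri else "-"
        kind = hdr["logtype"] if hdr else "unmatched"
        print(f"{fac:<10} {sev:<14} {kind:<9} {line[:60]}")
    print("Exported at 2-Critical:", exported_at(2))
```

Two things the run makes visible: the line whose log type is NF is rejected because the plugin pattern only lists TR, WF, AUDIT and SYS, so network firewall logs exported from the WAF are not claimed by this plugin; and a PRI of <134> decodes to Local0 at Informational, which is what you expect to see on the sensor when every log type is mapped to Local0 as in the note above. Capturing a few real lines on the sensor and feeding them to match_header is a quick way to confirm the Log Timestamp and Hostname setting took effect, since without it the timestamp the pattern anchors on is missing.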

Available Plugin Fields

The following plugin fields are the attributes the plugin extracts from each syslog message. USM Anywhere reports use these fields, you can reference them when creating custom reports, and the USM Anywhere correlation rules also make use of them.

  • application_protocol
  • authentication_type
  • destination_address
  • destination_port
  • destination_username
  • event_action
  • event_description
  • event_name
  • event_severity
  • http_hostname
  • policy
  • rep_device_address
  • rep_device_hostname
  • rep_device_rule_id
  • request_cookies
  • request_http_version
  • request_method
  • request_referrer
  • request_url
  • request_user_agent
  • response_code
  • session
  • source_address
  • source_port
  • source_process_commandline
  • source_username
  • timestamp_occured
  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5

Troubleshooting

For troubleshooting, refer to the vendor documentation: