AlienVault® USM Anywhere™

Barracuda Web Security Gateway

When you configure the Barracuda Web Security Gateway to send log data to USM Anywhere, you can use the Barracuda Web Filter plugin to translate the raw log data into normalized events for analysis.

Device Details

  Device vendor: Barracuda
  Device type: Web Filter
  Connection type: syslog
  Vendor link: https://www.barracuda.com/

Barracuda Web Security Gateway Integration

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor.

To send log data from Barracuda Web Security Gateway to USM Anywhere

  1. Log in to the Barracuda Web Security Gateway.
  2. Go to the Advanced tab and click Syslog.

  3. (If using Barracuda Web Security Gateway version 14 or later) Change Enable W3C Logs to Yes.

    Important: When sending logs in the World Wide Web Consortium (W3C) format, Barracuda does not include any tags in the syslog header. Therefore, you must manually enable the Barracuda Web Filter plugin in USM Anywhere. See Manual Plugin Management for assistance.

  4. Specify the IP address of the USM Anywhere Sensor in both the Web Traffic Syslog and Web Interface Syslog fields.
  5. Click Save.

Note: In some instances, users with older firmware have reported event information being improperly parsed from syslog messages. As of the Web Security Gateway version 12.0 firmware update, syslog messages are correctly parsed.

Plugin Enablement

If you are not sending W3C logs, the Barracuda Web Filter plugin automatically processes all messages whose syslog tag matches one of the following values: httpscan, http_scan, sniff.

If you are sending W3C logs, as is the case in Barracuda Web Security Gateway version 14 or later, you must manually enable the Barracuda Web Filter plugin in USM Anywhere. See Manual Plugin Management for assistance.
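
The following is an added example, not part of the AlienVault documentation or the plugin's own code: it checks captured syslog lines for the tags listed above, showing which messages would be matched automatically and which carry no tag and therefore depend on manual plugin enablement. The RFC 3164 style header layout, the host name, and the sample lines are assumptions constructed for illustration; they are not actual Barracuda output.

```python
import re

# Tags the page lists for automatic plugin matching.
AUTO_TAGS = {"httpscan", "http_scan", "sniff"}

# Assumed RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?"                          # optional priority value
    r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"  # timestamp
    r"(?P<host>\S+)\s"                          # sending host
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[\d+\])?:\s"  # tag, optional pid, colon
)

def syslog_tag(line):
    """Return the syslog tag of a line, or None if the header carries no tag."""
    m = HEADER.match(line)
    return m.group("tag") if m else None

def plugin_routing(line):
    """Classify a line as 'auto', 'manual' or 'other' based on its tag."""
    tag = syslog_tag(line)
    if tag is None:
        return "manual"   # untagged (e.g. W3C format): plugin must be enabled manually
    if tag in AUTO_TAGS:
        return "auto"     # tag matches the plugin's automatic match list
    return "other"        # tagged, but not one of the listed Web Filter tags

def summarize(lines):
    """Count how many non-empty lines fall into each routing class."""
    counts = {"auto": 0, "manual": 0, "other": 0}
    for line in lines:
        if line.strip():
            counts[plugin_routing(line)] += 1
    return counts

# Constructed sample lines (hypothetical host "wsg01", documentation IP range).
SAMPLE = [
    "<134>Jan 12 10:15:02 wsg01 http_scan[2121]: 1700000000 192.0.2.10 ALLOWED",
    "<134>Jan  2 10:15:02 wsg01 sniff: 1700000001 192.0.2.11 BLOCKED",
    "<134>Jan 12 10:15:03 wsg01 2024-01-12 10:15:03 192.0.2.10 GET http://example.com/ 200",
    "<38>Jan 12 10:15:04 wsg01 cron[88]: job started",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(plugin_routing(line), "|", line)
    print(summarize(SAMPLE))
```

Run it against a short capture of what the sensor actually receives; a high "manual" count alongside zero "auto" lines indicates the device is sending untagged logs and the plugin must be enabled manually.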

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • audit_reason
  • bytes_in
  • bytes_out
  • content_category
  • destination_address
  • event_action
  • event_name
  • file_hash
  • matched_value
  • plugin_rule
  • request_content_type
  • request_url
  • source_address
  • source_username
  • timestamp_occured
  • timestamp_received

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.barracuda.com/support/knowledgebase