Barracuda Web Application Firewall
FortiSIEM Support Added: 6.3.2
Vendor: Barracuda
Product Information: https://www.barracuda.com/products/webapplicationfirewall
What is Discovered and Monitored
The following protocols are used to discover and monitor various aspects of Barracuda Web Application Firewall (WAF).
Protocol | Metrics Collected | Used For |
---|---|---|
Syslog | System logs, Web Firewall logs, Access logs, Audit logs and Network Firewall logs | Security and Compliance |
Configuration
To configure syslog from your Barracuda WAF, take the following steps:
- Navigate to Advanced > Export Logs > Syslog.
- Configure the following fields in the table.

  Field | Description |
  ---|---|
  Name | Enter the name of the syslog server. |
  Syslog Server | Enter the IP address of the syslog server. |
  Log Time Stamp | Select "Yes" to log the date and time of system events. |
  Log Unit Name | Select "Yes" to log the name of the Barracuda Web Application Firewall unit. The unit name is the same as the Default Host name located on the BASIC > IP Configuration page. |
  Comment | Enter any comments about the syslog server. |
  Select appropriate facility | Leave as Local7 or default option. |
- When done, click Add to add the settings.
Sample Events
<134>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.163 -0600 nlb_lab NF INFO TCP 192.0.2.105 443 ALLOW traffic:allow

<132>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.550 -0600 nlb_lab WF WARN UNRECOGNIZED_COOKIE 98.98.98.22 51415 192.0.2.110 443 global GLOBAL LOG NONE [Cookie\="_derived_epik" Service-created\="1565 days back" Reason\="No valid encrypted pair"] GET test.example.com/random_page TLSv1.2 "-" "Mozilla/5.0 (Linux; Android 11; SAMSUNG SM-G991U) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/15.0 Chrome/90.0.4430.210 Mobile Safari/537.36" 98.98.98.22 51415 "-" https://test.example.com/

<134>Sep 1 13:10:11 nlb_lab 2021-09-01 13:10:11.342 -0600 nlb_lab TR 192.0.2.105 443 192.0.2.134 53619 "-" "-" POST TLSv1.2 test.example.com HTTP/1.1 200 736974 439 0 104 10.20.20.102 443 103 "-" SERVER DEFAULT PASSIVE VALID /json/reply/TicketingEventsGetAvailableByEventTypeName "-" "-" "-" "ServiceStack .NET Client 5.40" 192.0.2.134 53619 "-" "-" "-" "-"
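To check that events arrive with the facility, timestamp and unit name configured above, the header of each sample event can be decoded as in the following added example (not FortiSIEM's or Barracuda's own parser). The `parse_event` function, the field names it returns and the NF/WF/TR mapping are assumptions made for illustration, and the pattern assumes Log Time Stamp and Log Unit Name are both set to "Yes".

```python
import re

# Constructed input: the page's three sample events, WF and TR lines shortened.
SAMPLES = [
    "<134>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.163 -0600 nlb_lab "
    "NF INFO TCP 192.0.2.105 443 ALLOW traffic:allow",
    "<132>Sep 1 13:10:09 nlb_lab 2021-09-01 13:10:09.550 -0600 nlb_lab "
    "WF WARN UNRECOGNIZED_COOKIE 98.98.98.22 51415 192.0.2.110 443 global",
    "<134>Sep 1 13:10:11 nlb_lab 2021-09-01 13:10:11.342 -0600 nlb_lab "
    'TR 192.0.2.105 443 192.0.2.134 53619 "-" "-" POST TLSv1.2',
]

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Assumption: how the type tokens in the samples map to the log kinds the page lists.
LOG_TYPES = {"NF": "Network Firewall", "WF": "Web Firewall", "TR": "Access"}

# Assumption: "Log Time Stamp" and "Log Unit Name" are both set to Yes, so the
# device timestamp and unit name follow the syslog header, as in the samples.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<unit>\S+) (?P<type>[A-Z]+) (?P<rest>.*)$"
)

def parse_event(line):
    """Return the header fields of one event, or None if the line does not match."""
    m = HEADER.match(line)
    if m is None or int(m["pri"]) > 191:  # 191 is the highest valid syslog PRI
        return None
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    return {
        "facility": f"local{facility - 16}" if 16 <= facility <= 23 else str(facility),
        "severity": SEVERITIES[severity],
        "host": m["host"],
        "device_time": m["ts"],
        "unit": m["unit"],
        "log_type": LOG_TYPES.get(m["type"], "unknown:" + m["type"]),
        "body": m["rest"],
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        event = parse_event(sample)
        print(event["facility"], event["severity"], event["log_type"], event["unit"])
```

The PRI values 134 and 132 in the samples decode to facility local0; an informational event sent with the Local7 facility would carry PRI 190, which matters if the collector routes or filters by facility.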