Configuring Barracuda Web Application Firewall to send syslog events to QRadar for devices that do not support LEEF

If your device does not support LEEF, you can configure syslog forwarding for Barracuda Web Application Firewall.

Procedure

  1. Log in to the Barracuda Web Application Firewall web interface.
  2. Click the Advanced tab.
  3. From the Advanced menu, select Export logs.
  4. Click Syslog Settings.
  5. Configure a syslog facility value for the following options:
    Option                        Description
    Web Firewall Logs Facility    Select a syslog facility between Local0 and Local7.
    Access Logs Facility          Select a syslog facility between Local0 and Local7.
    Audit Logs Facility           Select a syslog facility between Local0 and Local7.
    System Logs Facility          Select a syslog facility between Local0 and Local7.

    Setting a unique syslog facility for each log type allows the Barracuda Web Application Firewall to divide the logs into different files.

  6. Click Save Changes.
  7. In the Name field, type the name of the syslog server.
  8. In the Syslog field, type the IP address of your QRadar Console or Event Collector.
  9. From the Log Time Stamp option, select Yes.
  10. From the Log Unit Name option, select Yes.
  11. Click Add.
  12. From the Web Firewall Logs Format list box, select Custom Format.
  13. In the Web Firewall Logs Format field, type the following custom event format:
    t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
  14. From the Access Logs Format list box, select Custom Format.
  15. In the Access Logs Format field, type the following custom event format:
    t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu
  16. From the Audit Logs Format list box, select Custom Format.
  17. In the Audit Logs Format field, type the following custom event format:
    t=%t|trt=%trt|an=%an|li=%li|lp=%lp
  18. Click Save Changes.
  19. From the navigation menu, select Basic > Administration.
  20. From the System/Reload/Shutdown pane, click Restart.

Results

The syslog configuration is complete after your Barracuda Web Application Firewall restarts. Events that are forwarded to QRadar® by Barracuda Web Application Firewall are displayed on the Log Activity tab.
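
To check that events arriving at the collector match the custom formats typed in steps 13, 15 and 17, the following added example (not part of the original procedure and not Barracuda or QRadar code) parses a received line, identifies which of the three formats it uses, and reports variables that were left unexpanded. The function names, the sample lines and their syslog header layout are assumptions constructed for illustration.

```python
import re

# Custom format strings exactly as typed in steps 13, 15 and 17.
FORMATS = {
    "web_firewall": "t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au",
    "access": "t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu",
    "audit": "t=%t|trt=%trt|an=%an|li=%li|lp=%lp",
}

def compile_format(fmt):
    """Build a regex that follows the key order of one custom format.

    Each value ends at the next "|key=", so a value may itself contain "|" or "=".
    """
    keys = [field.split("=", 1)[0] for field in fmt.split("|")]
    body = r"\|".join(rf"{re.escape(k)}=(?P<{k}>.*?)" for k in keys)
    return keys, re.compile(r"(?:^|\s)" + body + r"$")

COMPILED = {name: compile_format(fmt) for name, fmt in FORMATS.items()}

def parse_event(line):
    """Return (log_type, fields, problems) for one received syslog line."""
    line = line.rstrip("\r\n")
    for name, (keys, pattern) in COMPILED.items():
        match = pattern.search(line)
        if match:
            fields = match.groupdict()
            # A value still equal to "%key" means the variable was not expanded.
            problems = [f"{k} not expanded" for k in keys if fields[k] == f"%{k}"]
            return name, fields, problems
    return None, {}, ["no custom format matched"]

# Constructed sample lines: header layout and all values are placeholders.
SAMPLES = [
    "<129>Jan 10 12:00:01 waf1 t=2024-01-10 12:00:01|ad=sample|text|ci=192.0.2.10|cp=51514|au=user1",
    "<134>Jan 10 12:00:02 waf1 t=2024-01-10 12:00:02|p=HTTP|s=200|id=abc|ai=198.51.100.1|ap=443"
    "|ci=192.0.2.10|cp=51515|si=203.0.113.7|sp=8080|cu=/login?next=/a|b",
    "<134>Jan 10 12:00:03 waf1 t=%t|trt=%trt|an=admin|li=192.0.2.5|lp=443",
    "<134>Jan 10 12:00:04 waf1 unrelated message",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        log_type, fields, problems = parse_event(sample)
        print(log_type, problems or "ok", fields)
```

A line that matches none of the three formats, or that still carries literal `%` variables, usually means the format string was mistyped or the Custom Format option was not selected for that log type.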