If your device does not support LEEF, you can configure syslog forwarding for Barracuda
Web Application Firewall.
Procedure
- Log in to the Barracuda Web Application Firewall web interface.
- Click the Advanced tab.
- From the Advanced menu, select Export logs.
- Click Syslog Settings.
- Configure a syslog facility value for the following options:

  Option | Description |
  Web Firewall Logs Facility | Select a syslog facility between Local0 and Local7. |
  Access Logs Facility | Select a syslog facility between Local0 and Local7. |
  Audit Logs Facility | Select a syslog facility between Local0 and Local7. |
  System Logs Facility | Select a syslog facility between Local0 and Local7. |

  Setting a unique syslog facility for each log type allows the Barracuda Web Application Firewall to divide the logs into different files.
- Click Save Changes.
- In the Name field, type the name of the syslog server.
- In the Syslog field, type the IP address of your QRadar Console or Event Collector.
- From the Log Time Stamp option, select Yes.
- From the Log Unit Name option, select Yes.
- Click Add.
- From the Web Firewall Logs Format list box, select Custom Format.
- In the Web Firewall Logs Format field, type the following custom event format:
  t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
- From the Access Logs Format list box, select Custom Format.
- In the Access Logs Format field, type the following custom event format:
  t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu
- From the Audit Logs Format list box, select Custom Format.
- In the Audit Logs Format field, type the following custom event format:
  t=%t|trt=%trt|an=%an|li=%li|lp=%lp
- Click Save Changes.
- From the navigation menu, select
- From the System/Reload/Shutdown pane, click Restart.
Results
The syslog configuration is complete after your Barracuda Web Application Firewall restarts.
Events that are forwarded to QRadar® by Barracuda Web
Application Firewall are displayed on the Log Activity tab.
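
Added example, not part of the original procedure and not Barracuda or IBM code: a Python parser built from the three custom format strings in the procedure, which checks that forwarded events arrive in the configured format and tells the log types apart, including values that themselves contain a `|`. The syslog header layout and all sample values are constructed assumptions, and the field keys are treated as opaque names.

```python
import re

# Custom formats exactly as typed into the three format fields in the procedure.
FORMATS = {
    "web_firewall": "t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au",
    "access": "t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu",
    "audit": "t=%t|trt=%trt|an=%an|li=%li|lp=%lp",
}


def compile_format(fmt):
    """Build a regex from 'k=%k|k2=%k2' that captures each value in key order."""
    keys = [part.split("=", 1)[0] for part in fmt.split("|")]
    # Every field but the last is non-greedy, so a '|' inside a value only ends
    # the field when the next expected 'key=' follows it.
    fields = [f"{re.escape(k)}=(?P<{k}>.*?)" for k in keys[:-1]]
    fields.append(f"{re.escape(keys[-1])}=(?P<{keys[-1]}>.*)")
    # Assumption: the payload follows the syslog header after whitespace.
    return re.compile(r"(?:^|\s)" + r"\|".join(fields) + r"$")


COMPILED = {name: compile_format(fmt) for name, fmt in FORMATS.items()}


def parse_event(line):
    """Return (log_type, fields), or (None, {}) when no custom format matches."""
    line = line.rstrip("\r\n")
    for name, rx in COMPILED.items():
        match = rx.search(line)
        if match:
            return name, match.groupdict()
    return None, {}


# Constructed sample lines; the header layout and all values are made up.
SAMPLES = [
    "<134>May  1 10:15:02 waf01 t=2024-05-01 10:15:02|ad=DENY|ci=192.0.2.10|cp=51544|au=-",
    "<142>May  1 10:15:03 waf01 t=2024-05-01 10:15:03|p=HTTPS|s=200|id=a1|ai=203.0.113.5"
    "|ap=443|ci=192.0.2.10|cp=51545|si=198.51.100.8|sp=8080|cu=/search?q=a|b",
    "<150>May  1 10:16:00 waf01 t=2024-05-01 10:16:00|trt=CONFIG|an=admin|li=192.0.2.20|lp=443",
    "<134>May  1 10:17:00 waf01 a line in some other format",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        log_type, fields = parse_event(sample)
        print(log_type or "UNMATCHED", fields)
```

Lines that match none of the three formats, for example system logs, for which the procedure sets no custom format, come back as `(None, {})`.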