If your device does not support LEEF, you can configure syslog forwarding for Barracuda
Web Application Firewall.
Procedure
- Log in to the Barracuda Web Application Firewall web interface.
- Click the Advanced tab.
- From the Advanced menu, select Export logs.
- Click Syslog Settings.
- Configure a syslog facility value for the following options:
| Option | Description |
| --- | --- |
| Web Firewall Logs Facility | Select a syslog facility between Local0 and Local7. |
| Access Logs Facility | Select a syslog facility between Local0 and Local7. |
| Audit Logs Facility | Select a syslog facility between Local0 and Local7. |
| System Logs Facility | Select a syslog facility between Local0 and Local7. |
Setting a unique syslog facility for each log type allows the Barracuda Web Application Firewall
to divide the logs into different files.
- Click Save Changes.
- In the Name field, type the name of the syslog server.
- In the Syslog field, type the IP address of your QRadar® Console or Event Collector.
- From the Log Time Stamp option, select Yes.
- From the Log Unit Name option, select Yes.
- Click Add.
- From the Web Firewall Logs Format list box, select Custom Format.
- In the Web Firewall Logs Format field, type the following custom event format:
t=%t|ad=%ad|ci=%ci|cp=%cp|au=%au
- From the Access Logs Format list box, select Custom Format.
- In the Access Logs Format field, type the following custom event format:
t=%t|p=%p|s=%s|id=%id|ai=%ai|ap=%ap|ci=%ci|cp=%cp|si=%si|sp=%sp|cu=%cu
- From the Audit Logs Format list box, select Custom Format.
- In the Audit Logs Format field, type the following custom event format:
t=%t|trt=%trt|an=%an|li=%li|lp=%lp
- Click Save Changes.
- From the navigation menu, select
- From the System/Reload/Shutdown pane, click Restart.
Results
The syslog configuration is complete after your Barracuda Web Application Firewall restarts.
Events that are forwarded to QRadar by Barracuda Web
Application Firewall are displayed on the Log Activity tab.
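
To confirm that forwarded events match the three custom formats typed in the procedure, a receiver-side check can parse each payload against the expected key order. The following is an added example, not code from IBM or Barracuda; the names `FORMATS` and `parse_event`, the syslog header layout, and all sample values are constructed assumptions.

```python
import re

# Key order per log type, copied from the custom formats in the procedure above.
FORMATS = {
    "web_firewall": ["t", "ad", "ci", "cp", "au"],
    "access": ["t", "p", "s", "id", "ai", "ap", "ci", "cp", "si", "sp", "cu"],
    "audit": ["t", "trt", "an", "li", "lp"],
}

def _pattern(keys):
    # Anchor on the full "|key=" sequence: the format has no escaping, so a
    # literal "|" inside a value must not be treated as a field separator.
    body = r"\|".join(re.escape(k) + r"=(.*?)" for k in keys)
    # The payload follows the syslog header (timestamp and unit name).
    return re.compile(r"(?:^|\s)" + body + r"$")

PATTERNS = {name: _pattern(keys) for name, keys in FORMATS.items()}

def parse_event(line):
    """Return (log_type, fields), or (None, {}) if no custom format matches."""
    for name, pattern in PATTERNS.items():
        match = pattern.search(line.strip())
        if match:
            return name, dict(zip(FORMATS[name], match.groups()))
    return None, {}

# Constructed sample lines (header layout and all values are assumptions).
SAMPLES = [
    "<130>Jan 10 12:00:00 waf1 t=2024-01-10 12:00:00.123|ad=rule a|b hit|ci=192.0.2.10|cp=51515|au=alice",
    "<134>Jan 10 12:00:01 waf1 t=2024-01-10 12:00:01.000|trt=CONFIG|an=admin|li=198.51.100.7|lp=44321",
    "<134>Jan 10 12:00:02 waf1 t=2024-01-10 12:00:02.000|ci=192.0.2.10",  # wrong format typed
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_event(sample))
```

A result of `(None, {})` for a line from the appliance indicates that the custom format string for that log type was mistyped or left at its default.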