Barracuda CloudGen Firewall
Overview
Barracuda CloudGen Firewall (formerly NextGen Firewall) is a unified network security appliance that combines stateful, application-aware firewalling with intrusion prevention, malware protection, web filtering and full-mesh VPN/SD-WAN.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
- Vendor: Barracuda
- Supported environment: OnPrem
- Detection based on: Telemetry
- Supported application or feature: Network device logs
Prerequisites
- Resource:
- Self-managed syslog forwarder
- Network:
- Outbound traffic allowed
- Permissions:
- Administrator or Root access to the Barracuda device
- Root access to the Linux server with the syslog forwarder
Transport Protocol/Method
- Indirect Syslog
Configure
Configure audit and reporting
- Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
- In the left menu, select Audit and Reporting.
- Expand the Configuration Mode menu and select Switch to Advanced View.
- Click Lock.
- In the LogPolicy section, configure the following settings:
  - For Activity Log Mode, choose Log-Pipe-Separated-Value-List.
  - For Activity Log Data, choose Log-Info-Code.
- Changes to the audit and reporting configuration only take effect after a firmware restart. The restart restarts the firewall services, so plan it for a maintenance window.
- Click Send Changes and Activate.
- Go to the CONTROL > Box.
- Expand the Operating System section.
- Click Firmware Restart.
How to set up syslog forwarding
- Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
- Click Lock
- Set Enable Syslog Streaming to yes.
- Click Send Changes and Activate.
- In the left menu, select Logstream Destinations.
- Expand the Configuration Mode menu and select Switch to Advanced View.
- Click Lock.
- Click the + icon to add a new entry.
- Enter a descriptive name in the dialog that opens and click OK. The Destinations window opens.
- Select the Logstream Destination - Explicit IP.
- Enter the IP address of your syslog forwarder (the concentrator) in the Destination IP Address field.
- Enter the port on which the forwarder listens for syslog messages in the Destination Port field.
- Select the Transmission Mode: UDP (the default) or TCP; choosing TLS sets TCP automatically. Prefer TCP with TLS where the forwarder supports it: UDP syslog is neither reliable nor encrypted, so dropped or tampered events go unnoticed.
- Click OK.
- Click Send Changes and Activate.
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the + New Intake button at the top right of the page.
- Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on Create.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
Configure a forwarder
To forward events to Sekoia.io over syslog, the forwarder must add a structured-data element carrying the intake key you created above to the RFC 5424 header. Written in rsyslog's property-replacer syntax, here is the message before and after the forwarder:
Before:
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG RAW_MESSAGE
After:
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE
To achieve this you can:
- Use the Sekoia.io forwarder, the officially supported way to collect data over syslog in Sekoia.io. It is a prepackaged component that centralizes data coming from many devices and sources and forwards it to Sekoia.io in the expected format; you only have to provide your intake key as a parameter.
- Use your own syslog service instance. You may already run one of these components and want to reuse it to centralize data before forwarding it to Sekoia.io. In that case you have to configure and maintain the component yourself so that it produces the format Sekoia.io expects.
Warning
Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support.
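As an added example (it is neither Sekoia.io's forwarder nor Barracuda code), the Python below builds exactly the framed message shown in the After line from a raw Barracuda log line and an intake key, escapes the key as RFC 5424 requires for parameter values, adds RFC 6587 octet-count framing for TCP/TLS transport, and parses a frame back so a forwarder's output can be checked before it reaches Sekoia.io. The host name, app-name, facility/severity and the sample log line are constructed placeholders, not values from the page.

```python
"""Build and check the RFC 5424 frame Sekoia.io expects from a syslog forwarder.

Added example, not Sekoia.io or Barracuda code. It reproduces the "After"
template above: MSGID is the literal LOG and the structured-data element
carries the intake key. Host and app names are made-up placeholders.
"""
import datetime as dt
import re
from typing import Optional

SEKOIA_SD_ID = "SEKOIA@53288"
# Fixed timestamp so the output is reproducible (assumed value, not from the page).
EXAMPLE_TS = dt.datetime(2025, 2, 20, 9, 0, 0, tzinfo=dt.timezone.utc)


def sd_escape(value: str) -> str:
    """Escape a PARAM-VALUE as RFC 5424 section 6.3.3 requires ('\\', '"' and ']')."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_frame(intake_key: str, raw_message: str, hostname: str,
                app_name: str = "barracuda", procid: str = "-",
                facility: int = 1, severity: int = 6,
                timestamp: Optional[dt.datetime] = None) -> str:
    """Return '<PRI>1 TIMESTAMP HOST APP PROCID LOG [SEKOIA@53288 intake_key="..."] MSG'."""
    pri = facility * 8 + severity  # syslog PRI encoding
    ts = timestamp or dt.datetime.now(dt.timezone.utc)
    ts_text = ts.isoformat(timespec="milliseconds")  # RFC 3339, e.g. 2025-02-20T09:00:00.000+00:00
    sd = f'[{SEKOIA_SD_ID} intake_key="{sd_escape(intake_key)}"]'
    return f"<{pri}>1 {ts_text} {hostname} {app_name} {procid} LOG {sd} {raw_message}"


def octet_frame(frame: str) -> bytes:
    """Prefix the message with its byte length (RFC 6587 octet counting) for TCP/TLS."""
    data = frame.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


FRAME_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) LOG '
    r'\[SEKOIA@53288 intake_key="(?P<key>(?:[^"\\]|\\.)*)"\] (?P<msg>.*)$',
    re.DOTALL,
)


def check_frame(frame: str) -> dict:
    """Parse a frame back; raise ValueError if the Sekoia.io header is missing or malformed."""
    m = FRAME_RE.match(frame)
    if not m:
        raise ValueError("message is not framed for Sekoia.io (no SEKOIA@53288 element)")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "app_name": m.group("app"),
        "procid": m.group("procid"),
        "intake_key": re.sub(r"\\(.)", r"\1", m.group("key")),  # undo sd_escape
        "message": m.group("msg"),
    }


if __name__ == "__main__":
    # Constructed sample line, modelled on the raw event samples on this page.
    raw = "Info MACHINE-F380 Session from 127.0.0.1:15743 mode=0"
    frame = build_frame("YOUR_INTAKE_KEY", raw, hostname="fw01.example.net", timestamp=EXAMPLE_TS)
    print(frame)
    print(octet_frame(frame)[:20])
    print(check_frame(frame)["intake_key"])
```

Running `check_frame` over a few lines captured from your own forwarder's output is the quickest way to confirm that every event actually carries the SEKOIA@53288 element with the right key before you point it at Sekoia.io.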
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
Info EXAMPLE LOGIN ATTEMPT: boxconfig[50357]: Login localhost_EXAMPLE from 127.0.0.1 : Allowed.
Info EXAMPLE boxconfig[50512]: Session localhost_EXAMPLE: Closed
Security MACHINE-F380 LOGIN ATTEMPT: Login from 1.2.3.4: Denied: Firewall Rule RULENAME
Info MACHINE-F380 Received 3 users from EXAMPLEVPN (DC1 IP = 1.2.3.4).
Info MACHINE-F380 phibs: Authentication Login for peer=5.6.7.8 origin=DCCLIENT server=box service=dcclient box=MACHINE-F380 startport=0 endport=0 user=jdoe
Info MACHINE-F380 phibs: Authentication Login for peer=1.2.3.4 origin=DCCLIENT server=box service=dcclient box=MACHINE-F380 startport=0 endport=0 user=jdoe
Info MACHINE-F380 phibs: Authentication Timeout(28800) for peer=1.2.3.4 origin=DCCLIENT server=box service=dcclient box=MACHINE-F380 jdoe|||||||CN=VPN-ALL,OU=Groups,OU=Shared,OU=Business,DC=example,DC=com|1740086783|28800||msad||
Info EXAMPLE MSAD-Offline-Groups Setting MSAD offline group sync cache to 178.64 MByte (auto-calculated)
Info MACHINE-F380 MSAD-Offline-Groups Start sync for msad-groups for domain EXAMPLEDC04 on 1.2.3.4.
Info MACHINE-F380 MSAD-Offline-Groups Start sync for domain EXAMPLEDC04 on 1.2.3.4.
Info MACHINE-F380 Session from 127.0.0.1:15743 mode=0
Info MACHINE-F380 challenge sent for localhost_MACHINE-F380_5-4_1
Notice MACHINE-F380 127.0.0.1:15743 login succeeded: localhost_MACHINE-F380_5-4_1 Valid password and valid challenge
Info MACHINE-F380 New Session GCSID_localhost_MACHINE-F380_5-4_1_127.0.0.1_15743_25308
Info EXAMPLE New Session GCSID_localhost_EXAMPLE_127.0.0.1_34031_56301
Info MACHINE-F380 Process: Session(127.0.0.1:15743) exits normally
Info MACHINE-F380 [master@1.2.3.4_36778] Download File /var/phion/mcdownload/firmwareupdates/files/9.0 received size=71731 mode=100644
Info MACHINE-F380 [master@1.2.3.4_29010] Commit operation: 0 Copy: bsyslog.conf from boxsrv
Info MACHINE-F380 [master@1.2.3.4_29010] Commit operation: 0 Execute: /opt/phion/modules/box/boxsrv/bsyslog/bin/activate /opt/phion/config/active/bsyslog.conf
Info MACHINE-F380 event: [1071065] Insert Event from 127.0.0.1:56405 - (D|3|boxfw|3|firewall|4015|9.10.11.12:443|MACHINE-F380_5-4_1|1740029102|TCP 5.6.7.8:80 (bond0.21) -> 9.10.11.12:443)
Info MACHINE-F380 event: [1071065] Drop Event from 127.0.0.1:11703 - (D|3|MACHINE-F380MVPN|2|vpnserver|3002|IPSEC-EXAMPLE-1.2.3.4-5.6.7.8|MACHINE-F380_5-4_1)
Info MACHINE-F380 event: [1071032] Send Event (D|2|NGAdmin|2|Login|2420|root|MACHINE-F380_5-4_1) to Control Center 1.2.3.4
Info MACHINE-F380 event: [1071032] Send Event (D|2|control|2|controld|62|1.2.3.4/32 gateway table default dev bond0.23 via 13.14.15.16 proto 3|MACHINE-F380_5-4_1) to Control Center 5.6.7.8
Security MACHINE-F380 firewall: [Timer] SecurityEvent: (Address-Port Scan) 149 unallowed requests for source IP 5.6.7.8 within 60 seconds
Info MACHINE-F380 Allow: LOUT|UDP|bond0.603|1.2.3.4|61988|00:11:22:33:44:55|5.6.7.8|53|domain||RULENAME|0|9.10.11.12|5.6.7.8|0|1|0|0|0|0||||||
Security EXAMPLE LocalBlock: <cumulative>|UDP|eth0|5.6.7.8|0|00:00:00:00:00:00|9.10.11.12|811|||<no-match>|4003|||0|24|0|0|0|0||||||
Warning MACHINE-F380 firewall: [Request] Allow: IPS ALLIP(0) 9.10.11.12 -> 1.2.3.4:0 |[ID: 5000002 TCPIP Port or IP Address Scan]||3|Probing
Info MACHINE-F380 update|MACHINE-F380|PGRP-AUTH-jdoe-ABCD||||||1740020807|1740115598|116377688|1219271687|5.6.7.8|||jdoe
Warning MACHINE-F380 [5647250.628103] KTINA-WARN: IPSEC-v2-EXAMPLE doesn't have a transport
Info MACHINE-F380 control: Send status poll request status to Control Center 1.2.3.4
Info MACHINE-F380 Log wrapping is enabled, log caching is enabled
Info MACHINE-F380 was able to ping process 1126 (/var/run/syslogd.pid).
Info MACHINE-F380 still alive after 23523 interval(s)
Info MACHINE-F380 current load is 1 0 0
Info MACHINE-F380 currently there are 3387184 kB of free memory available (209780 buffered, 1507836, cached)
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
No related built-in rules were found. This message is automatically generated.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Network device logs | None |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | authentication, file, network, process, session |
Type | allowed, end, info, start |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "Info EXAMPLE LOGIN ATTEMPT: boxconfig[50357]: Login localhost_EXAMPLE from 127.0.0.1 : Allowed.",
"event": {
"category": [
"authentication"
],
"outcome": "success",
"type": [
"start"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"name": "boxconfig",
"pid": 50357
},
"related": {
"ip": [
"127.0.0.1"
],
"user": [
"localhost"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1"
},
"user": {
"name": "localhost"
}
}
{
"message": "Info EXAMPLE boxconfig[50512]: Session localhost_EXAMPLE: Closed",
"event": {
"category": [
"authentication"
],
"outcome": "success",
"type": [
"end"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"name": "boxconfig",
"pid": 50512
},
"related": {
"user": [
"localhost"
]
},
"user": {
"name": "localhost"
}
}
{
"message": "Security MACHINE-F380 LOGIN ATTEMPT: Login from 1.2.3.4: Denied: Firewall Rule RULENAME",
"event": {
"category": [
"authentication"
],
"outcome": "failure",
"type": [
"start"
]
},
"error": {
"message": "Firewall Rule RULENAME"
},
"log": {
"level": "Security"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Info MACHINE-F380 Received 3 users from EXAMPLEVPN (DC1 IP = 1.2.3.4).",
"event": {
"category": [
"authentication"
],
"type": [
"info"
]
},
"dns": {
"answers": [
{
"data": "1.2.3.4",
"name": "EXAMPLEVPN"
}
],
"question": {
"name": "EXAMPLEVPN"
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"hosts": [
"EXAMPLEVPN"
]
}
}
{
"message": "Info MACHINE-F380 phibs: Authentication Login for peer=5.6.7.8 origin=DCCLIENT server=box service=dcclient box=MACHINE-F380 startport=0 endport=0 user=jdoe",
"event": {
"action": "Login",
"category": [
"authentication"
],
"type": [
"start"
]
},
"barracuda": {
"box": {
"name": "MACHINE-F380"
},
"server": {
"type": "box"
},
"service": {
"name": "dcclient"
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"5.6.7.8"
],
"user": [
"jdoe"
]
},
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"user": {
"name": "jdoe"
}
}
{
"message": "Info MACHINE-F380 phibs: Authentication Login for peer=1.2.3.4 origin=DCCLIENT server=box service=dcclient box=MACHINE-F380 startport=0 endport=0 user=jdoe",
"event": {
"action": "Login",
"category": [
"authentication"
],
"type": [
"start"
]
},
"barracuda": {
"box": {
"name": "MACHINE-F380"
},
"server": {
"type": "box"
},
"service": {
"name": "dcclient"
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "jdoe"
}
}
{
"message": "Info MACHINE-F380 phibs: Authentication Timeout(28800) for peer=1.2.3.4 origin=DCCLIENT server=box service=dcclient box=MACHINE-F380 jdoe|||||||CN=VPN-ALL,OU=Groups,OU=Shared,OU=Business,DC=example,DC=com|1740086783|28800||msad||",
"event": {
"action": "Timeout(28800)",
"category": [
"authentication"
],
"type": [
"start"
]
},
"barracuda": {
"box": {
"name": "MACHINE-F380"
},
"server": {
"type": "box"
},
"service": {
"name": "dcclient"
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "jdoe"
}
}
{
"message": "Info EXAMPLE MSAD-Offline-Groups Setting MSAD offline group sync cache to 178.64 MByte (auto-calculated)",
"event": {
"category": [
"authentication"
],
"reason": "Setting MSAD offline group sync cache to 178.64 MByte (auto-calculated)",
"type": [
"info"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 MSAD-Offline-Groups Start sync for msad-groups for domain EXAMPLEDC04 on 1.2.3.4.",
"event": {
"category": [
"authentication"
],
"reason": "Start sync for msad-groups for domain EXAMPLEDC04 on 1.2.3.4.",
"type": [
"info"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 MSAD-Offline-Groups Start sync for domain EXAMPLEDC04 on 1.2.3.4.",
"event": {
"category": [
"authentication"
],
"reason": "Start sync for domain EXAMPLEDC04 on 1.2.3.4.",
"type": [
"info"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 Session from 127.0.0.1:15743 mode=0",
"event": {
"category": [
"session"
],
"type": [
"start"
]
},
"barracuda": {
"mode": {
"type": "0"
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 15743
}
}
{
"message": "Info MACHINE-F380 challenge sent for localhost_MACHINE-F380_5-4_1",
"event": {
"category": [
"session"
],
"type": [
"start"
]
},
"host": {
"name": "localhost"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Notice MACHINE-F380 127.0.0.1:15743 login succeeded: localhost_MACHINE-F380_5-4_1 Valid password and valid challenge",
"event": {
"category": [
"authentication"
],
"type": [
"start"
]
},
"host": {
"name": "localhost"
},
"log": {
"level": "Notice"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 15743
}
}
{
"message": "Info MACHINE-F380 New Session GCSID_localhost_MACHINE-F380_5-4_1_127.0.0.1_15743_25308",
"event": {
"category": [
"session"
],
"type": [
"start"
]
},
"barracuda": {
"session": {
"id": "25308"
}
},
"host": {
"name": "localhost"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 15743
}
}
{
"message": "Info EXAMPLE New Session GCSID_localhost_EXAMPLE_127.0.0.1_34031_56301",
"event": {
"category": [
"session"
],
"type": [
"start"
]
},
"barracuda": {
"session": {
"id": "56301"
}
},
"host": {
"name": "localhost"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 34031
}
}
{
"message": "Info MACHINE-F380 Process: Session(127.0.0.1:15743) exits normally",
"event": {
"category": [
"session"
],
"type": [
"end"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "127.0.0.1",
"ip": "127.0.0.1",
"port": 15743
}
}
{
"message": "Info MACHINE-F380 [master@1.2.3.4_36778] Download File /var/phion/mcdownload/firmwareupdates/files/9.0 received size=71731 mode=100644",
"event": {
"category": [
"file"
],
"reason": "Download File /var/phion/mcdownload/firmwareupdates/files/9.0 received size=71731 mode=100644",
"type": [
"info"
]
},
"barracuda": {
"mode": {
"type": "100644"
}
},
"file": {
"directory": "/var/phion/mcdownload/firmwareupdates/files",
"name": "9.0",
"path": "/var/phion/mcdownload/firmwareupdates/files/9.0",
"size": 71731
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 36778
}
}
{
"message": "Info MACHINE-F380 [master@1.2.3.4_29010] Commit operation: 0 Copy: bsyslog.conf from boxsrv",
"event": {
"category": [
"file"
],
"reason": "Commit operation: 0 Copy: bsyslog.conf from boxsrv",
"type": [
"info"
]
},
"barracuda": {
"commit": {
"operation": {
"id": "0"
}
}
},
"file": {
"directory": "boxsrv",
"name": "bsyslog.conf"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 29010
}
}
{
"message": "Info MACHINE-F380 [master@1.2.3.4_29010] Commit operation: 0 Execute: /opt/phion/modules/box/boxsrv/bsyslog/bin/activate /opt/phion/config/active/bsyslog.conf",
"event": {
"category": [
"process"
],
"reason": "Commit operation: 0 Execute: /opt/phion/modules/box/boxsrv/bsyslog/bin/activate /opt/phion/config/active/bsyslog.conf",
"type": [
"info"
]
},
"barracuda": {
"commit": {
"operation": {
"id": "0"
}
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"command_line": "/opt/phion/modules/box/boxsrv/bsyslog/bin/activate /opt/phion/config/active/bsyslog.conf"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 29010
}
}
{
"message": "Info MACHINE-F380 event: [1071065] Insert Event from 127.0.0.1:56405 - (D|3|boxfw|3|firewall|4015|9.10.11.12:443|MACHINE-F380_5-4_1|1740029102|TCP 5.6.7.8:80 (bond0.21) -> 9.10.11.12:443)",
"event": {
"action": "Insert",
"category": [
"network"
],
"reason": "Insert Event from 127.0.0.1:56405",
"severity": 3,
"type": [
"info"
]
},
"barracuda": {
"event": {
"category": "firewall",
"class": "D",
"code": "4015",
"id": "1071065",
"internal_id": "1740029102",
"sub_category_id": "3"
}
},
"destination": {
"address": "9.10.11.12",
"ip": "9.10.11.12",
"port": 443
},
"log": {
"level": "Info"
},
"network": {
"ingress": {
"interface": "bond0.21"
},
"transport": "TCP"
},
"observer": {
"type": "firewall"
},
"process": {
"thread": {
"name": "MACHINE-F380_5-4_1"
}
},
"related": {
"ip": [
"5.6.7.8",
"9.10.11.12"
]
},
"service": {
"address": "127.0.0.1",
"name": "boxfw"
},
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 80
}
}
{
"message": "Info MACHINE-F380 event: [1071065] Drop Event from 127.0.0.1:11703 - (D|3|MACHINE-F380MVPN|2|vpnserver|3002|IPSEC-EXAMPLE-1.2.3.4-5.6.7.8|MACHINE-F380_5-4_1)",
"event": {
"action": "Drop",
"category": [
"network"
],
"reason": "Drop Event from 127.0.0.1:11703",
"severity": 3,
"type": [
"info"
]
},
"barracuda": {
"event": {
"category": "vpnserver",
"class": "D",
"code": "3002",
"id": "1071065",
"sub_category_id": "2"
}
},
"destination": {
"address": "IPSEC-EXAMPLE-1.2.3.4-5.6.7.8"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"thread": {
"name": "MACHINE-F380_5-4_1"
}
},
"service": {
"address": "127.0.0.1",
"name": "MACHINE-F380MVPN"
}
}
{
"message": "Info MACHINE-F380 event: [1071032] Send Event (D|2|NGAdmin|2|Login|2420|root|MACHINE-F380_5-4_1) to Control Center 1.2.3.4",
"event": {
"action": "Send",
"category": [
"network"
],
"severity": 2,
"type": [
"info"
]
},
"barracuda": {
"event": {
"category": "Login",
"class": "D",
"code": "2420",
"id": "1071032",
"sub_category_id": "2"
}
},
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"thread": {
"name": "MACHINE-F380_5-4_1"
}
},
"related": {
"ip": [
"1.2.3.4"
]
},
"service": {
"name": "NGAdmin"
}
}
{
"message": "Info MACHINE-F380 event: [1071032] Send Event (D|2|control|2|controld|62|1.2.3.4/32 gateway table default dev bond0.23 via 13.14.15.16 proto 3|MACHINE-F380_5-4_1) to Control Center 5.6.7.8",
"event": {
"action": "Send",
"category": [
"network"
],
"severity": 2,
"type": [
"info"
]
},
"barracuda": {
"event": {
"category": "controld",
"class": "D",
"code": "62",
"id": "1071032",
"sub_category_id": "2"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"thread": {
"name": "MACHINE-F380_5-4_1"
}
},
"related": {
"ip": [
"5.6.7.8"
]
},
"service": {
"name": "control"
}
}
{
"message": "Security MACHINE-F380 firewall: [Timer] SecurityEvent: (Address-Port Scan) 149 unallowed requests for source IP 5.6.7.8 within 60 seconds",
"event": {
"category": [
"network"
],
"type": [
"info"
]
},
"barracuda": {
"unallowed_requests": {
"count": 149
}
},
"log": {
"level": "Security"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"5.6.7.8"
]
},
"source": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
}
}
{
"message": "Info MACHINE-F380 Allow: LOUT|UDP|bond0.603|1.2.3.4|61988|00:11:22:33:44:55|5.6.7.8|53|domain||RULENAME|0|9.10.11.12|5.6.7.8|0|1|0|0|0|0||||||",
"event": {
"action": "Allow",
"category": [
"network"
],
"duration": 0,
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"bytes": 0,
"ip": "5.6.7.8",
"nat": {
"ip": "5.6.7.8"
},
"packets": 0,
"port": 53
},
"log": {
"level": "Info"
},
"network": {
"transport": "UDP"
},
"observer": {
"ingress": {
"interface": {
"name": "bond0.603"
}
},
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8",
"9.10.11.12"
]
},
"rule": {
"name": "RULENAME"
},
"service": {
"target": {
"name": "domain"
}
},
"source": {
"address": "1.2.3.4",
"bytes": 0,
"ip": "1.2.3.4",
"mac": "00:11:22:33:44:55",
"nat": {
"ip": "9.10.11.12"
},
"packets": 0,
"port": 61988
}
}
{
"message": "Security EXAMPLE LocalBlock: <cumulative>|UDP|eth0|5.6.7.8|0|00:00:00:00:00:00|9.10.11.12|811|||<no-match>|4003|||0|24|0|0|0|0||||||",
"event": {
"action": "LocalBlock",
"category": [
"network"
],
"duration": 0,
"type": [
"info"
]
},
"destination": {
"address": "9.10.11.12",
"bytes": 0,
"ip": "9.10.11.12",
"packets": 0,
"port": 811
},
"log": {
"level": "Security"
},
"network": {
"transport": "UDP"
},
"observer": {
"ingress": {
"interface": {
"name": "eth0"
}
},
"type": "firewall"
},
"related": {
"ip": [
"5.6.7.8",
"9.10.11.12"
]
},
"rule": {
"name": "<no-match>"
},
"source": {
"address": "5.6.7.8",
"bytes": 0,
"ip": "5.6.7.8",
"mac": "00:00:00:00:00:00",
"packets": 0,
"port": 0
}
}
{
"message": "Warning MACHINE-F380 firewall: [Request] Allow: IPS ALLIP(0) 9.10.11.12 -> 1.2.3.4:0 |[ID: 5000002 TCPIP Port or IP Address Scan]||3|Probing",
"event": {
"action": "Allow",
"category": [
"network"
],
"severity": 3,
"type": [
"allowed"
]
},
"barracuda": {
"detection": {
"info": "ID: 5000002 TCPIP Port or IP Address Scan"
},
"ips": {
"classification": "Probing"
},
"request": {
"policy": "ALLIP(0)",
"type": "IPS"
}
},
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 0
},
"log": {
"level": "Warning"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"1.2.3.4",
"9.10.11.12"
]
},
"source": {
"address": "9.10.11.12",
"ip": "9.10.11.12"
}
}
{
"message": "Info MACHINE-F380 update|MACHINE-F380|PGRP-AUTH-jdoe-ABCD||||||1740020807|1740115598|116377688|1219271687|5.6.7.8|||jdoe",
"event": {
"action": "update",
"category": [
"network"
],
"type": [
"info"
]
},
"client": {
"address": [
"5.6.7.8"
],
"ip": [
"5.6.7.8"
],
"user": {
"name": "jdoe"
}
},
"destination": {
"bytes": 116377688
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"related": {
"ip": [
"5.6.7.8"
],
"user": [
"jdoe"
]
},
"source": {
"bytes": 1219271687
}
}
{
"message": "Warning MACHINE-F380 [5647250.628103] KTINA-WARN: IPSEC-v2-EXAMPLE doesn't have a transport",
"event": {
"category": [
"network"
],
"reason": "[5647250.628103] KTINA-WARN: IPSEC-v2-EXAMPLE doesn't have a transport",
"type": [
"info"
]
},
"log": {
"level": "Warning"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 control: Send status poll request status to Control Center 1.2.3.4",
"event": {
"category": [
"network"
],
"reason": "control: Send status poll request status to Control Center 1.2.3.4",
"type": [
"info"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 Log wrapping is enabled, log caching is enabled",
"event": {
"category": [
"network"
],
"reason": "Log wrapping is enabled, log caching is enabled",
"type": [
"info"
]
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 was able to ping process 1126 (/var/run/syslogd.pid).",
"event": {
"category": [
"process"
],
"reason": "was able to ping process 1126 (/var/run/syslogd.pid).",
"type": [
"info"
]
},
"file": {
"directory": "/var/run",
"name": "syslogd.pid",
"path": "/var/run/syslogd.pid"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
},
"process": {
"pid": 1126
}
}
{
"message": "Info MACHINE-F380 still alive after 23523 interval(s)",
"event": {
"category": [
"process"
],
"reason": "still alive after 23523 interval(s)",
"type": [
"info"
]
},
"barracuda": {
"intervals_alive": 23523
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 current load is 1 0 0",
"event": {
"category": [
"process"
],
"reason": "current load is 1 0 0",
"type": [
"info"
]
},
"barracuda": {
"load_average": "1 0 0"
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
{
"message": "Info MACHINE-F380 currently there are 3387184 kB of free memory available (209780 buffered, 1507836, cached)",
"event": {
"category": [
"process"
],
"reason": "currently there are 3387184 kB of free memory available (209780 buffered, 1507836, cached)",
"type": [
"info"
]
},
"barracuda": {
"memory_size": {
"buffered": 209780,
"cached": 1507836,
"total": 3387184
}
},
"log": {
"level": "Info"
},
"observer": {
"type": "firewall"
}
}
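The raw and transformed samples above fix the layout of the pipe-separated traffic line and the shape of the login, session and SecurityEvent messages. The following Python is an added example, not Sekoia.io's parser: it normalizes those shapes into ECS-style dicts using only the field positions the transformed samples confirm (positions the page does not name are kept raw under barracuda.raw_fields rather than guessed), then runs two custom detections of the kind the Detection section invites you to write: repeated denied logins to the box from one source IP, and allowed flows whose source the firewall itself flagged in an Address-Port Scan SecurityEvent. The sample lines are constructed from the page's samples; the final Allow line with destination port 22 is made up to trigger the second detection.

```python
"""Parse the Barracuda CloudGen log shapes shown on this page into ECS-style
dicts and run two custom detections over them.

Added example, not Sekoia.io's parser. Traffic field positions come from the
transformed samples above; unnamed positions stay raw in barracuda.raw_fields.
"""
import re
from collections import Counter

HEAD_RE = re.compile(r"^(?P<level>\w+) (?P<box>\S+) (?P<rest>.*)$")
TRAFFIC_RE = re.compile(r"^(?P<action>[A-Za-z]+): (?P<fields>[^|]*\|[A-Z0-9]+\|.*)$")
LOGIN_DENIED_RE = re.compile(r"^LOGIN ATTEMPT: Login from (?P<ip>\S+): Denied: (?P<reason>.*)$")
LOGIN_ALLOWED_RE = re.compile(
    r"^LOGIN ATTEMPT: (?P<proc>\w+)\[(?P<pid>\d+)\]: Login (?P<session>\S+) from (?P<ip>\S+) : Allowed\.$")
SCAN_RE = re.compile(
    r"^firewall: \[Timer\] SecurityEvent: \((?P<kind>[^)]+)\) (?P<count>\d+) unallowed requests "
    r"for source IP (?P<ip>\S+) within (?P<window>\d+) seconds$")

# Constructed sample lines, modelled on the raw event samples on this page.
# The last line is invented so that a flagged scanner also appears in an allowed flow.
SAMPLE_LINES = [
    "Security MACHINE-F380 LOGIN ATTEMPT: Login from 1.2.3.4: Denied: Firewall Rule RULENAME",
    "Security MACHINE-F380 LOGIN ATTEMPT: Login from 1.2.3.4: Denied: Firewall Rule RULENAME",
    "Security MACHINE-F380 LOGIN ATTEMPT: Login from 1.2.3.4: Denied: Firewall Rule RULENAME",
    "Info EXAMPLE LOGIN ATTEMPT: boxconfig[50357]: Login localhost_EXAMPLE from 127.0.0.1 : Allowed.",
    "Security MACHINE-F380 firewall: [Timer] SecurityEvent: (Address-Port Scan) 149 unallowed "
    "requests for source IP 5.6.7.8 within 60 seconds",
    "Info MACHINE-F380 Allow: LOUT|UDP|bond0.603|1.2.3.4|61988|00:11:22:33:44:55|5.6.7.8|53|domain||RULENAME|0|9.10.11.12|5.6.7.8|0|1|0|0|0|0||||||",
    "Security EXAMPLE LocalBlock: <cumulative>|UDP|eth0|5.6.7.8|0|00:00:00:00:00:00|9.10.11.12|811|||<no-match>|4003|||0|24|0|0|0|0||||||",
    "Info MACHINE-F380 Allow: LIN|TCP|eth0|5.6.7.8|40001|00:00:00:00:00:00|9.10.11.12|22|ssh||RULENAME|0|||0|1|0|0|0|0||||||",
]


def _port(text):
    return int(text) if text.isdigit() else None


def parse_line(line):
    """Return an ECS-style dict; unrecognised lines keep only message/log/observer."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    rest = head.group("rest")
    ev = {"message": line, "log": {"level": head.group("level")}, "observer": {"type": "firewall"}}
    if (m := TRAFFIC_RE.match(rest)):
        f = m.group("fields").split("|")
        if len(f) < 14:
            return ev
        ev["event"] = {"category": ["network"], "type": ["info"], "action": m.group("action")}
        ev["network"] = {"transport": f[1]}
        ev["observer"]["ingress"] = {"interface": {"name": f[2]}}
        ev["source"] = {"ip": f[3], "port": _port(f[4]), "mac": f[5]}
        ev["destination"] = {"ip": f[6], "port": _port(f[7])}
        ev["rule"] = {"name": f[10]}
        if f[8]:
            ev["service"] = {"target": {"name": f[8]}}
        if f[12]:
            ev["source"]["nat"] = {"ip": f[12]}
        if f[13]:
            ev["destination"]["nat"] = {"ip": f[13]}
        ev["barracuda"] = {"traffic_type": f[0], "raw_fields": f[14:]}  # counters the page does not name
    elif (m := LOGIN_DENIED_RE.match(rest)):
        ev["event"] = {"category": ["authentication"], "type": ["start"], "outcome": "failure"}
        ev["source"] = {"ip": m.group("ip")}
        ev["error"] = {"message": m.group("reason")}
    elif (m := LOGIN_ALLOWED_RE.match(rest)):
        ev["event"] = {"category": ["authentication"], "type": ["start"], "outcome": "success"}
        ev["source"] = {"ip": m.group("ip")}
        ev["process"] = {"name": m.group("proc"), "pid": int(m.group("pid"))}
        ev["user"] = {"name": m.group("session").split("_")[0]}  # as the page's parser does
    elif (m := SCAN_RE.match(rest)):
        ev["event"] = {"category": ["network"], "type": ["info"]}
        ev["source"] = {"ip": m.group("ip")}
        ev["barracuda"] = {"security_event": m.group("kind"),
                           "unallowed_requests": {"count": int(m.group("count")),
                                                  "window_seconds": int(m.group("window"))}}
    return ev


def failed_admin_logins(events, threshold=3):
    """Source IPs with at least `threshold` denied logins to the box."""
    hits = Counter(e["source"]["ip"] for e in events if e.get("event", {}).get("outcome") == "failure")
    return {ip: n for ip, n in hits.items() if n >= threshold}


def scanner_sources_allowed(events):
    """Allowed flows whose source IP the firewall itself flagged as an address/port scanner."""
    scanners = {e["source"]["ip"] for e in events
                if e.get("barracuda", {}).get("security_event") == "Address-Port Scan"}
    return [{"source.ip": e["source"]["ip"], "rule.name": e["rule"]["name"],
             "destination": f"{e['destination']['ip']}:{e['destination']['port']}"}
            for e in events
            if e.get("event", {}).get("action") == "Allow" and e["source"]["ip"] in scanners]


def run_samples(lines=SAMPLE_LINES):
    events = [ev for ev in map(parse_line, lines) if ev]
    return {"events": events, "failed_logins": failed_admin_logins(events),
            "scanner_allowed": scanner_sources_allowed(events)}


if __name__ == "__main__":
    result = run_samples()
    print(result["failed_logins"], result["scanner_allowed"])
```

Both detections rely only on fields the page's parser extracts (source.ip, event.outcome, event.action, rule.name, destination.*), so the same logic translates directly into custom rules over the ingested events; the scanner correlation is the more useful of the two, since an Address-Port Scan SecurityEvent on its own says nothing about whether the scanner was later let through by a rule.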
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
barracuda.box.name | keyword | |
barracuda.commit.operation.id | keyword | |
barracuda.detection.info | keyword | |
barracuda.event.category | keyword | |
barracuda.event.class | keyword | |
barracuda.event.code | keyword | |
barracuda.event.id | keyword | |
barracuda.event.internal_id | keyword | |
barracuda.event.sub_category_id | keyword | |
barracuda.intervals_alive | number | |
barracuda.ips.categories | keyword | |
barracuda.ips.classification | keyword | |
barracuda.load_average | keyword | |
barracuda.memory_size.buffered | number | |
barracuda.memory_size.cached | number | |
barracuda.memory_size.total | number | |
barracuda.mode.type | keyword | |
barracuda.request.policy | keyword | |
barracuda.request.type | keyword | |
barracuda.server.type | keyword | |
barracuda.service.name | keyword | |
barracuda.session.id | keyword | |
barracuda.unallowed_requests.count | number | |
client.ip | ip | IP address of the client. |
client.user.name | keyword | Short name or login of the user. |
destination.address | keyword | Destination network address. |
destination.bytes | long | Bytes sent from the destination to the source. |
destination.ip | ip | IP address of the destination. |
destination.nat.ip | ip | Destination NAT ip |
destination.packets | long | Packets sent from the destination to the source. |
destination.port | long | Port of the destination. |
dns.answers | object | Array of DNS answers. |
dns.question.name | keyword | The name being queried. |
error.message | match_only_text | Error message. |
event.action | keyword | The action captured by the event. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.duration | long | Duration of the event in nanoseconds. |
event.outcome | keyword | The outcome of the event. The lowest level categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source |
event.severity | long | Numeric severity of the event. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
file.directory | keyword | Directory where the file is located. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.path | keyword | Full path to the file, including the file name. |
file.size | long | File size in bytes. |
host.name | keyword | Name of the host. |
log.level | keyword | Log level of the log event. |
network.ingress.interface | keyword | |
network.protocol | keyword | Application protocol name. |
network.transport | keyword | Protocol name corresponding to the field iana_number. |
observer.egress.interface.name | keyword | Interface name |
observer.ingress.interface.name | keyword | Interface name |
observer.type | keyword | The type of the observer the data is coming from. |
process.command_line | wildcard | Full command line that started the process. |
process.name | keyword | Process name. |
process.pid | long | Process id. |
process.thread.name | keyword | Thread name. |
rule.name | keyword | Rule name |
service.address | keyword | Address of this service. |
service.name | keyword | Name of the service. |
service.target.name | keyword | Name of the service. |
source.address | keyword | Source network address. |
source.bytes | long | Bytes sent from the source to the destination. |
source.ip | ip | IP address of the source. |
source.mac | keyword | MAC address of the source. |
source.nat.ip | ip | Source NAT ip |
source.packets | long | Packets sent from the source to the destination. |
source.port | long | Port of the source. |
user.name | keyword | Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.