Barracuda Firewall allows you to monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.
This event source does not work with the Barracuda Web Application Firewall (WAF).
Before You Begin
InsightIDR can accept Barracuda data if it is in the form of syslog; therefore, you must configure syslog streaming from the Barracuda Firewall application. Read about how to do so here: https://campus.barracuda.com/product/nextgenfirewallf/doc/48202999/how-to-configure-syslog-streaming/?sl=AWFYFc8BWVWOJEbewYp2&so=3.
Depending on the kind of Barracuda Firewall you have, your logs will appear a certain way.
Read about the format of Network Firewall logs here: https://campus.barracuda.com/product/webapplicationfirewall/doc/4259935/how-to-configure-syslog-and-other-logs/#h4_f39f4861.
You can also see Barracuda's table of log formats here: https://campus.barracuda.com/product/webapplicationfirewall/doc/4259935/how-to-configure-syslog-and-other-logs/#h4_cf724fa7.
An example of a parsable log looks like the following:
1<14>2018-06-04T09:33:09-07:00 BarracudaFirewall600-HA BarracudaFirewall600-HA/FW_Activity: Info BarracudaFirewall600-HA type=FWD|proto=TCP|srcIF=p7|srcIP=220.127.116.11|srcPort=45432|srcMAC=4c:96:14:72:d5:d3|dstIP=18.104.22.168|dstPort=80|dstService=http|dstIF=p1|rule=RedirectTimeclockdotcom|info=TF-Sync|srcNAT=22.214.171.124|dstNAT=10.0.25.191|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=
How to Configure This Event Source
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Security Data” section, click the Firewall icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unparsed logs.
- Configure your default domain and any Advanced Event Source Settings.
- Select a collection method and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.