Barracuda

Overview

Barracuda Firewall allows you to monitor what is happening between your network and the rest of the world, and can monitor things such as how much data is being sent from which computer, where the data is going, and who is receiving the data.

Before You Begin

InsightOps can accept Barracuda data if it is in the form of syslog; therefore, you must configure syslog streaming from the Barracuda Firewall application. Read about how to do so here.

Log Examples

Depending on the kind of Barracuda Firewall you have, your logs will appear a certain way.

Read about the format of Network Firewall logs here.

Read about the format of Web Firewall logs here.

You can also see Barracuda's table of log formats here.

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu
  2. At the top right of the page, select the dropdown that says "Setup Event Source" and then choose Add Event Source
  3. Select the Firewall icon from the Security Data section
  4. Select your collector, and optionally name your event source
  5. From the list of event source options, choose Barracuda NG Firewall/VPN
  6. Choose a timezone, or optionally display only US timezones
  7. Optionally choose to send unfiltered logs
  8. Configure any advanced event source settings.
  9. Select either Listen for Syslog or Log Aggregator; both require that you specify a port and a protocol. Optionally choose to Encrypt the event source if choosing TCP
  10. If you are choosing to encrypt, select the button "Download Certificate" which will download Rapid7's certificate. This file will be called Rapid7CA.pem and will allow InsightOps and Barracuda Firewall to "trust" each other during log forwarding.

Advanced Event Source Settings

Fallback Domain(s): If you have event sources running in a multi-domain environment, Rapid7 recommends having a fallback domain in order to resolve any issues with user accounts.

For instance, if your company is the US and in Canada, but both locations have a user named "John Smith" and your main domain is company.com, your fallback domain could be company.ca, which would allow InsightOps to more accurately attribute data to the correct user.