Barracuda CG Firewall Activity Log Parsing

esqu · February 15, 2023, 7:01pm

Hey Community,
I’m completly new into this things, but I have the challenge to parse a firewall activity log of a barracuda CG Firewall, and I have absolutley no idea, how to do that.
Maybe there is someone out there, who can give me a hands on in this topic

my syslog message looks like this
XXX-01 XXX-01/box_Firewall_Activity: Info XXX-01 Allow: LIN|TCP||10.105.9.144|51320|00:00:00:00:00:00|10.200.200.199|8080|webcache|bond0.999|OP-SRV-PX|0|10.105.9.144|10.200.200.199|0|1|0|0|0|0|mm1_user|||||

And the challenge is to seperate all the terms, seperated by a pipe, into different fields - like this

Firewall Name XXX-01
Action Allow
Type LIN
Protocoll TCP
srcIF
srcIP 10.105.9.144
srcPort 51320
srcMAC 00:00:00:00:00:00
dstIP 10.200.200.199
dstPort 8080
Service webcache
dstIF bond0.999
RULE OP-SRV-PX
info 0
srcNAT 10.105.9.144
dstNAT 10.200.200.199
duration 0
count 1
RXBytes 0
TXBytes 0
RXPackets 0
TXPackets 0
User mm1_user
Protocoll
App Target
Content
URL Category

br esqu

gsmith · February 15, 2023, 10:34pm

Hello && welcome @esqu

I found another post while back, maybe this might help.

Problems parsing pipe delimited log file with pipeline rules

Or here is another one using Key_value

Pipeline rule to split log messages into key-value fields not working - #3 by tmacgbay

And another good example here.

Issue with Key=Value Parser Pipeline for specific log-messages - #2 by shoothub

Hope that helps.

Joel_Duffield · February 19, 2023, 4:03am

If you can grab out just the part using the | seperators, using regex etc (and may need to use the same to grab some of those first fields)

But then i think you should be able to use the split function to turn it into an array stored in a variable like

Let var = split(…

And then once its in that variable you should be able to do something like

Set_field(“field1”, var[0])
Set_field(“field2”, var[1])
Etc.

Thats all from memory, so make sure to check the format of those pipeline functions, but that general idea should work.

Also if you want to normalize your data (so that fields match between device types, helpful for dashboards etc) you may want to name your fields to match the Graylog schema
https://schema.graylog.org/en/stable/schema/entites.html

system · March 5, 2023, 4:03am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Barracuda (Email Security Gateway) Graylog Add-ons	1	1401	March 6, 2017
Configuration of an Extractor on a WAF Graylog Central (peer support) documentation , basic-configuration	10	1255	June 3, 2022
Need help with extractor grok pattern Graylog Tech Challenges pipeline-rules	6	1393	May 24, 2022
Working with multiple messages Graylog Central (peer support)	5	2586	October 13, 2017
Troubles writing a pipeline for Firepower Management Center logs Graylog Central (peer support)	7	1320	April 27, 2019

Barracuda CG Firewall Activity Log Parsing

Related topics