Barracuda CG Firewall Activity Log Parsing

Hey Community,
I'm completely new to these things, but I have the challenge of parsing a firewall activity log of a Barracuda CG Firewall, and I have absolutely no idea how to do that.
Maybe there is someone out there who can give me a hands-on in this topic.

My syslog message looks like this:
XXX-01 XXX-01/box_Firewall_Activity: Info XXX-01 Allow: LIN|TCP||10.105.9.144|51320|00:00:00:00:00:00|10.200.200.199|8080|webcache|bond0.999|OP-SRV-PX|0|10.105.9.144|10.200.200.199|0|1|0|0|0|0|mm1_user|||||

And the challenge is to separate all the terms, separated by a pipe, into different fields, like this:

Firewall Name XXX-01
Action Allow
Type LIN
Protocol TCP
srcIF
srcIP 10.105.9.144
srcPort 51320
srcMAC 00:00:00:00:00:00
dstIP 10.200.200.199
dstPort 8080
Service webcache
dstIF bond0.999
RULE OP-SRV-PX
info 0
srcNAT 10.105.9.144
dstNAT 10.200.200.199
duration 0
count 1
RXBytes 0
TXBytes 0
RXPackets 0
TXPackets 0
User mm1_user
Protocol
App Target
Content
URL Category

br esqu

Hello && welcome @esqu

I found another post a while back; maybe this might help.

Or here is another one using Key_value

And another good example here.

Hope that helps.


If you can grab out just the part using the | separators, using regex etc. (and you may need to use the same to grab some of those first fields).

But then I think you should be able to use the split function to turn it into an array stored in a variable like

let var = split(…

And then once its in that variable you should be able to do something like

set_field("field1", var[0])
set_field("field2", var[1])
etc.

That's all from memory, so make sure to check the format of those pipeline functions, but that general idea should work.

Also, if you want to normalize your data (so that fields match between device types, which is helpful for dashboards etc.), you may want to name your fields to match the Graylog schema:
https://schema.graylog.org/en/stable/schema/entites.html
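The regex-then-split approach described in the reply above, written out as an added Python example that is not from the original thread, from Barracuda or from Graylog. It pulls the firewall name, level and action out of the prefix with a regex, splits the remainder on `|`, and assigns the 25 positions to the field names from the first post (the same index-to-name mapping a Graylog pipeline rule would express with `split()` and `set_field()`). The prefix pattern is derived only from the one line in the post, the `Block` action and the second and third sample lines are constructed assumptions, and the snake_case field names are my own renaming of the poster's list, not documented Barracuda or Graylog names.

```python
import re
from typing import Dict, List, Optional

# Names for the 25 pipe-separated positions, in the order listed in the post
# (snake_case renaming of the poster's labels; to use Graylog schema names,
# edit this list only, the positions stay the same).
PIPE_FIELDS: List[str] = [
    "type", "protocol", "src_if", "src_ip", "src_port", "src_mac",
    "dst_ip", "dst_port", "service", "dst_if", "rule", "info",
    "src_nat", "dst_nat", "duration", "count", "rx_bytes", "tx_bytes",
    "rx_packets", "tx_packets", "user", "app_protocol", "app_target",
    "content", "url_category",
]

# Positions that become integers when they hold a number.
NUMERIC_FIELDS = {
    "src_port", "dst_port", "duration", "count",
    "rx_bytes", "tx_bytes", "rx_packets", "tx_packets",
}

# Everything before the pipe block, as seen in the posted line:
#   "<fw> <fw>/box_Firewall_Activity: <level> <fw> <action>: <pipes>"
# Assumption: the action is one word (only "Allow" is attested; "Block" is
# assumed) and the message starts at the firewall name, i.e. any syslog
# header has already been stripped by the input.
PREFIX_RE = re.compile(
    r"^(?P<firewall_name>\S+)\s+\S+/box_Firewall_Activity:\s+"
    r"(?P<level>\S+)\s+\S+\s+(?P<action>[A-Za-z]+):\s+(?P<rest>.*)$"
)


def _to_int(value: str) -> object:
    """Convert a numeric string to int; leave anything else untouched."""
    try:
        return int(value)
    except ValueError:
        return value


def parse_activity_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one Barracuda CG Firewall activity line into named fields.

    Returns None for lines that do not match the activity-log prefix, so a
    caller can route them elsewhere instead of mis-assigning positions.
    """
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, object] = {
        "firewall_name": m.group("firewall_name"),
        "level": m.group("level"),
        "action": m.group("action"),
    }
    tokens = m.group("rest").split("|")
    # The block ends with a pipe, so split() yields one empty token past the
    # 25 named positions; drop exactly that one, not every empty value.
    if len(tokens) == len(PIPE_FIELDS) + 1 and tokens[-1] == "":
        tokens.pop()
    # Pad short lines so every named field exists (empty -> None) and keep
    # any surplus, so a format change shows up instead of being lost.
    padded = tokens + [""] * (len(PIPE_FIELDS) - len(tokens))
    for name, value in zip(PIPE_FIELDS, padded):
        if value == "":
            fields[name] = None
        elif name in NUMERIC_FIELDS:
            fields[name] = _to_int(value)
        else:
            fields[name] = value
    if len(tokens) > len(PIPE_FIELDS):
        fields["extra"] = tokens[len(PIPE_FIELDS):]
    return fields


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse many lines, skipping those that are not activity-log entries."""
    return [f for f in (parse_activity_line(l) for l in lines) if f is not None]


# Constructed sample input: line 1 is the line from the post; line 2 is an
# assumed Block entry with empty NAT and user columns; line 3 is an
# unrelated message that the parser must skip.
SAMPLE_LINES = [
    "XXX-01 XXX-01/box_Firewall_Activity: Info XXX-01 Allow: LIN|TCP||10.105.9.144|51320|00:00:00:00:00:00|10.200.200.199|8080|webcache|bond0.999|OP-SRV-PX|0|10.105.9.144|10.200.200.199|0|1|0|0|0|0|mm1_user|||||",
    "XXX-01 XXX-01/box_Firewall_Activity: Info XXX-01 Block: LIN|UDP|bond0.10|10.105.9.7|60001|00:11:22:33:44:55|10.200.200.53|53|domain|bond0.999|DENY-ALL|0|||0|3|0|0|0|0||||||",
    "XXX-01 XXX-01/box_Event: Warning some unrelated message",
]

if __name__ == "__main__":
    for parsed in parse_lines(SAMPLE_LINES):
        for key, value in parsed.items():
            print(f"{key:15} {value}")
        print()
```

Two details matter when carrying this over to a pipeline rule: the trailing `|` on every line produces one extra empty element after `split()`, so the last named field is index 24 and index 25 is always empty, and empty positions (srcIF, the App/Content/URL columns) are better left unset than stored as empty strings, which otherwise show up as real values in searches and dashboards.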
