Barracuda CG Firewall Activity Log Parsing

Hey Community,
I'm completely new to these things, but I have the challenge to parse a firewall activity log of a Barracuda CG Firewall, and I have absolutely no idea how to do that.
Maybe there is someone out there who can give me a hands-on in this topic.

My syslog message looks like this:
XXX-01 XXX-01/box_Firewall_Activity: Info XXX-01 Allow: LIN|TCP|||51320|00:00:00:00:00:00||8080|webcache|bond0.999|OP-SRV-PX|0|||0|1|0|0|0|0|mm1_user|||||

And the challenge is to separate all the terms, separated by a pipe, into different fields, like this:

Firewall Name XXX-01
Action Allow
Type LIN
Protocol TCP
srcPort 51320
srcMAC 00:00:00:00:00:00
dstPort 8080
Service webcache
dstIF bond0.999
info 0
duration 0
count 1
RXBytes 0
TXBytes 0
RXPackets 0
TXPackets 0
User mm1_user
App Target
URL Category

BR, esqu

Hello && welcome @esqu

I found another post a while back; maybe this might help.

Or here is another one using key_value.

And another good example here.

Hope that helps.


If you can grab out just the part using the | separators, using regex etc. (and you may need to use the same to grab some of those first fields),

then I think you should be able to use the split function to turn it into an array stored in a variable, like

let var = split(…

And then once it's in that variable you should be able to do something like

set_field("field1", var[0]);
set_field("field2", var[1]);

That's all from memory, so make sure to check the format of those pipeline functions, but that general idea should work.

Also, if you want to normalize your data (so that fields match between device types, which is helpful for dashboards etc.), you may want to name your fields to match the Graylog schema.
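As an added example (not code from the thread or from Graylog), here is the regex-then-split-by-position approach above as a stand-alone Python parser run over the sample line from the question; the header regex, the column positions and the `field_NN` placeholders for positions the question does not name are my assumptions, and the field names follow the mapping the question asks for.

```python
import re
from typing import Optional

# Header of a Barracuda CG Firewall activity line as shown in the thread:
#   "<fw> <fw>/box_Firewall_Activity: <severity> <fw> <action>: <pipe-delimited body>"
# (regex is an assumption based on the single sample line)
HEADER_RE = re.compile(
    r"^(?P<firewall_name>\S+) \S+/box_Firewall_Activity: \S+ \S+ "
    r"(?P<action>\w+): (?P<body>.*)$"
)

# Position -> field name for the pipe-delimited body. Positions are inferred
# from the sample line (assumption); positions the question does not name
# get a "field_NN" placeholder rather than an invented name.
COLUMNS = {
    0: "type", 1: "protocol", 4: "src_port", 5: "src_mac", 7: "dst_port",
    8: "service", 9: "dst_if", 11: "info", 14: "duration", 15: "count",
    16: "rx_bytes", 17: "tx_bytes", 18: "rx_packets", 19: "tx_packets",
    20: "user", 21: "app_target", 22: "url_category",
}
EXPECTED_FIELDS = 26  # what the sample body splits into, trailing pipes included


def parse_activity(line: str) -> Optional[dict]:
    """Return extracted fields as a dict, or None if this is not an activity line."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    fields = {"firewall_name": m["firewall_name"], "action": m["action"]}
    parts = m["body"].split("|")
    # A different firmware or log variant would shift every column after the
    # change, so flag a length mismatch instead of mis-labelling the values.
    if len(parts) != EXPECTED_FIELDS:
        fields["parse_warning"] = f"expected {EXPECTED_FIELDS} fields, got {len(parts)}"
    for idx, value in enumerate(parts):
        if value != "":  # empty columns are left out of the message
            fields[COLUMNS.get(idx, f"field_{idx:02d}")] = value
    return fields


# Constructed sample: the line from the question.
SAMPLE = ("XXX-01 XXX-01/box_Firewall_Activity: Info XXX-01 Allow: "
          "LIN|TCP|||51320|00:00:00:00:00:00||8080|webcache|bond0.999|OP-SRV-PX"
          "|0|||0|1|0|0|0|0|mm1_user|||||")

if __name__ == "__main__":
    for name, value in parse_activity(SAMPLE).items():
        print(f"{name:15} {value}")
```

In a Graylog pipeline rule the same three steps are regex(), split() and set_field(); the length check is the part worth carrying over, since a column count that differs from the expected one means the positional names no longer apply.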
