Creating extractor for Barracuda [WAF]
Hello everyone,
I'm sending this message because I need help: I can't find a way to create an extractor with a JSON file for the latest version of the Barracuda WAF. I've tried looking on the Marketplace; I found an example, but I don't really understand how it works, and when I tried to import it, it wasn't parsing. I've also read the documentation about JSON files, but I don't understand how to parse logs when the delimiter in the logs is a space and not a character like ";" or ",".
Can someone please explain the different steps to create this JSON file?
2. Describe your environment:
OS Information: WAF / Version 11.0.1.006
Package Version: Graylog Version / 4.2.6
Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
I've tried looking on the Marketplace, importing a JSON file from it, replacing some parameters and adding it to my Graylog interface; I've read the documentation and watched a lot of videos.
4. How can the community help?
It would be very helpful if someone could guide me; I would really appreciate it, as I'm not experienced in parsing logs…
Hi! Thank you for your response, I'm glad that you might help me!
So first, yes, Barracuda [WAF] is a web firewall! Second, the logs that are sent from the Barracuda are in syslog-ng format, and I would like to create a JSON extractor to parse those logs correctly! I saw an option in the Graylog interface where I can put JSON code.
Here is an example of one log, just for you to see how they look in Graylog without parsing (I've put only the beginning; it's a looong log)
I've tried to parse with a JSON file from the Marketplace on Graylog; I've changed it (the regex rule, for example), but it's not working, and I'm kind of lost…
If you can explain to me how to create the JSON file, it would mean a lot to me!
Hello,
Thanks for the feedback. I am curious, and correct me if I'm wrong, but the JSON logs are received and indexed, meaning you can see these logs in a search?
Have you tried a different INPUT type/PORT? The reason I mention this is that a GELF UDP input might help create those fields for you. Not sure if this was tested already.
My apologies, I'm not very good at making JSON extractors. I try to avoid them as much as possible. I tend to use either a pipeline or a regex extractor.
I can work out which regex extractors are needed from the example of the log you posted, if you want to go that route.
Hope that helps. Sorry it's not a JSON extractor, but to be honest I've seen a pipeline work way better than an extractor since you want multiple fields created.
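As an added example (not code from either poster, and not a Barracuda or Graylog artifact), here is a small Python script that shows what an extractor "JSON file" actually is: a Graylog extractor export containing one regex extractor per field. For a space-delimited log the trick is a positional regex that skips N whitespace-separated tokens and captures the next one, which is what the original question is missing. The sample line and the field names are constructed placeholders for illustration (the thread's real log was not included), and the Graylog version string is the one given in the thread; the script also dry-runs the regexes locally so you can check each capture before importing.

```python
import json
import re

# Constructed sample line (assumption): a space-delimited, syslog-style line in
# the shape the thread describes. It is NOT a real Barracuda WAF record; the
# thread's own example log was not included in the page.
SAMPLE_LINE = ("2024-01-15 10:22:31 WAF-01 WF ALERT 203.0.113.7 10.0.0.5 "
               "GET /login 403 rule_id_1234")

# Field names are constructed for illustration, one per space-separated token,
# in order of appearance. Rename them to match the real Barracuda fields.
FIELD_NAMES = [
    "log_date", "log_time", "waf_unit", "log_type", "severity",
    "client_ip", "server_ip", "http_method", "url", "http_status", "rule_id",
]


def positional_regex(index):
    """Regex that skips `index` whitespace-separated tokens and captures the next one.

    Graylog's regex extractor stores the first capture group, and the syntax
    used here (\\S, \\s, {n}, (?:...)) is valid in Java regex as well as Python's.
    """
    return r"^(?:\S+\s+){%d}(\S+)" % index


def build_extractor_file(field_names, graylog_version):
    """Build a dict in the shape of a Graylog extractor export (the JSON you
    import under an input's "Manage extractors" page)."""
    extractors = []
    for i, name in enumerate(field_names):
        converters = []
        # Optional converter so a numeric field is indexed as a number
        # (Graylog's "numeric" converter type); applied to the constructed status field.
        if name == "http_status":
            converters.append({"type": "numeric", "config": {}})
        extractors.append({
            "title": name,
            "extractor_type": "regex",
            "converters": converters,
            "order": i,
            "cursor_strategy": "copy",     # keep the original message intact
            "source_field": "message",
            "target_field": name,
            "extractor_config": {"regex_value": positional_regex(i)},
            "condition_type": "none",
            "condition_value": "",
        })
    return {"extractors": extractors, "version": graylog_version}


def apply_locally(line, extractor_file):
    """Dry-run the regex extractors over one line the way Graylog does
    (search for the pattern, keep group 1) to check captures before importing."""
    result = {}
    for ext in extractor_file["extractors"]:
        m = re.search(ext["extractor_config"]["regex_value"], line)
        if m:
            result[ext["target_field"]] = m.group(1)
    return result


if __name__ == "__main__":
    export = build_extractor_file(FIELD_NAMES, "4.2.6")
    print(json.dumps(export, indent=2))          # save this as the import file
    for field, value in apply_locally(SAMPLE_LINE, export).items():
        print(f"{field:12} = {value}")
```

Save the printed JSON to a file and import it on the Barracuda input's extractor page; each field then appears as its own indexed field on incoming messages. Two caveats: a field that itself contains spaces (a user agent, a free-text reason) breaks the one-token-per-field assumption and needs its own pattern (for a trailing field, `^(?:\S+\s+){N}(.+)$`), and the same positional regexes can be moved into a pipeline rule with `regex()` if you prefer the pipeline route the second reply recommends.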