Configuration of an Extractor on a WAF

Creating extractor for Barracuda [WAF]

Hello everyone,

I'm sending this message because I need help: I can't find a way to create an extractor with a JSON file for the latest version of the Barracuda WAF. I've tried to look on the Marketplace; I found an example, but I don't really understand how it works, and when I tried to import it, it isn't parsing :frowning: I've also read the documentation about the JSON file, but I don't understand how to parse logs when the delimiter in the logs is a space and not a character like ";" or ",".

Can someone please explain the different steps to create this JSON file?

2. Describe your environment:

  • OS Information: WAF / Version 11.0.1.006

  • Package Version: Graylog Version / 4.2.6

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I've tried looking on the Marketplace, importing a JSON file from it, replacing some parameters and adding it to my Graylog interface; I've read the documentation and watched a lot of videos.
4. How can the community help?

It would be very helpful if someone could guide me; I would really appreciate it, I'm not experienced in parsing logs…


Hello && Welcome.

Barracuda [WAF] I believe this is a firewall, is this correct?

Correct me if I’m wrong, there are logs sent from Barracuda [WAF] that are in JSON format and you need to create a field/s for these logs?

If you want to use an extractor and this is correct, I might be able to help.

Can you show an example of these logs?

What type of INPUT are you using (i.e. Syslog UDP/TCP, Raw/Plaintext, GELF, etc.)?

If you could explain in greater detail what end result you want, that would be appreciated.

Can you show what has been tried already?

Hi! Thank you for your response, I'm glad that you might help me! :slight_smile:

So first, yes, Barracuda [WAF] is a web firewall! Second, the logs that are sent from the Barracuda are in syslog-ng format, and I would like to create a JSON extractor to parse those logs correctly! I saw an option in the Graylog interface where I can put JSON code.

Here is an example of one log, just so you can see how they look in Graylog without parsing (I've only put the beginning, it's a looongg log):

08:11/69.356 +200 NameFirewall 192.180.65.23 443 91.184.102.100 32694 '-' '-' GET TLSv1.3 www.youtube.fr HTTP/1.1 200

As you can see, the delimiter is a space!

For the configuration of the input, I'm using syslog. And I would like to have this kind of result:
Time: 08:11/69.356 +200

Firewall name: Pare-feu-secret

Service IP: 192.180.65.23

Port: 443

Proxy address: 91.184.102.100

Proxy port: 32694

Server method: GET

Server protocol: TLSv1.3

Host: www.myefrei.fr

Server version: HTTP/1.1

Server response: 200

I've tried to parse with a JSON file from the Marketplace on Graylog; I've changed it (the regex rule, for example) but it's not working, and I'm kinda lost…

If you can explain to me how to create the JSON file, it would mean a lot to me! :slight_smile:

Thank you again,

Hello,
Thanks for the feedback. I am curious, and correct me if I'm wrong, but the JSON logs are received and indexed, meaning you can see these logs in a search?

Have you tried a different INPUT type/PORT? The reason I ask is that a GELF UDP input might help create those fields for you. Not sure if this was tested already.

My apologies, I'm not very good at making a JSON extractor. I try to avoid them as much as possible. I have a tendency to use either a pipeline or a Regex extractor.

I can find out what REGEX extractors are needed from the example log you posted, if you want to go that route.

Ok… so what I did was…

Create a Syslog UDP input.

Then I uploaded this example to my lab GL server.

As shown here.

Then I tested a GROK extractor, as shown below.

Results.

That was an easy way, but I prefer REGEX.
Using this command below to grab the IP address:

^.+?((?:\d+\.){3}\d+).+$

Test REGEX.

Below you can see both the GROK patterns and the new REGEX fields created.

Hope that helps, sorry it's not a JSON extractor, but to be honest I've seen a pipeline work way better than an extractor since you want multiple fields created.
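The two parsing approaches discussed in this thread (a GROK/regex pattern that names every field at once, and the reply's single-group regex that a Graylog regex extractor would use for one field) are shown below as an added example. It is not code from the thread, from Graylog or from Barracuda. The field names are assumptions taken from the poster's wish list, the two quoted '-' tokens are kept as quoted_1/quoted_2 because nothing in the thread says what they hold, and the sample line is the one the poster shared, truncated after the status code.

```python
"""Parse a space-delimited Barracuda WAF access-log line into named fields.

Added example for this thread; it is not Graylog's or Barracuda's code. Field
names are assumptions taken from the poster's wish list. Runs offline with
Python 3.6+ and only the standard library.
"""
import re
import shlex
from typing import Optional

# The line the poster shared (truncated after the status code in the thread).
SAMPLE_LINE = (
    "08:11/69.356 +200 NameFirewall 192.180.65.23 443 "
    "91.184.102.100 32694 '-' '-' GET TLSv1.3 www.youtube.fr HTTP/1.1 200"
)

# Positional field names, assumed from the desired output in the thread.
# The two quoted '-' tokens are kept as quoted_1/quoted_2 because the poster
# did not say what they hold.
FIELD_NAMES = [
    "time", "firewall", "service_ip", "port", "proxy_ip", "proxy_port",
    "quoted_1", "quoted_2", "method", "protocol", "host", "version", "response",
]

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# One anchored regex with a named group per field: the same idea as a GROK
# pattern, and what a single pipeline rule would use to fill many fields.
LINE_RE = re.compile(
    r"^(?P<time>\S+ \+\d+) "                        # 08:11/69.356 +200
    r"(?P<firewall>\S+) "
    rf"(?P<service_ip>{IPV4}) (?P<port>\d+) "
    rf"(?P<proxy_ip>{IPV4}) (?P<proxy_port>\d+) "
    r"'(?P<quoted_1>[^']*)' '(?P<quoted_2>[^']*)' "  # quoted tokens, '-' when empty
    r"(?P<method>[A-Z]+) (?P<protocol>\S+) (?P<host>\S+) "
    r"(?P<version>HTTP/\d\.\d) (?P<response>\d{3})"
    r"(?: (?P<rest>.*))?$"                           # whatever follows the status code
)

# The regex the reply above uses to grab the IP address. Graylog's regex
# extractor stores capture group 1, so this yields the first IPv4 on the line.
FIRST_IP_RE = re.compile(r"^.+?((?:\d+\.){3}\d+).+$")


def parse_with_regex(line: str) -> Optional[dict]:
    """Return the named fields, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_with_split(line: str) -> Optional[dict]:
    """Positional parse: split on spaces but honour the single-quoted tokens."""
    try:
        tokens = shlex.split(line)   # "'-'" becomes "-"
    except ValueError:
        # Unbalanced quote: a quoted field (URL, user agent) contained a stray
        # apostrophe. Don't guess the layout; let the caller keep the raw line.
        return None
    if len(tokens) < len(FIELD_NAMES) + 1:
        return None
    # The poster wants the clock value and the offset together as "time".
    tokens = [tokens[0] + " " + tokens[1]] + tokens[2:]
    fields = dict(zip(FIELD_NAMES, tokens))
    tail = " ".join(tokens[len(FIELD_NAMES):])
    if tail:
        fields["rest"] = tail
    return fields


def first_ip(line: str) -> Optional[str]:
    """Apply the reply's single-group regex, as the Graylog regex extractor would."""
    m = FIRST_IP_RE.match(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, value in parse_with_regex(SAMPLE_LINE).items():
        print(f"{name:>12}: {value}")
    print("first IP via extractor regex:", first_ip(SAMPLE_LINE))
```

Both parsers return the same dictionary for the sample line. The split-based version shows why a plain "split on space" is not enough: the quoted fields hold client-supplied text, so a stray apostrophe in one of them breaks the tokenization, and the safer response is to leave the raw message intact rather than misfile values into the wrong fields. In Graylog a regex extractor stores only its first capture group, which is why the reply ends up with one extractor per field; a pipeline rule built around the named-group pattern can populate all of them at once.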