Cybersecurity Forum


isuru
New Contributor II

FortiSIEM - Barracuda Web Filter Parser

Hi,

I have created a custom parser for Barracuda WAF (BarracudaWAFParser.xml). But I have encountered an issue since the logs are "comma-separated".

ex: <131>Nov 12 10:03:30 barracuda 2021-11-12 04:33:30.083 +0000 barracuda SYS REPORTS ERRO 44703 Report not sent to john@abc.com: Auth failed: 535 5.7.8 Error: authentication failed: authentication failure

For the above log event types, I have created the following to parse the logs:

<when test="$_event = 'barracuda SYS'">

  <!-- Barracuda System Log Fields -->
  <!-- %md : Module Name -->
  <!-- %ll : Log Level -->
  <!-- %ei : Event ID -->
  <!-- %ms : Message -->

  <setEventAttribute attr="eventType">Barracuda-WAF-System</setEventAttribute>
  <collectAndSetAttrByPos src="$_body" sep=" ">
    <attrPosMap attr="module" pos="1"/>
    <attrPosMap attr="logLevel" pos="2"/>
    <attrPosMap attr="eventId" pos="3"/>
    <attrPosMap attr="msg" pos="4"/>
  </collectAndSetAttrByPos>
</when>


The correct way to parse this log is:

Module Name: REPORTS
Log Level: ERRO
Event ID: 44703
Message: Report not sent to john@abc.com: Auth failed: 535 5.7.8 Error: authentication failed: authentication failure


However, since the "Message" is also comma-separated, I can only retrieve the first word (Report) of the whole message (not_parsing_correctly.png). In this type of scenario, what would be the logical approach to parse the full message?

This happens to the rest of the Barracuda event types as well.



------------------------------
Cheers,
Isuru
------------------------------
1 Solution
Gabe_FTNT (accepted solution, see the reply below): the BarracudaWAFParser from FortiSIEM 6.3.2, attached.

7 REPLIES
Gabe_FTNT
Staff

Hi Isuru

Why are you not using the system parser, which does the job well?
<when test="$_logType = 'SYS'">
  <!-- system logs -->
  <switch>
    <case>
      <collectFieldsByRegex src="$_body">
        <regex><![CDATA[<module:gPatWord>\s+<eventSeverityCat:gPatWord>\s+<_eventID:gPatInt>\s+<msg:gPatMesgBodyMin>\s*$]]></regex>
      </collectFieldsByRegex>
      <!-- e.g. Barracuda-Sys-51001 -->
      <setEventAttribute attr="eventType">combineMsgId("Barracuda-Sys-", $_eventID)</setEventAttribute>
    </case>
    <default>
      <setEventAttribute attr="eventType">Barracuda-Sys-Generic</setEventAttribute>
    </default>
  </switch>
</when>

To answer your question, though: you'd have to apply collectAndSetAttrByPos only to the section of the log message that can be separated by a space, and identify that section first, e.g. by a collectFieldsByRegex, instead of applying it to the full _body. The system parser does not use collectAndSetAttrByPos because it's probably easier to include the 3 fields directly in the collectFieldsByRegex.

I hope this helps.

Regards,
Gabriel

------------------------------
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
------------------------------
isuru
New Contributor II

Hi Gabriel,

Thanks for the insight. The out-of-the-box parser [FortiSIEM 5.2.6 (1623)] fails with the logs received by the SIEM (fortisiem_parser.png), possibly due to the additional Syslog header. Is there a way to remove the Syslog header, since I couldn't find it in the Barracuda configuration?

------------------------------
Cheers,
Isuru
------------------------------
isuru
New Contributor II

Hi Gabriel,

Please find the original parser included in the FortiSIEM.

------------------------------
Cheers,
Isuru
------------------------------
Gabe_FTNT

Hi Isuru

I don't find any BarracudaWebFilterParser on my FortiSIEM 6.3.2 instance:

[screenshot: parser list]
Yet, the log message you posted originally passes the system's BarracudaWAFParser:
[screenshot: parser test of the posted log line]
The only issue I see with the parser is that it does not correctly categorize the ERRO as Event Severity Category "MEDIUM", because it compares to "ERROR" instead of just "ERRO" and then sets a non-existent attribute "severity" instead of "eventSeverity".

[screenshot: parser source with the corrected line highlighted]
In green the corrected line that will correctly set the severity. The pieces in red likely need modification as well, but I don't have access to Barracuda logs.

Regards,
Gabriel

------------------------------
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
------------------------------
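As an added example (not code from this thread, from FortiSIEM, or from Barracuda), the approach in Gabriel's first reply and the severity fix described above, re-implemented in Python against the log line Isuru posted: a positional split on " " loses everything after the first word of the message, a regex that anchors the three single-token fields and captures the remainder to end of line keeps the full message, and the extra relay syslog header Isuru suspected is stripped first so the line starts at Barracuda's own timestamp. The second sample line, the severity mapping for levels other than ERRO, and the output field names are assumptions of this example, not FortiSIEM's.

```python
import re

# Constructed sample input: the syslog line quoted in the thread, plus one
# extra constructed line with a different log level. Not real Barracuda output.
SAMPLE_LINES = [
    "<131>Nov 12 10:03:30 barracuda 2021-11-12 04:33:30.083 +0000 barracuda SYS "
    "REPORTS ERRO 44703 Report not sent to john@abc.com: Auth failed: 535 5.7.8 "
    "Error: authentication failed: authentication failure",
    "<134>Nov 12 10:04:01 barracuda 2021-11-12 04:34:01.000 +0000 barracuda SYS "
    "CONFIG INFO 10001 Configuration saved by admin",  # constructed
]

# Optional RFC 3164-style relay header ("<PRI>Mon DD HH:MM:SS host ") that sits
# in front of Barracuda's own timestamp. Stripping it, when present, gives the
# stock parser the line shape it expects.
SYSLOG_HEADER = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
)

# Barracuda's own header: "<timestamp> <tz> <host> <logType> <body>"
BARRACUDA_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<logType>\S+) (?P<body>.*)$"
)

# Python equivalent of the system parser's collectFieldsByRegex for SYS logs:
# three single-token fields, then the free-text message captured to end of
# line, which is exactly what a positional split on " " cannot express.
SYS_BODY = re.compile(
    r"^(?P<module>\S+)\s+(?P<logLevel>\S+)\s+(?P<eventID>\d+)\s+(?P<msg>.*?)\s*$"
)


def positional_parse(body: str) -> dict:
    """Mimics collectAndSetAttrByPos with sep=" " applied to the whole body:
    the message field keeps only its first word, reproducing the problem."""
    fields = body.split(" ")
    return {
        "module": fields[0],
        "logLevel": fields[1],
        "eventID": fields[2],
        "msg": fields[3],
    }


def severity_category(log_level: str, compare_to: str = "ERRO") -> str:
    """Severity category derived from the Barracuda log level token.

    Only ERRO -> MEDIUM comes from the thread; the mapping for other levels
    and the default are assumptions of this example. Passing
    compare_to="ERROR" reproduces the bug Gabriel describes: the token in the
    log is "ERRO", so a comparison against "ERROR" never matches.
    """
    if log_level == compare_to:
        return "MEDIUM"
    return {"WARN": "LOW", "INFO": "LOW"}.get(log_level, "LOW")  # assumed


def parse_barracuda_sys(line: str) -> dict:
    """Strip the relay syslog header if present, then parse a SYS event the
    way the regex-based system parser does. Returns {} for non-SYS input."""
    stripped = SYSLOG_HEADER.sub("", line, count=1)
    head = BARRACUDA_HEADER.match(stripped)
    if not head or head.group("logType") != "SYS":
        return {}
    fields = SYS_BODY.match(head.group("body"))
    if not fields:
        return {"eventType": "Barracuda-Sys-Generic"}
    event = fields.groupdict()
    event["eventType"] = "Barracuda-Sys-" + event["eventID"]
    event["severityCategory"] = severity_category(event["logLevel"])
    return event


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(positional_parse(parse_barracuda_sys(sample)["module"] + " "
                               + parse_barracuda_sys(sample)["logLevel"] + " "
                               + parse_barracuda_sys(sample)["eventID"] + " "
                               + parse_barracuda_sys(sample)["msg"])["msg"])
        print(parse_barracuda_sys(sample))
```

The lazy `(?P<msg>.*?)\s*$` plays the role of gPatMesgBodyMin: because the group is anchored to end of line it still swallows the whole message, it only gives up trailing whitespace. The same body regex also works on lines that arrive without the relay header, so one parser covers both log paths.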
isuru
New Contributor II

Hi Gabriel,

I'm referring to an older version of FortiSIEM [FortiSIEM 5.2.6 (1623)]. Could you please share with me the parser you have so I can test the same?

------------------------------
Cheers,
Isuru
------------------------------
Gabe_FTNT

Isuru, please find the BarracudaWAFParser from FortiSIEM 6.3.2 attached.

Happy weekend!

------------------------------
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
------------------------------
isuru
New Contributor II

Hi Gabriel,

Thanks!! Happy weekend!!

------------------------------
Cheers,
Isuru
------------------------------