Created on 11-11-2021 09:25 PM
<when test="$_event = 'barracuda SYS'">
    <!-- Barracuda System Log Fields -->
    <!-- %md : Module Name -->
    <!-- %ll : Log Level -->
    <!-- %ei : Event ID -->
    <!-- %ms : Message -->
    <setEventAttribute attr="eventType">Barracuda-WAF-System</setEventAttribute>
    <collectAndSetAttrByPos src="$_body" sep=" ">
        <attrPosMap attr="module" pos="1"/>
        <attrPosMap attr="logLevel" pos="2"/>
        <attrPosMap attr="eventId" pos="3"/>
        <attrPosMap attr="msg" pos="4"/>
    </collectAndSetAttrByPos>
</when>
The correct way to parse this log is as follows:
Module Name: REPORTS
Log Level: ERRO
Event ID: 44703
Message: Report not sent to firstname.lastname@example.org: Auth failed: 535 5.7.8 Error: authentication failed: authentication failure
However, since the "Message" is also comma-separated, I can only retrieve the first word (Report) of the whole message (not_parsing_correctly.png). In this type of scenario, what would be the logical approach to parse the full message?
This happens to the rest of the Barracuda event types as well.
Created on 11-12-2021 04:39 AM
<when test="$_logType = 'SYS'">
<!-- system logs -->
<!-- e.g. Barracuda-Sys-51001 -->
<setEventAttribute attr="eventType">combineMsgId("Barracuda-Sys-", $_eventID)</setEventAttribute>
Apply collectAndSetAttrByPos only to the section of the log message that can be separated by a space, and identify that section first, e.g. with a collectFieldsByRegex, instead of applying it to the full _body. The system parser does not use collectAndSetAttrByPos because it's probably easier to include the 3 fields directly in the collectFieldsByRegex.
I don't find any BarracudaWebFilterParser on my FortiSIEM 6.3.2 instance:
Yet, the log message you posted originally passes the system's BarracudaWAFParser:
The only issue I see with the parser is that it does not correctly categorize ERRO as Event Severity Category "MEDIUM", because it compares against "ERROR" instead of just "ERRO", and then sets a non-existent attribute "severity" instead of "eventSeverity".
In green is the corrected line that will correctly set the severity. The pieces in red likely need modification as well, but I don't have access to Barracuda logs.
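To make the difference between the two approaches concrete, here is an added Python illustration (not FortiSIEM parser XML and not code from this thread) of the same logic: a positional split on spaces, which truncates the message, next to a regex with a greedy tail that keeps the full message, plus the ERRO-to-MEDIUM severity mapping discussed above. The sample log line is constructed from the fields quoted in the question; the severity table and the "Barracuda-Sys-<eventId>" event type are assumptions modelled on the thread, not FortiSIEM's actual mapping.

```python
import re
from typing import Optional

# Constructed sample in the Barracuda system-log layout discussed in the thread:
# "<module> <level> <eventId> <message ...>", where the message itself has spaces.
SAMPLE = ("REPORTS ERRO 44703 Report not sent to firstname.lastname@example.org: "
          "Auth failed: 535 5.7.8 Error: authentication failed: authentication failure")

# Three space-delimited fields, then everything else as the message. The greedy
# tail (.*) is what a collectFieldsByRegex would capture instead of a positional split.
SYS_RE = re.compile(r"^(?P<module>\S+) (?P<logLevel>\S+) (?P<eventId>\d+) (?P<msg>.*)$")

# Barracuda writes short level tokens (ERRO, not ERROR), so match the exact token.
# Assumed mapping for illustration; only ERRO -> MEDIUM comes from the thread.
LEVEL_TO_SEVERITY = {"ERRO": "MEDIUM"}


def parse_by_position(body: str) -> dict:
    """Positional split on ' ' (what the original custom parser did).
    Field 4 is only the first word of the message, so msg is truncated."""
    parts = body.split(" ")
    return {"module": parts[0], "logLevel": parts[1],
            "eventId": parts[2], "msg": parts[3]}


def parse_by_regex(body: str) -> Optional[dict]:
    """Regex with a greedy tail: msg keeps the whole remainder of the line.
    Returns None when the line does not have the expected three leading fields."""
    m = SYS_RE.match(body)
    if not m:
        return None
    fields = m.groupdict()
    # Event type built from the event ID, in the style of the system parser's
    # combineMsgId("Barracuda-Sys-", $_eventID) (assumed, for illustration).
    fields["eventType"] = "Barracuda-Sys-" + fields["eventId"]
    # Set eventSeverity (the real attribute), not a non-existent "severity".
    fields["eventSeverity"] = LEVEL_TO_SEVERITY.get(fields["logLevel"])
    return fields


if __name__ == "__main__":
    print("positional msg:", parse_by_position(SAMPLE)["msg"])
    print("regex msg:     ", parse_by_regex(SAMPLE)["msg"])
```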