<when test="$_event = 'barracuda SYS'">
<!-- Barracuda System Log Fields -->
<!-- %md : Module Name -->
<!-- %ll : Log Level -->
<!-- %ei : Event ID -->
<!-- %ms : Message -->
<setEventAttribute attr="eventType">Barracuda-WAF-System</setEventAttribute>
<collectAndSetAttrByPos src="$_body" sep=" ">
<attrPosMap attr="module" pos="1"/>
<attrPosMap attr="logLevel" pos="2"/>
<attrPosMap attr="eventId" pos="3"/>
<attrPosMap attr="msg" pos="4"/>
</collectAndSetAttrByPos>
</when>
The correct way to parse this log is as follows:
Module Name: REPORTS
Log Level: ERRO
Event ID: 44703
Message: Report not sent to john@abc.com: Auth failed: 535 5.7.8 Error: authentication failed: authentication failure
However, since the "Message" is also comma-separated, I can only retrieve the first word ("Report") of the whole message (not_parsing_correctly.png). In this type of scenario, what would be the logical approach to parse the full message?
This happens to the rest of the Barracuda event types as well.
Hi Isuru
I don't find any BarracudaWebFilterParser on my FortiSIEM 6.3.2 instance:
Yet, the log message you posted originally passes the system's BarracudaWAFParser:
The only issue I see with the parser is that it does not correctly categorize the ERRO as Event Severity Category "MEDIUM", because it compares against "ERROR" instead of just "ERRO", and then sets a non-existent attribute "severity" instead of "eventSeverity".
In green the corrected line that will correctly set the severity. The pieces in red likely need modification as well, but I don't have access to Barracuda logs.
<when test="$_logType = 'SYS'">
<!-- system logs -->
<switch>
<case>
<collectFieldsByRegex src="$_body">
<regex><![CDATA[<module:gPatWord>\s+<eventSeverityCat:gPatWord>\s+<_eventID:gPatInt>\s+<msg:gPatMesgBodyMin>\s*$]]></regex>
</collectFieldsByRegex>
<!-- e.g. Barracuda-Sys-51001 -->
<setEventAttribute attr="eventType">combineMsgId("Barracuda-Sys-", $_eventID)</setEventAttribute>
</case>
<default>
<setEventAttribute attr="eventType">Barracuda-Sys-Generic</setEventAttribute>
</default>
</switch>
</when>
Apply collectAndSetAttrByPos only to the section of the log message that can be separated by a space, and identify that section first, e.g. by a collectFieldsByRegex, instead of applying it to the full _body. The system parser does not use collectAndSetAttrByPos because it is probably easier to include the 3 fields directly in the collectFieldsByRegex.
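To make the difference between the two strategies concrete, here is an added Python model (not FortiSIEM code and not from the thread) of positional splitting versus a regex with a trailing message capture, run on a constructed line shaped like the one Isuru posted. The regex only approximates gPatWord, gPatInt and gPatMesgBodyMin, and the ERRO-to-MEDIUM mapping is the one discussed above; the recipient address is a placeholder.

```python
import re
from typing import Optional

# Constructed sample, modelled on the line quoted in the thread; the
# address is a placeholder, not a real recipient.
SAMPLE_BODY = ("REPORTS ERRO 44703 Report not sent to user@example.com: "
               "Auth failed: 535 5.7.8 Error: authentication failed: "
               "authentication failure")

# Approximation of the system parser's FortiSIEM patterns:
#   gPatWord -> \S+   gPatInt -> \d+   gPatMesgBodyMin -> .*? up to end of line
SYS_LOG_RE = re.compile(
    r"^(?P<module>\S+)\s+(?P<eventSeverityCat>\S+)\s+(?P<eventID>\d+)\s+"
    r"(?P<msg>.*?)\s*$"
)

def parse_by_position(body: str) -> dict:
    """Mimics collectAndSetAttrByPos with sep=" ": every space is a field
    boundary, so position 4 holds only the first word of the message."""
    fields = body.split(" ")
    return {"module": fields[0], "logLevel": fields[1],
            "eventId": fields[2], "msg": fields[3]}

def parse_by_regex(body: str) -> Optional[dict]:
    """Mimics collectFieldsByRegex: the three fixed fields are matched one
    by one and everything after them is captured as a single msg."""
    m = SYS_LOG_RE.match(body)
    return m.groupdict() if m else None

def event_type(fields: dict) -> str:
    """Equivalent of combineMsgId("Barracuda-Sys-", $_eventID)."""
    return "Barracuda-Sys-" + fields["eventID"]

def event_severity_buggy(level: str) -> Optional[str]:
    """The comparison the thread points out: "ERROR" never equals the
    four-letter level Barracuda actually logs, so ERRO gets no category."""
    return "MEDIUM" if level == "ERROR" else None

def event_severity(level: str) -> Optional[str]:
    """Corrected: compare against the logged value. Only the ERRO mapping
    comes from the thread; other levels are left unmapped (assumption)."""
    return {"ERRO": "MEDIUM"}.get(level)
```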