FortiSIEM Discussions
IsuruTharanga
New Contributor

FortiSIEM - Barracuda Web Filter Parser

Hi,

I have created a custom parser for Barracuda WAF (BarracudaWAFParser.xml). But I have encountered an issue since the logs are "comma-separated".

ex: <131>Nov 12 10:03:30 barracuda 2021-11-12 04:33:30.083 +0000 barracuda SYS REPORTS ERRO 44703 Report not sent to john@abc.com: Auth failed: 535 5.7.8 Error: authentication failed: authentication failure

For the above log event type, I have created the following to parse the logs:

<when test="$_event = 'barracuda SYS'">
  <!-- Barracuda System Log Fields -->
  <!-- %md : Module Name -->
  <!-- %ll : Log Level -->
  <!-- %ei : Event ID -->
  <!-- %ms : Message -->
  <setEventAttribute attr="eventType">Barracuda-WAF-System</setEventAttribute>
  <collectAndSetAttrByPos src="$_body" sep=" ">
    <attrPosMap attr="module" pos="1"/>
    <attrPosMap attr="logLevel" pos="2"/>
    <attrPosMap attr="eventId" pos="3"/>
    <attrPosMap attr="msg" pos="4"/>
  </collectAndSetAttrByPos>
</when>


The correct way to parse this log is as follows:

Module Name: REPORTS
Log Level: ERRO
Event ID: 44703
Message: Report not sent to john@abc.com: Auth failed: 535 5.7.8 Error: authentication failed: authentication failure


However, since the "Message" is also comma-separated, I can only retrieve the first word (Report) of the whole message (not_parsing_correctly.png). In this type of scenario, what would be the logical approach to parse the full message?

This happens to the rest of the Barracuda event types as well.



------------------------------
Cheers,
Isuru
------------------------------
GabrielKaelin

Hi Isuru

Why are you not using the system parser, which does the job well?
<when test="$_logType = 'SYS'">
  <!-- system logs -->
  <switch>
    <case>
      <collectFieldsByRegex src="$_body">
        <regex><![CDATA[<module:gPatWord>\s+<eventSeverityCat:gPatWord>\s+<_eventID:gPatInt>\s+<msg:gPatMesgBodyMin>\s*$]]></regex>
      </collectFieldsByRegex>
      <!-- e.g. Barracuda-Sys-51001 -->
      <setEventAttribute attr="eventType">combineMsgId("Barracuda-Sys-", $_eventID)</setEventAttribute>
    </case>
    <default>
      <setEventAttribute attr="eventType">Barracuda-Sys-Generic</setEventAttribute>
    </default>
  </switch>
</when>

To answer your question, though: you'd have to apply collectAndSetAttrByPos only to the section of the log message that can be separated by a space, and identify that section first, e.g. with a collectFieldsByRegex, instead of applying it to the full _body. The system parser does not use collectAndSetAttrByPos because it's probably easier to include the 3 fields directly in the collectFieldsByRegex.

I hope this helps.

Regards,
Gabriel

------------------------------
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
------------------------------
IsuruTharanga

Hi Gabriel,

Thanks for the insight. The out-of-the-box parser [FortiSIEM 5.2.6 (1623)] fails with the logs received by the SIEM (fortisiem_parser.png), possibly due to the additional syslog header. Is there a way to remove the syslog header, since I couldn't find it in the Barracuda configuration?

------------------------------
Cheers,
Isuru
------------------------------
IsuruTharanga

Hi Gabriel,

Please find the original parser included in FortiSIEM.

------------------------------
Cheers,
Isuru
------------------------------
GabrielKaelin

Hi Isuru

I don't find any BarracudaWebFilterParser on my FortiSIEM 6.3.2 instance:

[screenshot]

Yet, the log message you posted originally passes the system's BarracudaWAFParser:

[screenshot]

The only issue I see with the parser is that it does not correctly categorize ERRO as Event Severity Category "MEDIUM", because it compares against "ERROR" instead of just "ERRO", and then sets a non-existent attribute "severity" instead of "eventSeverity".

[screenshot]

In green is the corrected line that will correctly set the severity. The pieces in red likely need modification as well, but I don't have access to Barracuda logs.

Regards,
Gabriel

------------------------------
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
------------------------------
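As an added illustration (written for this thread; it is not FortiSIEM code and not from either poster), the Python below mirrors the two approaches discussed here: the positional split from the original post, which yields only the first word of the message, and a regex rendering of the system parser's module/level/id/message pattern from Gabriel's first reply, whose trailing group keeps the whole message. It also strips the RFC 3164-style syslog header raised in the follow-up before matching the body, and compares the four-letter level token exactly (ERRO, not ERROR) when mapping to the MEDIUM category, as noted in the severity fix above. The header and body-prefix regexes, the sample lines, the dictionary keys such as severityCategory, and the single-entry severity table are this example's own assumptions, not FortiSIEM definitions; gPatMesgBodyMin is approximated with a lazy-to-end group.

```python
import re

# Constructed sample lines, modelled on the log line quoted in the thread
# (the address in the original is replaced by a placeholder).
SAMPLE_SYS = (
    "<131>Nov 12 10:03:30 barracuda 2021-11-12 04:33:30.083 +0000 barracuda "
    "SYS REPORTS ERRO 44703 Report not sent to user@example.com: Auth failed: "
    "535 5.7.8 Error: authentication failed: authentication failure"
)
# A SYS line whose remainder does not fit the module/level/id/message shape,
# to exercise the "Generic" fallback of the system parser.
SAMPLE_ODD = (
    "<131>Nov 12 10:04:00 barracuda 2021-11-12 04:34:00.000 +0000 barracuda "
    "SYS something odd happened"
)

# RFC 3164-style header: <PRI>, timestamp, hostname; everything after is the body.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$"
)

# Barracuda body prefix as seen in the sample: ISO timestamp with offset,
# unit name, log type, then the type-specific remainder (assumed layout).
BODY_PREFIX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<unit>\S+) (?P<logType>[A-Z]+) (?P<rest>.*)$"
)

# Python rendering of the system parser's SYS regex:
#   <module:gPatWord>\s+<eventSeverityCat:gPatWord>\s+<_eventID:gPatInt>\s+<msg:gPatMesgBodyMin>\s*$
# The to-end message group is what keeps the whole text after the event ID.
SYS_FIELDS = re.compile(
    r"^(?P<module>\w+)\s+(?P<eventSeverityCat>\w+)\s+(?P<eventID>\d+)\s+(?P<msg>.*?)\s*$"
)

# Level token -> severity category. Only ERRO -> MEDIUM is confirmed in the
# thread; the key is the exact four-letter token, not "ERROR".
SEVERITY_CATEGORY = {"ERRO": "MEDIUM"}


def sys_remainder(line):
    """Strip the syslog header and the Barracuda prefix; return the text after
    'SYS' (module, level, id, message), or None if this is not a SYS line."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        return None
    body = BODY_PREFIX.match(hdr["body"])
    if not body or body["logType"] != "SYS":
        return None
    return body["rest"]


def parse_positional(line):
    """The approach from the original post: split on single spaces and take
    positions 1..4. Position 4 is only the first word of the message."""
    rest = sys_remainder(line)
    if rest is None:
        return None
    tokens = rest.split(" ")
    if len(tokens) < 4:
        return None
    return {"module": tokens[0], "logLevel": tokens[1],
            "eventId": tokens[2], "msg": tokens[3]}


def parse_sys_event(line):
    """The system-parser approach: one regex over the SYS remainder, with a
    Generic event type when the remainder does not match."""
    rest = sys_remainder(line)
    if rest is None:
        return None
    m = SYS_FIELDS.match(rest)
    if not m:
        return {"eventType": "Barracuda-Sys-Generic"}
    event = m.groupdict()
    # Same effect as combineMsgId("Barracuda-Sys-", $_eventID) in the parser.
    event["eventType"] = "Barracuda-Sys-" + event["eventID"]
    # Compare the raw token exactly; None means "no mapping known yet".
    event["severityCategory"] = SEVERITY_CATEGORY.get(event["eventSeverityCat"])
    return event


if __name__ == "__main__":
    print("positional:", parse_positional(SAMPLE_SYS)["msg"])   # only "Report"
    print("regex     :", parse_sys_event(SAMPLE_SYS)["msg"])    # the full message
    print("fallback  :", parse_sys_event(SAMPLE_ODD)["eventType"])
```

The point of the comparison is the last capture group: with a positional split there is no way to say "everything from here to the end", whereas a regex ending in a to-end group, as in the system parser, gives the full message in one attribute. Stripping the syslog header first, rather than adjusting the device, is also the simpler fix for the header problem raised in the thread.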
IsuruTharanga

Hi Gabriel,

I'm referring to an older version of FortiSIEM [FortiSIEM 5.2.6 (1623)]. Could you please share with me the parser you have so I can test the same?

------------------------------
Cheers,
Isuru
------------------------------
GabrielKaelin

Isuru, please find the BarracudaWAFParser from FortiSIEM 6.3.2 attached.

Happy weekend!

------------------------------
Gabriel Kälin, Systems Engineer
Fortinet | Riedmühlestr. 8 | 8305 Dietlikon | Switzerland | E: gkaelin@fortinet.com | T: +41 79 882 80 98
------------------------------
IsuruTharanga

Hi Gabriel,

Thanks!! Happy weekend!! 

------------------------------
Cheers,
Isuru
------------------------------