Adding Microsoft Azure Log Analytics Server Using Azure Monitoring Agent

The Barracuda Web Application Firewall now supports log forwarding to Azure Log Analytics using the Azure Monitor Agent (AMA). AMA is Microsoft’s recommended replacement for the legacy OMS (Log Analytics) agent, which is no longer supported by Azure Log Analytics Workspace.

This enhancement ensures compatibility with Azure’s latest monitoring architecture, while offering a more secure and efficient way to export the Barracuda Web Application Firewall logs. You can configure this under ADVANCED > Export Logs > External Log Servers by selecting Azure Log Analytics Server (AMA Connector) from the drop-down list. Once configured, log events are sent as custom logs to Azure Monitor Agent.

For more information about AMA, refer to the Microsoft Documentation.

To configure or migrate to Azure Monitor Agent (AMA), follow the appropriate steps based on your scenario:

If you intend to set up AMA as a connector, follow the instructions in Configuring AMA as a Connector.
If you are migrating from the legacy OMS agent to AMA, proceed with the instructions provided in Migrating from OMS to AMA.

Configuring AMA as a Connector

Step 1. Deploy Azure Components Using the Template

Use the Barracuda Web Application Firewall custom template and deploy the following Azure components:

Log Analytics Workspace
Barracuda Custom Logs Table (barracuda_CL) in the Log Analytics Workspace
Workbook in the Log Analytics Workspace
Data Collection Rules (DCR)

Perform the following steps to deploy the custom template and associate the Barracuda Web Application Firewall instance with the DCR:

Log in to the Microsoft Azure portal.
In the Search field, type custom template and select Deploy a custom template from the list.
On the Custom Deployment page and click Build your own template in the editor.
On the Edit template page:
1. Clear the text area and paste the contents of Barracuda_WAF_Template.json
Click Save. The Custom deployment > Basics page appears.
On the Basics page, specify values for the following:
1. Resource group – Select an existing resource group or create a new resource group to associate the Log Analytics workspace. Note: If you select an existing resource group, the Log Analytics workspace will be created in the same Azure region as the selected resource group.
2. Workspace Name – Enter a name for the Log Analytics workspace.
3. Pricing Tier - Select pergb2018 as the pricing tier.
4. Type – Select Workbook from the drop-down list.
5. DCR Name – Enter a name for the data collection rule (DCR).
6. Click Review + create to create the workspace.
7. On the Custom deployment > Review + create page:
  1. Review the details and click Create.
Once the file is created, it will create a DCR that specifies the Custom Logs file path, the schema of the logs and the custom table for log ingestion in the Log Analytics Workspace.
Go to the Data collection rules page:
1. Click on the DCR you created in step 4.
2. Expand Configuration and click Resources.
3. Click Add.
4. On the Select a scope window, search and select the Azure WAF VM instance.
5. Click Apply.
After the instance is added, the Azure Monitor Agent will be installed on the WAF, establishing the association between the WAF and the DCR.
Now, the Azure Monitor Agent collect logs from the JSON Log files located at: /mail/log/ama/ama_custom_waf_logs.json and sends them to the barracuda_CL table in the Log Analytics workspace.
Go to the Log Analytics workspace page and select Logs under your workspace.
Note: Log data may take approximately 5 to 10 minutes to appear in the workspace after the agent starts.
1. Run the barracuda_CL query to see the logs.
  (Logs will become visible once the AMA connector is added in the Barracuda Web Application Firewall web interface. To set up the AMA connector, refer to Step 3: Configure AMA on the Barracuda Web Application Firewall.)
2. Additionally, run the following query to check if your WAF is connected to the Log Analytics workspace using the Azure Monitoring Agent (AMA).
  Heartbeat | where OSType == 'Linux' | where Category == 'Azure Monitor Agent' | summarize arg_max(TimeGenerated, *) by SourceComputerId | sort by Computer | render table

Step 2. Configure the Workbook

You can either create a new workbook or update an existing workbook using the contents of the Workbook.json file.

To Create a New Workbook

Open the Microsoft Azure portal, navigate to your Log Analytics workspace.
On the workspace page, scroll down to the Monitoring section and select Workbooks.
On the Workbooks page, click New.
In the Editing query item section:
1. Click Advanced Editor.
2. Clear any existing content and paste the contents of the Workbook.json file.
3. Click Done Editing to apply the changes.
The graphs will now start populating in the workbook.

Step 3. Configure AMA on the Barracuda Web Application Firewall

Perform the following steps to configure AMA on the Barracuda WAF:

Log in to the Barracuda Web Application Firewall web interface.
Go to the ADVANCED > Export Logs page.
In the External Log Servers section, click Add Log Server.
In the Add Log Server window, edit the following settings:
1. Name: Enter a name for the log server.
2. Log Server Type: Select Azure Log Analytics Server (AMA Connector) from the drop down list.
3. AMA Log File Path: Path of the JSON file in the Barracuda Web Application Firewall instance where the log data is stored. The Microsoft Azure Monitoring agent uses this path to collect the logs and send them to the Log Analytics workspace.
4. Click Add.
Change the format for logs in the Logs Format section:
1. Syslog Header: Select Custom Header from the drop-down list and keep it blank.
2. Select Azure Log Analytics Server (AMA Connector) from the drop-down list for all logs (Web Firewall Logs, Access Logs, Audit Logs, Network Firewall Logs and System Logs).
Click Save.
After the Azure Monitoring Agent is configured on the WAF, the log files are generated in the JSON format.