Log Export

Barracuda WAF-as-a-Service generates various types of logs, as described in Log Retention and Location. The Log Export component enables you to export these logs in real-time via the Syslog protocol or Azure event hubs. You can then stream the data from Azure event hubs to SIEM (Security Information and Event Management) tools, like Barracuda XDR, Splunk, ArcSight, and others.

Before You Begin

Regardless of how you will export your logs, be sure to allow the source IPs for the export logs, as described in Restricting Direct Traffic.

Choose one of the following methods to export logs:

Exporting to Syslog
Exporting to Azure Event Hubs

Exporting to Syslog

Preparing to Export Logs

To export logs, you must have a Syslog server. You can set up your server or use a server provided by a cloud service.

If you are running syslog on a UNIX machine, ensure you start the syslog daemon process with the -r option so it can receive messages from external sources.
Windows users require additional software when using syslog, because the Windows OS does not include the syslog capability. There are many syslog solutions available, both free and commercial, including Kiwi Syslog.
If you are using a cloud service, they will provide you with the server hostname, port, and protocol. Barracuda WAF-as-a-Service can export logs via UDP, TCP, or SSL protocols.

Syslog Facility

Syslog receives different types of log messages. To differentiate and store them in distinct log files, log messages contain a logging priority and a logging facility, in addition to the actual message and IP address.

There are eight facility options. All log messages are marked with one of the facility options, labelled local0 through local7. By default, each syslog server is marked with local0.

For each configured syslog server, you can associate a specific facility with each log type, so your syslog server can segregate the log of each type into a different file.

See the instructions below for setting a facility option.

You can set the same facility for both Firewall Logs and Access Logs.

Severity Level

You can set the severity level to export firewall logs and system logs to the configured export log server(s). Barracuda WAF-as-a-Service severity levels, listed from greatest to least severity, are:

Emergency
Alert
Critical
Error
Warning
Notice – Default setting
Information
Debug

Notice is the default setting, indicating normal, but significant conditions.

Barracuda WAF-as-a-Service exports logs based on the selected severity level. For example, if you set the severity to Critical, then logs with a severity level of Critical and above (that is, Emergency, Alert, and Critical) are all sent to the external log server.

Configuring Export Log Information

Within Barracuda WAF-as-a-Service, open the application. In the left navigation panel, select Log Export.
Click Add Export Log Server.
In the Add Export Log Server page, specify the following information:
- Name – Enter a name for the new setting.
- Log Server Type – Select Syslog NG.
- Log Server Communication – (This option is available only when the application is deployed in the custom container) Select how you want the logs to be exported to the external log server.
  - Send logs to the Log Server from WAF-as-a-Service - Logs are displayed on the WAF-as-a-Service web interface (Logs page) and exported to the external log server simultaneously.
  - Send logs to the Log Server directly from the WAF Container - Logs are exported to the configured external log server directly from the WAF container.
- Server Address and Port – Add the IP address or Hostname and Port for the external log server. The port is automatically entered based on your selection in Connection Type below.
- Connection Type – Select how you will connect with the external log server. Based on your selection, the appropriate port is automatically entered in the Server Address and Port field, located directly above.
- Syslog Header – Select a standard header or select Custom to specify the header.
- Firewall Logs – Specify the export format for Firewall Logs. This typically matches the type of logging server to which you are exporting logs. The following log formats are displayed in the drop-down list:
  - Default - The default firewall logs format defined by the Barracuda WAF-as-a-Service.
  - CEF:0 (ArcSight) - The Common Event Format (CEF) log used by ArcSight.
  - HPE ArcSight CEF:0 - The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight).
  - LEEF1.0 (QRadar) - The Log Event Enhanced Format (LEEF) log used by QRadar.
  - Microsoft Azure Log Analytics - The default log format used by Microsoft Azure Log Analytics.
  - Symantec SIM - The default log format used by Symantec SIM.
  - RSA enVision - The default log format used by RSA envision.
  - Splunk - The default log format used by Splunk.
  - XDR - The default log format used by Barracuda Extended Detection and Response (XDR). The default log format used by Barracuda Extended Detection and Response (XDR). Note: If you choose the XDR format as the export format for any logs, ensure that you apply the XDR format consistently across all logs. For example, if the XDR format is chosen for Firewall Logs, it should also be configured for Event Logs and Access Logs.
  - Custom - Define a custom log format using the values displayed in the Log Field Macros section.
    If you do not see your log type listed, select Custom and enter the format. See below for the format specifier. If you do not want to export Firewall Logs, select Do Not Export.
    - Severity - Select the severity for log events you want to export. Events with that severity, and higher levels of severity, are exported. The default setting is Notice, described above.
    - Facility - Specify where you want to store the log file, so logs are kept separate and are easy to retrieve. See the Syslog Facility section.
- Access Logs - Specify the export format for Access Logs. This typically matches the type of logging server to which you are exporting logs. The following log formats are displayed in the drop-down list:
  - Default - The default access logs format defined by the Barracuda WAF-as-a-Service.
  - Common Log Format - The default format for logged HTTP information.
  - NCSA Extended Format - The Common Log Format appended with referer and user-agent information.
  - W3C Extended Format - The default log format used by Microsoft Internet Information Server (IIS).
  - CEF:0 (ArcSight) - The Common Event Format (CEF) log used by ArcSight.
  - HPE ArcSight CEF:0 - The Common Event Format (CEF) log used by HP ArcSight. This is the updated version of CEF:0 (ArcSight)
  - LEEF1.0 (QRadar) - The Log Event Enhanced Format (LEEF) log used by QRadar.
  - Microsoft Azure Log Analytics - The default log format used by Microsoft Azure Log Analytics.
  - Symantec SIM - The default log format used by Symantec SIM.
  - RSA enVision - The default log format used by RSA enVision.
  - Splunk - The default log format used by Splunk.
  - XDR - The default log format used by Barracuda Extended Detection and Response (XDR). The default log format used by Barracuda Extended Detection and Response (XDR). Note: If you choose the XDR format as the export format for any logs, ensure that you apply the XDR format consistently across all logs. For example, if the XDR format is chosen for Firewall Logs, it should also be configured for Event Logs and Access Logs.
  - Custom - Define the custom log format using the values displayed in the Log Field Macros section.
    If you do not see your log type listed, select Custom and enter the format. See below for the format specifier. If you do not want to export Firewall Logs, select Do Not Export.
  - Facility - Specify where you want to store the log file, so logs are kept separate and are easy to retrieve. See the Syslog Facility section.
- Event Logs – Specify the export format for Event Logs. This typically matches the type of logging server to which you are exporting logs. The following log formats are displayed in the drop-down list:
  - Default - The default event logs format defined by the Barracuda WAF-as-a-Service.
  - XDR - The default log format used by Barracuda Extended Detection and Response (XDR). The default log format used by Barracuda Extended Detection and Response (XDR). Note: If you choose the XDR format as the export format for any logs, ensure that you apply the XDR format consistently across all logs. For example, if the XDR format is chosen for Firewall Logs, it should also be configured for Event Logs and Access Logs.
  - Custom - Define the custom log format using the values displayed in the Log Field Macros section.
    If you do not see your log type listed, select Custom and enter the format. See below for the format specifier. If you do not want to export Firewall Logs, select Do Not Export.
  - Facility – Specify where you want to store the log file, so logs are kept separate and are easy to retrieve. See the Syslog Facility section.
Click Add to add the above settings.

Exporting to Azure Event Hubs

To use Azure Event Hubs, contact Barracuda Networks Technical Support.

Configuring Export Log Information for Azure Event Hubs

Exporting log data to Azure event hubs enables you to analyze that data with third-party SIEM (Security Information and Event Management) tools. For more information, refer to this Microsoft document, Stream Azure monitoring data to an event hub or external partner.

Within Barracuda WAF-as-a-Service, open the application. In the left navigation panel, select Log Export.
Click Add Export Log Server.
In the Add Export Log Server page, specify the following information:
- Name – Enter a name for the new setting.
- Log Server Type – Select Azure Event Hubs.
- Event Hub Name – Specify the name of your Azure event hub.
- Service Bus Name – Specify the name of the service bus for your Azure event hub.
- Policy Name – Specify the policy name for your event hub.
- Policy SAS Key – Specify the Microsoft Azure event hub SAS key value.
- Send Traffic Logs – Enable to export traffic logs.
- Send WAF Firewall Logs – Enable to export Barracuda Web Application Firewall logs.
- Send WaaS Event Logs – Enable to export Barracuda WAF-as-a-Service event logs.
Click Add to add the above settings.

Log information is automatically sent to your Azure event hub, and beyond if you choose.

Log Format for Firewall Logs

The default log format for Firewall Logs:

%t %un %lt %sl %ad %ci %cp %ai %ap %ri %rt %at %fa %adl %m %u %p %sid %ua %px %pp %au %r %uid

Example:

^{Apr 13 08:05:07 Barracuda - 2024-04-13 08:05:07.183 +0000 57fbcbf54f-z6pxk WF ALER TILDE_IN_URL 213.182.115.22 35245 10.125.7.107 31200 security-policy GLOBAL DENY NONE PathInfo="~" GET /index.html TLSv1.2 curl/7.47.0 10.145.7.147 60148 12ed42d1bef-365b5f9}

Description

The following table provides information about each element of the firewall logs:

Field Name	Example	Description

Field Name	Example	Description
Time	Apr 13 08:05:07	Data and time of the log when it was generated.
Unit Name	Barracuda	Name of the unit.
Log Type	WF	Type of log: Web Firewall Log, Access Log, or Event Log.
Severity Level	ALER	Defines the seriousness of the attack. Values: EMERGENCY – System is unusable (highest priority). ALERT – Response must be taken immediately. CRITICAL – Critical conditions. ERROR – Error conditions. WARNING – Warning conditions. NOTICE – Normal but significant condition. INFORMATION – Informational message (on ACL configuration changes). DEBUG – Debug-level message (lowest priority).
Attack Description	TILDE_IN_URL	Name of the attack triggered by the request.
Client IP	213.182.115.22	IP address of the client sending the request.
Client Port	35245	Port associated with the client IP address.
Application IP	10.125.7.107	IP address of the application that receives the traffic.
Application Port	31200	Port associated with the application IP address.
Rule ID	security-policy	Name of the policy to which the Barracuda WAF-as-a-Service matched the request.
Rule Type	GLOBAL	Indicates the type of rule that was hit by the request that caused the attack. The following is the list of expected values for Rule Type: Global – indicates that the request matched one of the global rules configured under Security Policies. Global URL ACL – indicates that the request matched one of the global URL ACL rules configured under Security Policies. URL ACL – indicates that the request matched one of the Allow/Deny rules configured specifically for the given website. URL Policy – indicates that the request matched one of the Advanced Security rules configured specifically for the given website. URL Profile – indicates that the request matched one of the rules configured on the URL Profile. Parameter Profile – indicates that the request matched one of the rules configured on the Parameter Profile. Header Profile – indicates that the request matched one of the rules configured on the Header Profile.
Action Taken	DENY	The appropriate action applied on the traffic. DENY – denotes that the traffic is denied. LOG – denotes monitoring of the traffic with the assigned rule. WARNING – warns about the traffic.
Follow Up Action	NONE	The follow-up action as specified by the action policy. It can be either None or Locked in case the lockout is chosen.
Attack Details	PathInfo="~"	Details of the attack triggered by the request.
Method	GET	HTTP method used by the request. Values: GET, POST, HEAD, etc.
URL	/index.html	URL specified in the request.
Protocol	TLSv1.2	Protocol used for the request.
Session ID	-	Value for this field remains blank.
User Agent	curl/7.47.0	The value contained in the User-Agent request header. Normally, this information is submitted by the clients, which details the browser, operating system, software vendor, or software revision, in an identification string.
Proxy IP	10.145.7.147	If the client requests are coming through a proxy or gateway, then this field provides the IP address of the proxy.
Proxy Port	60148	The port of the proxy server whose IP address has been logged in the Proxy IP field above.
Authenticated User		The username of the currently authenticated client requesting the web page.
Referer		The value contained in the Referrer HTTP request header. It identifies the web resource from which the client was “referred” to the requested URL.
Unique ID	12ed42d1bef-365b5f9	ID generated for the request. A unique ID is generated for every log.

Log Format for Access Logs

The default log format for Firewall Logs:

%t %un %lt %ai %ap %ci %cp %id %cu %m %p %h %v %s %bs %br %ch %tt %si %sp %st %sid %rtf %pmf %pf %wmf %u %q %r %c %ua %px %pp %au %cs1 %cs2 %cs3 %uid

Example:

^{Apr 13 08:05:07 Barracuda - 2024-04-13 08:05:07.183 +0000 57fbcbf54f-z6pxk TR 10.225.7.211 12290 112.122.137.66 34225 "-" "-" GET TLSv1.2 app201452.azurelab.cudawaas.com HTTP/1.1 404 8011 107 0 0 10.36.45.24 443 0 INTERNAL DEFAULT PROTECTED INVALID /index.html/?name=srea http://10.99.109.2/index.cgi namkrl=sreask curl/7.47.0 10.221.7.155 60168 Peter curl/7.47.0 "-" app201452.azurelab.cudawaas.com 16ed45d1bef-486b5f9}

Description

The following table provides information about each element of the access log for the above example:

Field Name	Example	Description

Field Name	Example	Description
Time	Apr 13 08:05:07	Date and time of the log when it was generated.
Unit Name	Barracuda	Name of the unit, which is same as the default hostname.
Log Type	TR	Type of log: Web Firewall Log, Access Log, or Event Log.
Application IP	10.225.7.211	IP address of the application that receives the traffic.
Application Port	12290	Port associated with the application IP address.
Client IP	112.122.137.66	IP address of the client sending the request.
Client Port	34225	Port associated with the client IP address.
Login ID		Login ID used by the client when authentication is set to On for the application.
Certificate User		Username as found in the SSL certificate when Client Authentication is enforced by the Barracuda WAF-as-a-Service.
Method	GET	HTTP method used by the request. Values: GET, POST, HEAD, etc.
Protocol	TLSv1.2	Protocol used for the request.
Host	app201452.azurelab.cudawaas.com	IP address of the host or website accessed by the user.
Version	HTTP/1.1	HTTP version used by the request.
HTTP Status	404	The standard response code that helps identify the cause of the problem when a web page or other resource does not load properly.
Bytes Sent	8011	Bytes sent as a response by the Barracuda WAF-as-a-Service to the client.
Bytes Received	107	Bytes received from the client as a part of the request.
Cache Hit	0	Specifies whether the response is served out of the Barracuda WAF-as-a-Service cache or from the backend server. Values: 0 – if the request is fetched from the server and given to the user. 1 – if the request is fetched from the cache and given to the user.
Time Taken	0	Total time taken to serve the request from the time the request landed on the Barracuda WAF-as-a-Service until the last byte given out to the client.
Server IP	10.36.45.24	IP address of the backend web server.
Server Port	443	Port associated with the backend web server.
Server Time	0