Barracuda CloudGen Firewall Logs
Collect logs from Barracuda CloudGen Firewall devices with Elastic Agent.
Version | 1.13.0 (View all) |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security Observability |
Subscription level | Basic |
Level of support | Elastic |
This integration ingests and parses logs from Barracuda CloudGen Firewalls.
Barracuda CloudGen Firewall allows you to stream event logs from Firewall Insights to Elastic Agent. This provides information on firewall activity, threat logs, and information related to network, version, and location of managed firewall units. Data is sent to Elastic Agent over a TCP connection using CloudGen Firewall's built-in generic Logstash output.
Setup
For a detailed walk-through of the setup steps the see How to Enable Filebeat Stream to a Logstash Pipeline. These steps were written with a Logstash server as the intended destination, and where it references the "Hostname" use the address and port of the Elastic Agent that is running this integration. Logstash is not used as part of this integration.
Logs
This is the Barracuda CloudGen Firewall log dataset. Below is a sample
event and a list of fields that can be produced.
An example event for log looks as following:
{
"@timestamp": "2020-11-24T15:02:21.000Z",
"agent": {
"ephemeral_id": "b620e757-d3b2-4b59-8c2b-cce4d2f17081",
"id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.5.0"
},
"barracuda_cloudgen_firewall": {
"log": {
"app_rule": "<App>:ALL-APPS",
"fw_info": 2007
}
},
"data_stream": {
"dataset": "barracuda_cloudgen_firewall.log",
"namespace": "ep",
"type": "logs"
},
"destination": {
"address": "67.43.156.78",
"as": {
"number": 35908
},
"bytes": 561503,
"geo": {
"continent_name": "Asia",
"country_iso_code": "BT",
"country_name": "Bhutan",
"location": {
"lat": 27.5,
"lon": 90.5
}
},
"ip": "67.43.156.78",
"mac": "00-0C-29-00-D6-00",
"nat": {
"ip": "67.43.156.100"
},
"packets": 439,
"port": 443
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
"snapshot": true,
"version": "8.5.0"
},
"event": {
"action": "End",
"agent_id_status": "verified",
"category": [
"network"
],
"dataset": "barracuda_cloudgen_firewall.log",
"duration": -153934592,
"ingested": "2022-09-21T13:30:52Z",
"kind": "event",
"type": [
"end"
]
},
"input": {
"type": "lumberjack"
},
"labels": {
"origin_address": "172.20.0.4:34752"
},
"network": {
"community_id": "1:HGU1tX9W2VUF5ND2ey3X6Niv/AQ=",
"iana_number": "6",
"transport": "tcp",
"type": "ipv4"
},
"observer": {
"egress": {
"interface": {
"name": "eth0"
}
},
"hostname": "cgf-scout-int",
"ingress": {
"interface": {
"name": "eth0"
}
},
"product": "ngfw",
"serial_number": "4f94abdf7a8c465fa2cd76f680ecafd1",
"type": "firewall",
"vendor": "Barracuda"
},
"related": {
"ip": [
"10.17.35.171",
"67.43.156.78"
]
},
"rule": {
"name": "BOX-LAN-2-INTERNET"
},
"source": {
"address": "10.17.35.171",
"bytes": 7450,
"ip": "10.17.35.171",
"mac": "00-0C-29-9A-0A-78",
"nat": {
"ip": "10.17.35.175"
},
"packets": 129,
"port": 40532
},
"tags": [
"barracuda_cloudgen_firewall-log",
"forwarded"
]
}
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
barracuda_cloudgen_firewall.log.app_rule | application rule name (e.g. "<App>:ALL-APPS") | keyword |
barracuda_cloudgen_firewall.log.fw_info | Detailed information about the action performed by the firewall. More information can be found here | long |
barracuda_cloudgen_firewall.log.traffic_type | Always "0" | long |
barracuda_cloudgen_firewall.log.user_type | User type of web log. 1 if "user" is a username or 0 if "user" is an IP address. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
input.type | Type of Filebeat input. | keyword |
labels.origin_address | Remote address where the log originated. | keyword |
labels.origin_client_subject | Distinguished name of subject of the x.509 certificate presented by the origin client when mutual TLS is enabled. | keyword |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.13.0 | Enhancement View pull request | 8.13.0 or higher |
1.12.0 | Enhancement View pull request | 8.13.0 or higher |
1.11.0 | Enhancement View pull request | 8.5.0 or higher |
1.10.1 | Enhancement View pull request | 8.5.0 or higher |
1.10.0 | Enhancement View pull request | 8.5.0 or higher |
1.9.0 | Enhancement View pull request | 8.5.0 or higher |
1.8.0 | Enhancement View pull request | 8.5.0 or higher |
1.7.0 | Enhancement View pull request | 8.5.0 or higher |
1.6.0 | Enhancement View pull request | 8.5.0 or higher |
1.5.0 | Enhancement View pull request | 8.5.0 or higher |
1.4.0 | Enhancement View pull request | 8.5.0 or higher |
1.3.0 | Enhancement View pull request | 8.5.0 or higher |
1.2.0 | Enhancement View pull request | 8.5.0 or higher |
1.1.0 | Enhancement View pull request | 8.5.0 or higher |
1.0.0 | Enhancement View pull request | 8.5.0 or higher |
0.3.1 | Enhancement View pull request | — |
0.3.0 | Enhancement View pull request | — |
0.2.0 | Enhancement View pull request | — |
0.1.0 | Enhancement View pull request | — |