Barracuda CloudGen Firewall integration

Version: 1.14.0

Compatible Kibana version(s): 8.13.0 or higher

Supported Serverless project types: Security, Observability

Subscription level: Basic

Level of support: Elastic

This integration ingests and parses logs from Barracuda CloudGen Firewalls.

Barracuda CloudGen Firewall allows you to stream event logs from Firewall Insights to Elastic Agent. This provides information on firewall activity, threat logs, and information related to network, version, and location of managed firewall units. Data is sent to Elastic Agent over a TCP connection using CloudGen Firewall’s built-in generic Logstash output.

Setup

For a detailed walk-through of the setup steps, see How to Enable Filebeat Stream to a Logstash Pipeline in the Barracuda documentation. Those steps were written with a Logstash server as the intended destination; wherever they reference the "Hostname", use the address and port of the Elastic Agent that is running this integration. Logstash is not used as part of this integration.

Logs

This is the Barracuda CloudGen Firewall log dataset. Below is a sample event and a list of fields that can be produced.

Example

An example event for the log data stream looks as follows:

{
    "@timestamp": "2020-11-24T15:02:21.000Z",
    "agent": {
        "ephemeral_id": "b620e757-d3b2-4b59-8c2b-cce4d2f17081",
        "id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.5.0"
    },
    "barracuda_cloudgen_firewall": {
        "log": {
            "app_rule": "<App>:ALL-APPS",
            "fw_info": 2007
        }
    },
    "data_stream": {
        "dataset": "barracuda_cloudgen_firewall.log",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "address": "67.43.156.78",
        "as": {
            "number": 35908
        },
        "bytes": 561503,
        "geo": {
            "continent_name": "Asia",
            "country_iso_code": "BT",
            "country_name": "Bhutan",
            "location": {
                "lat": 27.5,
                "lon": 90.5
            }
        },
        "ip": "67.43.156.78",
        "mac": "00-0C-29-00-D6-00",
        "nat": {
            "ip": "67.43.156.100"
        },
        "packets": 439,
        "port": 443
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
        "snapshot": true,
        "version": "8.5.0"
    },
    "event": {
        "action": "End",
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "dataset": "barracuda_cloudgen_firewall.log",
        "duration": -153934592,
        "ingested": "2022-09-21T13:30:52Z",
        "kind": "event",
        "type": [
            "end"
        ]
    },
    "input": {
        "type": "lumberjack"
    },
    "labels": {
        "origin_address": "172.20.0.4:34752"
    },
    "network": {
        "community_id": "1:HGU1tX9W2VUF5ND2ey3X6Niv/AQ=",
        "iana_number": "6",
        "transport": "tcp",
        "type": "ipv4"
    },
    "observer": {
        "egress": {
            "interface": {
                "name": "eth0"
            }
        },
        "hostname": "cgf-scout-int",
        "ingress": {
            "interface": {
                "name": "eth0"
            }
        },
        "product": "ngfw",
        "serial_number": "4f94abdf7a8c465fa2cd76f680ecafd1",
        "type": "firewall",
        "vendor": "Barracuda"
    },
    "related": {
        "ip": [
            "10.17.35.171",
            "67.43.156.78"
        ]
    },
    "rule": {
        "name": "BOX-LAN-2-INTERNET"
    },
    "source": {
        "address": "10.17.35.171",
        "bytes": 7450,
        "ip": "10.17.35.171",
        "mac": "00-0C-29-9A-0A-78",
        "nat": {
            "ip": "10.17.35.175"
        },
        "packets": 129,
        "port": 40532
    },
    "tags": [
        "barracuda_cloudgen_firewall-log",
        "forwarded"
    ]
}

Exported fields

Field | Description | Type
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
barracuda_cloudgen_firewall.log.app_rule | Application rule name (e.g. "<App>:ALL-APPS") | keyword
barracuda_cloudgen_firewall.log.fw_info | Detailed information about the action performed by the firewall. More information can be found here. | long
barracuda_cloudgen_firewall.log.traffic_type | Always "0" | long
barracuda_cloudgen_firewall.log.user_type | User type of web log. "1" if "user" is a username, "0" if "user" is an IP address. | keyword
data_stream.dataset | Data stream dataset. | constant_keyword
data_stream.namespace | Data stream namespace. | constant_keyword
data_stream.type | Data stream type. | constant_keyword
event.dataset | Event dataset | constant_keyword
event.module | Event module | constant_keyword
input.type | Type of Filebeat input. | keyword
labels.origin_address | Remote address where the log originated. | keyword
labels.origin_client_subject | Distinguished name of the subject of the X.509 certificate presented by the origin client when mutual TLS is enabled. | keyword
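The sample event above shows the ECS shape this data stream produces, and it also shows one value a practitioner should watch for: event.duration is negative. The following Python is an added example, not code from the Elastic integration or from Barracuda, that runs a few data-quality checks over events in this shape (negative duration, source or destination IP missing from related.ip, an unexpected user_type value) and summarizes sessions per firewall rule. The events in SAMPLE_EVENTS are constructed; the first mirrors the page's sample event, and the helper names (get, check_event, summarize_by_rule) are this example's own.

```python
"""Sanity checks over Barracuda CloudGen Firewall events in the ECS shape
the integration produces (see the sample event above).

Added example, not part of the Elastic integration or Barracuda's tooling.
All events below are constructed; the first mirrors the page's sample event.
"""
from collections import defaultdict

# Constructed test data. Only the fields the checks need are included.
SAMPLE_EVENTS = [
    {   # mirrors the page's sample event, including its negative duration
        "@timestamp": "2020-11-24T15:02:21.000Z",
        "event": {"action": "End", "duration": -153934592, "type": ["end"]},
        "rule": {"name": "BOX-LAN-2-INTERNET"},
        "source": {"ip": "10.17.35.171", "bytes": 7450, "packets": 129, "port": 40532},
        "destination": {"ip": "67.43.156.78", "bytes": 561503, "packets": 439, "port": 443},
        "related": {"ip": ["10.17.35.171", "67.43.156.78"]},
        "barracuda_cloudgen_firewall": {"log": {"app_rule": "<App>:ALL-APPS", "fw_info": 2007}},
    },
    {   # constructed: a well-formed session on the same rule
        "@timestamp": "2020-11-24T15:03:05.000Z",
        "event": {"action": "End", "duration": 2500000000, "type": ["end"]},
        "rule": {"name": "BOX-LAN-2-INTERNET"},
        "source": {"ip": "10.17.35.172", "bytes": 1000, "packets": 10, "port": 51000},
        "destination": {"ip": "67.43.156.79", "bytes": 2000, "packets": 12, "port": 443},
        "related": {"ip": ["10.17.35.172", "67.43.156.79"]},
        "barracuda_cloudgen_firewall": {"log": {"app_rule": "<App>:ALL-APPS", "fw_info": 2007}},
    },
    {   # constructed: related.ip was not fully populated by the pipeline
        "@timestamp": "2020-11-24T15:04:40.000Z",
        "event": {"action": "End", "duration": 1000000, "type": ["end"]},
        "rule": {"name": "BOX-DMZ-2-LAN"},
        "source": {"ip": "10.17.36.20", "bytes": 300, "packets": 4, "port": 44000},
        "destination": {"ip": "10.17.35.5", "bytes": 900, "packets": 6, "port": 22},
        "related": {"ip": ["10.17.36.20"]},
        "barracuda_cloudgen_firewall": {"log": {"app_rule": "<App>:ALL-APPS", "fw_info": 2007}},
    },
]


def get(event, path, default=None):
    """Walk a dotted ECS field path such as "source.ip" through nested dicts."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_event(event):
    """Return a list of data-quality problems found in one event (empty if clean)."""
    issues = []
    duration = get(event, "event.duration")
    if duration is not None and duration < 0:
        issues.append(f"event.duration is negative ({duration})")
    related = set(get(event, "related.ip", []))
    for field in ("source.ip", "destination.ip"):
        ip = get(event, field)
        if ip is not None and ip not in related:
            issues.append(f"{field} {ip} missing from related.ip")
    # user_type is a keyword field documented as "1" (username) or "0" (IP address)
    user_type = get(event, "barracuda_cloudgen_firewall.log.user_type")
    if user_type is not None and user_type not in ("0", "1"):
        issues.append(f"user_type has unexpected value {user_type!r}")
    return issues


def summarize_by_rule(events):
    """Per firewall rule: session count, bytes in both directions, and issue count."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "issues": 0})
    for event in events:
        entry = summary[get(event, "rule.name", "<no rule>")]
        entry["flows"] += 1
        entry["bytes"] += (get(event, "source.bytes") or 0) + (get(event, "destination.bytes") or 0)
        entry["issues"] += len(check_event(event))
    return dict(summary)


if __name__ == "__main__":
    for rule, stats in summarize_by_rule(SAMPLE_EVENTS).items():
        print(f"{rule}: {stats}")
```

Running the script on the constructed events reports the negative duration on the page's own sample and the incomplete related.ip on the third event; against real data, feed it a batch of documents exported from the data stream and treat a non-zero issue count per rule as a prompt to review the pipeline output before building detections on those fields.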

Changelog
Version | Details | Kibana version(s)
1.14.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher
1.13.0 | Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 or higher
1.12.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher
1.11.0 | Enhancement: Update manifest format version to v3.0.3. | 8.5.0 or higher
1.10.1 | Enhancement: Changed owners. | 8.5.0 or higher
1.10.0 | Enhancement: ECS version updated to 8.11.0. | 8.5.0 or higher
1.9.0 | Enhancement: Improve event.original check to avoid errors if set. | 8.5.0 or higher
1.8.0 | Enhancement: ECS version updated to 8.10.0. | 8.5.0 or higher
1.7.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. | 8.5.0 or higher
1.6.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.5.0 or higher
1.5.0 | Enhancement: Update package to ECS 8.9.0. | 8.5.0 or higher
1.4.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.5.0 or higher
1.3.0 | Enhancement: Update package to ECS 8.8.0. | 8.5.0 or higher
1.2.0 | Enhancement: Update package-spec version to 2.7.0. | 8.5.0 or higher
1.1.0 | Enhancement: Update package to ECS 8.7.0. | 8.5.0 or higher
1.0.0 | Enhancement: Release Barracuda CloudGen Firewall as GA. | 8.5.0 or higher
0.3.1 | Enhancement: Added categories and/or subcategories. |
0.3.0 | Enhancement: Update package to ECS 8.6.0. |
0.2.0 | Enhancement: Update package to ECS 8.5.0. |
0.1.0 | Enhancement: Initial release. |