Common Event Format Configuration Guide

Barracuda Networks
Barracuda Web Application Firewall

Date: Wednesday, February 01, 2017
CEF Connector Configuration Guide

This document is provided for informational purposes only, and the information herein is subject to change without notice. Please report any errors herein to HPE. HPE does not provide any warranties covering this information and specifically disclaims any liability in connection with this document.

Certified CEF: The event format complies with the requirements of the HPE ArcSight Common Event Format. The HPE ArcSight CEF connector will be able to process the events correctly and the events will be available for use within HPE's ArcSight product. In addition, the event content has been deemed to be in accordance with standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation rules, reports and dashboards as a proof-of-concept (POC) of the joint solution.

Barracuda Web Application Firewall
December 15, 2016

Revision History

Date         Description
01/25/2017   First edition of this Configuration Guide.
01/30/2017   Version 900 Certified by HP Enterprise Security.

CEF Connector Support Information (when an issue is outside of the ArcSight team's ability)

In some cases the ArcSight customer service team is unable to help with issues that lie within the configuration itself, in which case the certified vendor should be contacted for assistance:

Barracuda Networks Customer Support
To contact Barracuda Networks online from any locale: visit Barracuda Support for regional contact information. You can also click Create a Support Case.

Barracuda Networks Community Forum: Here you can post and answer other users' questions; visit Barracuda Community Forum to log in or create a new Barracuda Networks Community Forum account.
Barracuda Web Application Firewall Configuration Guide

This guide provides information on how to configure the Barracuda Web Application Firewall v900 and above to collect syslog events that are based on the ArcSight Common Event Format. It also describes the field mappings for the events generated in the following logs:

System Logs - Logs events generated by the system showing the general activity of the Barracuda Web Application Firewall system.
Web Firewall Logs - Logs events which indicate the web firewall activity such as allowing, blocking or modifying the incoming requests and responses as defined in the Barracuda Web Application Firewall rules and policies.
Access Logs - Logs events pertaining to traffic activity and various elements of the incoming HTTP request and the responses from the back-end servers.
Audit Logs - Logs events pertaining to the auditing events generated by the system, including configuration and UI activity by users such as admin.
Network Firewall Logs - Logs events generated whenever network traffic passing through the interfaces (WAN, LAN and MGMT) matches the configured Network ACL rule.

For more information on logs, refer to the Logs Overview and How to Configure Syslog and other Logs articles.

Overview

The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. It scans all inbound web traffic to block attacks, and inspects the HTTP or HTTPS responses from the configured back-end servers for Data Loss Prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for Authentication, Authorization & Accounting (AAA) without requiring application changes. The onboard L4/L7 Load Balancing capabilities enable organizations to add back-end servers quickly to scale deployments as they grow.
Its application acceleration capabilities like SSL Offloading, caching, compression, and connection pooling ensure faster delivery of the web application content.

Configuration

This section provides information on how to configure the syslog server and logs format on the Barracuda Web Application Firewall to send CEF events to HP ArcSight ESM (Enterprise Security Manager).

Adding a Syslog Server

1. Go to the ADVANCED > Export Logs page.
2. In the Export Logs section, click Add Export Log Server. The Add Export Log Server window appears; specify values for the following:
   a. Name - Enter a name for the syslog NG server.
   b. Log Server Type - Select Syslog NG.
   c. IP Address or Hostname - Enter the IP address or the hostname of the HP ArcSight ESM server.
   d. Port - Enter the port associated with the IP address of the HP ArcSight ESM server.
   e. Connection Type - Select the connection type to transmit the logs from the Barracuda Web Application Firewall to the HP ArcSight ESM server. The default port is 1514 for UDP or 1701 for TCP.
   f. Validate Server Certificate - Set to Yes to validate the syslog server certificate using the internal bundle of Certificate Authority (CA) certificates packaged with the system. If set to No, any certificate from the syslog server is accepted.
   g. Client Certificate - When set to Yes, the Barracuda Web Application Firewall presents the certificate while connecting to the syslog server.
   h. Certificate - Select a certificate for the Barracuda Web Application Firewall to present when connecting to the syslog server. Certificates can be uploaded on the BASIC > Certificates page. For more information on how to upload a certificate, see How to Add an SSL Certificate.
   i. Log Timestamp and Hostname - Set to Yes if you want to log the date and time of the event, and the hostname configured in the BASIC > IP Configuration > Domain Configuration section.
3. Click Add.

Configuring ArcSight Format for Logs

1. Go to the ADVANCED > Export Logs page.
2. In the Logs Format section, select the ArcSight logs format for all the logs:
   a. Syslog Header: Select ArcSight Log Header.
   b. Web Firewall Logs Format: Select HPE ArcSight CEF:0.
   c. Access Logs Format: Select HPE ArcSight CEF:0.
   d. Audit Logs Format: Select HPE ArcSight CEF:0.
   e. Network Firewall Logs Format: Select HPE ArcSight CEF:0.
   f. System Logs Format: Select HPE ArcSight CEF:0.
3. Click Save.
Screen Shot

(Screenshots: Access Log Events; Audit Log Events; Network Firewall Log Events; System Log Events; Web Firewall Log Events.)
Events

To view the system log messages and the associated event IDs, refer to the System Log Messages article in the Barracuda Web Application Firewall Documentation. To view the detailed list of attack actions, refer to the Attacks Description Action Policy article in the Barracuda Web Application Firewall Documentation.

Device Event Mapping to ArcSight Data Fields

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, then mapped to an ArcSight data field. The following tables list the mappings from ArcSight data fields to the supported vendor-specific event definitions, one table per log type.

The Barracuda Web Application Firewall Connector Field Mappings

Access Logs

Vendor-Specific Event Definition        ArcSight Event Data Field
Service IP (%ai)                        dvc
Service Port (%ap)                      cn1
Authenticated User (%au)                duser
Bytes Received (%br)                    in
Bytes Sent (%bs)                        out
Cache Hit (%ch)                         cn2
Certificate User (%cu)                  suser
Client IP (%ci)                         src
Client Port (%cp)                       spt
Cookie (%c)                             requestcookies
Client Type (%ct)                       cs1
Custom Header 1 (%cs1)                  BarracudaWafCustomHeader1
Custom Header 2 (%cs2)                  BarracudaWafCustomHeader2
Custom Header 3 (%cs3)                  BarracudaWafCustomHeader3
Host (%h)                               dhost
HTTP Status (%s)                        outcome
Login ID (%id)                          suid
Log Type (%lt)                          cat
Method (%m)                             requestmethod
Protocol (%p)                           app
Protected (%pf)                         cs2
Proxy IP (%px)                          cs3
Profile Matched (%pmf)                  cs4
Proxy Port (%pp)                        cn3
Query String                            msg
Referer (%r)                            requestcontext
Response Type (%rtf)                    BarracudaWafResponseType
Session ID (%sid)                       BarracudaWafSessionID
Server IP                               dst
Server Port (%sp)                       dpt
Server Time (%st)                       flexnumber1
Epoch/Unix Time Stamp (%tarc)           rt
Time Taken (%tt)                        flexnumber2
URL (%u)                                request
User Agent (%ua)                        requestclientapplication
Unit Name (%un)                         dvchost
Unique ID (%uid)                        externalid
Version (%v)                            flexstring1
WF Matched (%wmf)                       cs6

Web Firewall Logs

Vendor-Specific Event Definition        ArcSight Event Data Field
Service IP (%ai)                        dst
Service Port (%ap)                      dpt
Action (%at)                            act
Attack Details (%adl)                   msg
Attack Group (%ag)                      cs4
Authenticated User (%au)                duser
Client IP (%ci)                         src
Client Port (%cp)                       spt
Follow-up Action (%fa)                  cs2
(vendor field missing in the source)    dst
Log Type (%lt)                          cat
Method (%m)                             requestmethod
Protocol (%p)                           app
Proxy IP (%px)                          cs5
Proxy Port (%pp)                        cn2
Referer (%r)                            requestcontext
Rule ID (%ri)                           cs1
Rule Type (%rt)                         cs3
Session ID (%sid)                       cs6
Severity (%sl)                          In Header as "SEVERITY"
Time (%t)                               start
Epoch/Unix Time Stamp (%tarc)           rt
URL (%u)                                request
User Agent (%ua)                        requestclientapplication
Unit Name (%un)                         dvchost
Unique ID (%uid)                        externalid

Audit Logs

Vendor-Specific Event Definition        ArcSight Event Data Field
Additional Data (%add)                  msg
Admin Name (%an)                        duser
Change Type (%cht)                      outcome
Client Type (%ct)                       requestclientapplication
Command Name (%cn)                      deviceprocessname
Login IP (%li)                          src
Login Port (%lp)                        spt
Log Type (%lt)                          cat
New Value (%nv)                         cs1
Object Name (%on)                       fname
Object Type (%ot)                       filetype
Old Value (%ov)                         cs2
Time (%t)                               start
Epoch/Unix Time Stamp (%tarc)           rt
Transaction ID (%tri)                   cn1
Unit Name (%un)                         dvchost
Variable (%var)                         cs3

Network Firewall Logs

Vendor-Specific Event Definition        ArcSight Event Data Field
Action ID (%act)                        act
Details (%dsc)                          cs1
Destination IP (%di)                    dst
Destination Port (%dp)                  dpt
Log Type (%lt)                          cat
Protocol (%p)                           proto
Source IP (%srci)                       src
Source Port (%srcp)                     spt
Time (%t)                               start
Epoch/Unix Time Stamp (%tarc)           rt
Unit Name (%un)                         dvchost

System Logs

Vendor-Specific Event Definition        ArcSight Event Data Field
Event ID (%ei)                          externalid
Log Type (%lt)                          cat
Message (%ms)                           msg
Epoch/Unix Time Stamp (%tarc)           rt
Time (%t)                               start
Unit Name (%un)                         dvchost
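As an added example (not part of this guide and not Barracuda's or HPE's own code), the following Python parses one CEF:0 event and uses the Web Firewall Logs mapping above to relabel the custom-string and custom-number keys (cs1..cs6, cn2, msg) with their vendor field names, so an analyst reading the raw syslog line sees "Rule ID" rather than "cs1". The header and extension escaping rules (\| in the header, \= and \\ in the extension) follow the ArcSight CEF specification; the sample event is constructed, and its vendor, product and version strings are placeholders.

```python
"""Parse a CEF:0 event as described by the tables above and relabel opaque ArcSight
keys (cs1..cs6, cn2, msg) with Web Firewall Log vendor names. Added example."""
import re
WF_KEY_NAMES = {  # Web Firewall Logs rows whose ArcSight key is not self-describing
    "cs1": "Rule ID", "cs2": "Follow-up Action", "cs3": "Rule Type",
    "cs4": "Attack Group", "cs5": "Proxy IP", "cs6": "Session ID",
    "cn2": "Proxy Port", "msg": "Attack Details", "cat": "Log Type",
    "rt": "Epoch/Unix Time Stamp", "start": "Time",
}
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def split_header(line):
    """Return (header dict, extension string). Header pipes arrive escaped as \\|."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # \| or \\ : take next char literally
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = fields[0][4:]  # "CEF:0" -> "0"
    return header, line[i:]

def parse_extension(ext):
    """key=value pairs split on spaces; '=' and '\\' in values arrive as \\= and \\\\."""
    keys = list(re.finditer(r"(?<!\S)([A-Za-z0-9_]+)=", ext))
    unescape = lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].rstrip()
        out[m.group(1)] = re.sub(r"\\(.)", unescape, raw)
    return out

def parse_wf_event(line):
    """Header plus extension, with ArcSight keys relabelled per the table."""
    header, ext = split_header(line)
    return header, {WF_KEY_NAMES.get(k, k): v for k, v in parse_extension(ext).items()}

# Constructed sample; vendor/product/version strings are placeholders.
SAMPLE = ("CEF:0|Barracuda|WAF|9.0|WF|Attack Detected\\|Blocked|5|"
          "cat=WF act=DENY msg=Invalid character in parameter id\\=1 "
          "cs4=INJECTION cs1=12 cs3=GLOBAL cs6=abc123 src=203.0.113.7 spt=51022 "
          "dst=198.51.100.10 dpt=443 request=/login?id\\=1 cn2=8080 rt=1485849600000")
```

Severity is read from the header, matching the "In Header as SEVERITY" row of the Web Firewall Logs table; swap in the Access, Audit or Network Firewall rows to relabel those log types the same way.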