Common Event Format Configuration Guide. Barracuda Networks Barracuda Web Application Firewall Date: Wednesday, February 01, 2017



CEF Connector Configuration Guide

This document is provided for informational purposes only, and the information herein is subject to change without notice. Please report any errors herein to HPE. HPE does not provide any warranties covering this information and specifically disclaims any liability in connection with this document.

Certified CEF: The event format complies with the requirements of the HPE ArcSight Common Event Format. The HPE ArcSight CEF connector will be able to process the events correctly and the events will be available for use within HPE's ArcSight product. In addition, the event content has been deemed to be in accordance with standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation rules, reports and dashboards as a proof-of-concept (POC) of the joint solution.

Barracuda Web Application Firewall
December 15, 2016

Revision History
Date        Description
01/25/2017  First edition of this Configuration Guide.
01/30/2017  Version 900 Certified by HP Enterprise Security

CEF Connector Support Information when an issue is outside of the ArcSight team's ability

In some cases the ArcSight customer service team is unable to help with issues that lie within the configuration itself, in which case the certified vendor should be contacted for assistance:

Barracuda Networks Customer Support
To contact Barracuda Networks online from any locale: Visit Barracuda Support for regional contact information. You can also click Create a Support Case.
Barracuda Networks Community Forum: Here you can post and answer other users' questions; visit Barracuda Community Forum to log in or create a new Barracuda Networks Community Forum account.

Barracuda Web Application Firewall Configuration Guide

This guide provides information on how to configure the Barracuda Web Application Firewall v900 and above to export syslog events based on the ArcSight Common Event Format. It also describes the field mappings for the events generated in the following logs:

System Logs - Logs events generated by the system showing the general activity of the Barracuda Web Application Firewall system.
Web Firewall Logs - Logs events which indicate web firewall activity such as allowing, blocking or modifying the incoming requests and responses as defined in the Barracuda Web Application Firewall rules and policies.
Access Logs - Logs events pertaining to traffic activity and various elements of the incoming HTTP request and the responses from the back-end servers.
Audit Logs - Logs auditing events generated by the system, including configuration and UI activity by users such as admin.
Network Firewall Logs - Logs events generated whenever network traffic passing through the interfaces (WAN, LAN and MGMT) matches a configured Network ACL rule.

For more information on logs, refer to the Logs Overview and How to Configure Syslog and other Logs articles.

Overview

The Barracuda Web Application Firewall blocks an ever-expanding list of sophisticated web-based intrusions and attacks that target applications hosted on web servers and in the cloud. The Barracuda Web Application Firewall scans all inbound web traffic to block attacks, and inspects the HTTP or HTTPS responses from the configured back-end servers for Data Loss Prevention (DLP). The integrated access control engine enables administrators to create granular access control policies for Authentication, Authorization & Accounting (AAA) without requiring application changes. The onboard L4/L7 Load Balancing capabilities enable organizations to add back-end servers quickly to scale deployments as they grow. Its application acceleration capabilities, such as SSL Offloading, caching, compression, and connection pooling, ensure faster delivery of the web application content.

Configuration

This section provides information on how to configure the syslog server and the log format on the Barracuda Web Application Firewall to send CEF events to HP ArcSight ESM (Enterprise Security Manager).

Adding a Syslog Server

1. Go to the ADVANCED > Export Logs page.
2. In the Export Logs section, click Add Export Log Server. The Add Export Log Server window appears; specify values for the following:
   a. Name - Enter a name for the syslog NG server.
   b. Log Server Type - Select Syslog NG.
   c. IP Address or Hostname - Enter the IP address or the hostname of the HP ArcSight ESM server.
   d. Port - Enter the port associated with the IP address of the HP ArcSight ESM server.
   e. Connection Type - Select the connection type used to transmit the logs from the Barracuda Web Application Firewall to the HP ArcSight ESM server. The default port is 1514 for UDP or 1701 for TCP.

   f. Validate Server Certificate - Set to Yes to validate the syslog server certificate against the internal bundle of Certificate Authority (CA) certificates packaged with the system. If set to No, any certificate presented by the syslog server is accepted.
   g. Client Certificate - When set to Yes, the Barracuda Web Application Firewall presents a certificate while connecting to the syslog server.
   h. Certificate - Select the certificate for the Barracuda Web Application Firewall to present when connecting to the syslog server. Certificates can be uploaded on the BASIC > Certificates page. For more information on how to upload a certificate, see How to Add an SSL Certificate.
   i. Log Timestamp and Hostname - Set to Yes if you want to log the date and time of the event, and the hostname configured in the BASIC > IP Configuration > Domain Configuration section.
3. Click Add.

Configuring ArcSight Format for Logs

1. Go to the ADVANCED > Export Logs page.
2. In the Logs Format section, select the ArcSight log format for all the logs:
   a. Syslog Header: Select ArcSight Log Header.
   b. Web Firewall Logs Format: Select HPE ArcSight CEF:0
   c. Access Logs Format: Select HPE ArcSight CEF:0
   d. Audit Logs Format: Select HPE ArcSight CEF:0
   e. Network Firewall Logs Format: Select HPE ArcSight CEF:0
   f. System Logs Format: Select HPE ArcSight CEF:0
3. Click Save.

Screen Shots

Screen Shot: Access Log Events
Screen Shot: Audit Log Events
Screen Shot: Network Firewall Log Events
Screen Shot: System Log Events
Screen Shot: Web Firewall Log Events

Events

To view the system log messages and the associated event IDs, refer to the System Log Messages article in the Barracuda Web Application Firewall Documentation. To view the detailed list of attack actions, refer to the Attacks Description Action Policy article in the Barracuda Web Application Firewall Documentation.

Device Event Mapping to ArcSight Data Fields

Information contained within vendor-specific event definitions is sent to the ArcSight SmartConnector, then mapped to an ArcSight data field. The following table lists the mappings from ArcSight data fields to the supported vendor-specific event definitions.

The Barracuda Web Application Firewall Connector Field Mappings

Vendor-Specific Event Definition    ArcSight Event Data Field

Access Logs
  Service IP (%ai)                  dvc
  Service Port (%ap)                cn1
  Authenticated User (%au)          duser
  Bytes Received (%br)              in
  Bytes Sent (%bs)                  out
  Cache Hit (%ch)                   cn2
  Certificate User (%cu)            suser
  Client IP (%ci)                   src
  Client Port (%cp)                 spt
  Cookie (%c)                       requestcookies
  Client Type (%ct)                 cs1
  Custom Header 1 (%cs1)            BarracudaWafCustomHeader1
  Custom Header 2 (%cs2)            BarracudaWafCustomHeader2
  Custom Header 3 (%cs3)            BarracudaWafCustomHeader3
  Host (%h)                         dhost
  HTTP Status (%s)                  outcome
  Login ID (%id)                    suid
  Log Type (%lt)                    cat
  Method (%m)                       requestmethod
  Protocol (%p)                     app
  Protected (%pf)                   cs2
  Proxy IP (%px)                    cs3
  Profile Matched (%pmf)            cs4
  Proxy Port (%pp)                  cn3
  Query String                      msg
  Referer (%r)                      requestcontext
  Response Type (%rtf)              BarracudaWafResponseType
  Session ID (%sid)                 BarracudaWafSessionID
  Server IP                         dst
  Server Port (%sp)                 dpt
  Server Time (%st)                 flexnumber1
  Epoch/Unix Time Stamp (%tarc)     rt
  Time Taken (%tt)                  flexnumber2
  URL (%u)                          request
  User Agent (%ua)                  requestclientapplication
  Unit Name (%un)                   dvchost
  Unique ID (%uid)                  externalid
  Version (%v)                      flexstring1
  WF Matched (%wmf)                 cs6

Web Firewall Logs
  Service IP (%ai)                  dst
  Service Port (%ap)                dpt
  Action (%at)                      act
  Attack Details (%adl)             msg
  Attack Group (%ag)                cs4
  Authenticated User (%au)          duser
  Client IP (%ci)                   src
  Client Port (%cp)                 spt
  Follow-up Action (%fa)            cs2
  [vendor field missing from the source page]   dst
  Log Type (%lt)                    cat
  Method (%m)                       requestmethod
  Protocol (%p)                     app
  Proxy IP (%px)                    cs5
  Proxy Port (%pp)                  cn2
  Referer (%r)                      requestcontext
  Rule ID (%ri)                     cs1
  Rule Type (%rt)                   cs3
  Session ID (%sid)                 cs6
  Severity (%sl)                    In Header as "SEVERITY"
  Time (%t)                         start
  Epoch/Unix Time Stamp (%tarc)     rt
  URL (%u)                          request
  User Agent (%ua)                  requestclientapplication
  Unit Name (%un)                   dvchost
  Unique ID (%uid)                  externalid

Audit Logs
  Additional Data (%add)            msg
  Admin Name (%an)                  duser
  Change Type (%cht)                outcome
  Client Type (%ct)                 requestclientapplication
  Command Name (%cn)                deviceprocessname
  Login IP (%li)                    src
  Login Port (%lp)                  spt
  Log Type (%lt)                    cat
  New Value (%nv)                   cs1
  Object Name (%on)                 fname
  Object Type (%ot)                 filetype
  Old Value (%ov)                   cs2
  Time (%t)                         start
  Epoch/Unix Time Stamp (%tarc)     rt
  Transaction ID (%tri)             cn1
  Unit Name (%un)                   dvchost
  Variable (%var)                   cs3

Network Firewall Logs
  Action ID (%act)                  act
  Details (%dsc)                    cs1
  Destination IP (%di)              dst
  Destination Port (%dp)            dpt
  Log Type (%lt)                    cat
  Protocol (%p)                     proto
  Source IP (%srci)                 src
  Source Port (%srcp)               spt
  Time (%t)                         start
  Epoch/Unix Time Stamp (%tarc)     rt
  Unit Name (%un)                   dvchost

System Logs
  Event ID (%ei)                    externalid
  Log Type (%lt)                    cat
  Message (%ms)                     msg
  Epoch/Unix Time Stamp (%tarc)     rt
  Time (%t)                         start
  Unit Name (%un)                   dvchost
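A defender verifying that exported Web Firewall events land in the ArcSight fields listed in the mapping table can parse a CEF:0 line (with the ArcSight syslog header in front of it) and compare its extension keys with the table. The following Python parser is an added example and is not code from Barracuda or from HPE ArcSight; the sample event line, its cs1 rule value and the cat value "WF" are constructed for illustration, and the checked key set is a subset of the Web Firewall Logs rows above.

```python
import re

# Extension keys the Web Firewall Logs mapping table assigns (a checked subset).
WEB_FIREWALL_KEYS = {"act", "msg", "cs4", "src", "spt", "cat", "cs1",
                     "request", "rt", "dvchost", "externalid"}

# An unescaped '|' separates the seven CEF header fields; '\|' is a literal pipe.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# In the extension a key is a bare token followed by '='; an escaped '\=' never starts a key.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def _unescape(value):
    """Undo CEF escaping of '=', '|', backslash, newline and carriage return in values."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Turn 'k1=v1 k2=v two' into {'k1': 'v1', 'k2': 'v two'}; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields

def parse_cef(line):
    """Parse one syslog line carrying a CEF:0 record; any syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    parts = _HEADER_SPLIT.split(line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    names = ("vendor", "product", "device_version", "signature_id", "name", "severity")
    header = {"version": parts[0][4:]}
    header.update({n: p.replace("\\|", "|") for n, p in zip(names, parts[1:7])})
    # Web Firewall events carry Severity in the header; keep numeric severities as int.
    if header["severity"].isdigit():
        header["severity"] = int(header["severity"])
    return {"header": header, "ext": parse_extension(parts[7])}

def missing_web_firewall_fields(event):
    """Keys from the checked subset of the mapping table that this event does not carry."""
    return sorted(WEB_FIREWALL_KEYS - event["ext"].keys())

# Constructed sample line (not a real Barracuda event): syslog prefix, then the CEF record.
SAMPLE = ("Feb  1 12:00:00 waf-host CEF:0|Barracuda|WAF|900|WF|Web Firewall Log|5|"
          "act=DENY cat=WF cs1=RULE-PLACEHOLDER src=203.0.113.10 spt=51514 dst=198.51.100.20 "
          "dpt=443 requestmethod=GET request=/login?user\\=admin msg=constructed attack details "
          "cs4=PARAMETER_ATTACKS rt=1485950400000 dvchost=waf-host externalid=1001")

if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["header"]["severity"], ev["ext"]["request"], missing_web_firewall_fields(ev))
```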