Barracuda WAF Log Parsing


I would appreciate some guidance on debugging the Barracuda WAF Filebeat module.

I am running this with Filebeat rather than fleet at the moment as fleet is still in Beta and when I try running it in Fleet I get zero logs.

Running with Filebeat, the process opens up port 9503 as expected and I am getting logs. The problem is that they are not being parsed very well and no fields are being extracted.

In the WAF config, there are a few options for format to set the various log options to but I can't seem to get the logging to parse correctly. Filebeat README file suggests that the log format should be in the format of "RSA NetWitness log parser 2.0" but I can't find anything definitive to describe what that looks like.

I have found some useful resources that will help me customise the logs - the Barracuda website has details on log formats:

Barracuda Log Format

I also found a PDF on RSA which offers a suggestion of how to configure the WAF but that doesn't get more more fields parsed - possible because its quite old:

RSA Log Format

I have tried looking at the pipeline, ingest and other files but I just can't follow them. Can anyone point me to an example of a working log file - ideally for Web Log Filtering and Access Logs so I can aim to match the syslog format.

My alternative is to use Logstash but I would prefer to use Filebeat if possible as its ECS processing will save me lots of time.

For some context, screenshot below is from WAF settings which shows various options for logging customisation

Thanks in advance

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.