Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Barracuda Box Auth Control Services Logs | | | ✅ | ✅ | barracuda_box_auth_control_services_logs | Text | S3 |
| Barracuda Box Events Logs | | | ✅ | ✅ | barracuda_box_events_logs | CSV without header | S3 |
| Barracuda Box Firewall Logs | | | ✅ | ✅ | barracuda_box_firewall_logs | Text | S3 |
| Barracuda Box Firewall Activity Logs | | | ✅ | ✅ | barracuda_box_firewall_activity_logs | CSV without header | S3 |
| Barracuda Box SSH Logs | | | ✅ | ✅ | barracuda_box_ssh_logs | Text | S3 |
Overview
Barracuda CloudGen Firewall (FW) is a next-generation security solution that integrates advanced threat protection, traffic management, and secure SD-WAN capabilities. Effective log management enhances security, network visibility, and performance optimization.
Firewall logs provide valuable insights into network activity, security incidents, and system health. Analyzing these logs helps detect anomalies, investigate threats, and troubleshoot issues. Integrating them with Security Information and Event Management (SIEM) platforms or monitoring tools strengthens real-time threat detection, compliance, and incident response.
Learn more here.
Supported data types
Barracuda Box Auth Control Services Logs
Overview
Table name: barracuda_box_auth_control_services_logs
These logs capture all authentication-related events processed by the firewall's access control services. They provide visibility into user logins, failed authentication attempts, and policy-based access decisions. These logs are essential for auditing user access and identifying unauthorized login activity.
Send data to Hunters
Hunters supports the collection of Barracuda logs via an intermediary S3 bucket.
To connect Barracuda logs:

1. Follow this guide to set up log routing via Syslog.
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., EC2 instance or on-prem box).
   - Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3:

```
<source>
  # Syslog listener; in_syslog speaks UDP by default (add "protocol_type tcp" for TCP).
  @type syslog
  port 5140
  bind 0.0.0.0
  tag barracuda.logs
</source>

<filter barracuda.logs>
  # Reshape each event into the hostname/message/timestamp record that lands in S3.
  @type record_transformer
  enable_ruby true
  <record>
    hostname ${record["host"]}
    message ${record["message"]}
    timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
  </record>
</filter>

<match barracuda.logs>
  @type s3
  # Static keys shown for completeness; omit aws_key_id/aws_sec_key to let the plugin
  # use the instance profile or IAM role of the Fluentd host instead.
  aws_key_id YOUR_AWS_KEY
  aws_sec_key YOUR_AWS_SECRET
  s3_bucket your-s3-bucket
  s3_region your-region
  path logs/barracuda/
  buffer_path /var/log/td-agent/buffer/s3
  # One object per hour, flushed 10 minutes after the hour closes, as gzip-compressed JSON lines.
  time_slice_format %Y/%m/%d/%H
  time_slice_wait 10m
  compress gzip
  format json
</match>
```

   Make sure your Fluentd host (or the IAM user Fluentd runs as) has an IAM policy statement granting the following S3 permissions on the bucket:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": "arn:aws:s3:::your-s3-bucket/*"
}
```
Once the export is completed and the logs are collected to S3, follow the steps in this section.
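To see what the pipeline above actually writes to the bucket, here is an offline model of it: a syslog datagram is parsed the way in_syslog does, reshaped by the record_transformer filter into a hostname/message/timestamp record, and bucketed into gzip-compressed JSON-lines objects under the path and time_slice_format of the s3 output. This is an added example, not Hunters', Barracuda's or Fluentd's code; the datagrams, the assumed year and timezone, and the "_0.gz" key suffix are constructed assumptions.

```python
"""Offline model of the Fluentd syslog -> record_transformer -> s3 pipeline.
Added example; the syslog lines, year/timezone and key suffix are assumptions."""
import gzip
import json
import re
from datetime import datetime, timedelta, timezone

# "<PRI>MMM DD HH:MM:SS host ident[pid]: message" as in_syslog receives it (RFC 3164).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<ident>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# RFC 3164 timestamps carry neither year nor zone; assume the collector's (constructed: 2024, UTC+1).
ASSUMED_YEAR = 2024
ASSUMED_TZ = timezone(timedelta(hours=1))


def parse_syslog(line: str) -> dict:
    """Split PRI into facility/severity and pull out host, ident, pid and message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts.replace(tzinfo=ASSUMED_TZ),
        "facility": pri >> 3,   # e.g. 4 = auth
        "severity": pri & 7,    # e.g. 6 = info
        "host": m["host"],
        "ident": m["ident"],
        "pid": m["pid"],
        "message": m["message"],
    }


def transform(event: dict) -> dict:
    """The record_transformer step: keep hostname and message, add an ISO-8601 timestamp."""
    return {
        "hostname": event["host"],
        "message": event["message"],
        "timestamp": event["time"].strftime("%Y-%m-%dT%H:%M:%S%z"),
    }


def s3_key(event_time: datetime, prefix: str = "logs/barracuda/") -> str:
    """Object key for path + time_slice_format %Y/%m/%d/%H. The "_0.gz" suffix assumes
    the plugin's default key format (%{path}%{time_slice}_%{index}.%{file_extension})."""
    return f"{prefix}{event_time.strftime('%Y/%m/%d/%H')}_0.gz"


def build_objects(lines) -> dict:
    """Group records by hourly slice and serialise each slice as gzip-compressed JSON lines."""
    slices = {}
    for line in lines:
        ev = parse_syslog(line)
        slices.setdefault(s3_key(ev["time"]), []).append(transform(ev))
    return {key: gzip.compress("".join(json.dumps(r) + "\n" for r in recs).encode())
            for key, recs in slices.items()}


def read_object(blob: bytes) -> list:
    """What a downstream consumer sees when it opens one of the objects."""
    return [json.loads(l) for l in gzip.decompress(blob).decode().splitlines()]


# Constructed datagrams echoing the message bodies shown on this page; not captured traffic.
SAMPLE_DATAGRAMS = [
    "<38>Nov 12 20:15:59 WIH1 phibs: Authentication Timeout(7200) for peer=10.3.34.132 origin=DCCLIENT",
    "<38>Nov 12 20:16:10 WIH1 sshd[4242]: Connection from 10.0.20.5 port 24248 on 10.0.5.45 port 22",
    "<38>Nov 12 21:00:01 WIH1 sshd[4243]: Connection from 10.0.20.6 port 24249 on 10.0.5.45 port 22",
]

if __name__ == "__main__":
    for key, blob in build_objects(SAMPLE_DATAGRAMS).items():
        print(key, read_object(blob))
```

Running it shows two objects, one per hour slice, each holding the flattened records. If a listing of your bucket does not look like this (no hourly prefixes, or objects that are not gzip JSON lines), the time_slice_format, compress or format settings are the first things to compare against the config above.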
Expected format
Logs are expected in key-value format.
2024 11 12 20:15:08 +01:00 Info MSAD-Offline-Groups Domain VDCDC01 on 10.0.16.79 has neither NTLM-groups nor group-caching for MSAD activated. Ignoring.
2024 11 12 20:15:59 +01:00 Info phibs: Authentication Timeout(7200) for peer=10.3.34.132 origin=DCCLIENT server=box service=dcclient box=WIH1 igidiel|||||||CN=FWAUTH_BRM_INET_SKF,OU=Groups_Restricted,OU=NetworkOperations,OU=GLOBAL,OU=RHIMAGNESITA,DC=rhimagnesita,DC=com*CN=VPNClient,OU=NetworkOperations,OU=GLOBAL,OU=RHIMAGNESITA,DC=rhimagnesita,DC=com|1731431749|7200||msad|
Barracuda Box Events Logs
Overview
Table name: barracuda_box_events_logs
The Events Logs serve as a centralized record of significant system events across the Barracuda Box. They log administrative actions, configuration changes, service status updates, and system notifications. This log type is vital for tracking operational history and troubleshooting system behavior.
Send data to Hunters
Hunters supports the collection of Barracuda logs via an intermediary S3 bucket.
To connect Barracuda logs:

1. Follow this guide to set up log routing via Syslog.
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., EC2 instance or on-prem box).
   - Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3:

```
<source>
  # Syslog listener; in_syslog speaks UDP by default (add "protocol_type tcp" for TCP).
  @type syslog
  port 5140
  bind 0.0.0.0
  tag barracuda.logs
</source>

<filter barracuda.logs>
  # Reshape each event into the hostname/message/timestamp record that lands in S3.
  @type record_transformer
  enable_ruby true
  <record>
    hostname ${record["host"]}
    message ${record["message"]}
    timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
  </record>
</filter>

<match barracuda.logs>
  @type s3
  # Static keys shown for completeness; omit aws_key_id/aws_sec_key to let the plugin
  # use the instance profile or IAM role of the Fluentd host instead.
  aws_key_id YOUR_AWS_KEY
  aws_sec_key YOUR_AWS_SECRET
  s3_bucket your-s3-bucket
  s3_region your-region
  path logs/barracuda/
  buffer_path /var/log/td-agent/buffer/s3
  # One object per hour, flushed 10 minutes after the hour closes, as gzip-compressed JSON lines.
  time_slice_format %Y/%m/%d/%H
  time_slice_wait 10m
  compress gzip
  format json
</match>
```

   Make sure your Fluentd host (or the IAM user Fluentd runs as) has an IAM policy statement granting the following S3 permissions on the bucket:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": "arn:aws:s3:::your-s3-bucket/*"
}
```
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format.
2024 11 13 04:15:04 +01:00 Info event: [1071065] Drop Event from 127.0.0.1:19788 - (D|3|WIH1WIHvp|2|vpnserver|3003|FW2FW-DYNMESH-SHS2VDH<->WIH2VDH|WIH1_AUT_1)
Barracuda Box Firewall Logs
Overview
Table name: barracuda_box_firewall_logs
Firewall Logs detail the internal workings of the firewall's rule engine. Each log entry corresponds to traffic that matches a firewall rule, including allowed, denied, or dropped packets. These logs help administrators verify policy effectiveness and investigate blocked or suspicious traffic.
Send data to Hunters
Hunters supports the collection of Barracuda logs via an intermediary S3 bucket.
To connect Barracuda logs:

1. Follow this guide to set up log routing via Syslog.
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., EC2 instance or on-prem box).
   - Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3:

```
<source>
  # Syslog listener; in_syslog speaks UDP by default (add "protocol_type tcp" for TCP).
  @type syslog
  port 5140
  bind 0.0.0.0
  tag barracuda.logs
</source>

<filter barracuda.logs>
  # Reshape each event into the hostname/message/timestamp record that lands in S3.
  @type record_transformer
  enable_ruby true
  <record>
    hostname ${record["host"]}
    message ${record["message"]}
    timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
  </record>
</filter>

<match barracuda.logs>
  @type s3
  # Static keys shown for completeness; omit aws_key_id/aws_sec_key to let the plugin
  # use the instance profile or IAM role of the Fluentd host instead.
  aws_key_id YOUR_AWS_KEY
  aws_sec_key YOUR_AWS_SECRET
  s3_bucket your-s3-bucket
  s3_region your-region
  path logs/barracuda/
  buffer_path /var/log/td-agent/buffer/s3
  # One object per hour, flushed 10 minutes after the hour closes, as gzip-compressed JSON lines.
  time_slice_format %Y/%m/%d/%H
  time_slice_wait 10m
  compress gzip
  format json
</match>
```

   Make sure your Fluentd host (or the IAM user Fluentd runs as) has an IAM policy statement granting the following S3 permissions on the bucket:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": "arn:aws:s3:::your-s3-bucket/*"
}
```
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format.
2024 11 19 00:16:00 +01:00 Security firewall: [Timer] SecurityEvent: (Address-Port Scan) 10 unallowed requests for source IP 10.1.2.238 within 60 seconds
Barracuda Box Firewall Activity Logs
Overview
Table name: barracuda_box_firewall_activity_logs
These logs provide a summarized view of firewall session activity. Rather than showing each individual packet, they track connection-level data such as session start, duration, and data volume. Firewall Activity Logs are useful for understanding network usage patterns and identifying potential anomalies in user behavior.
Send data to Hunters
Hunters supports the collection of Barracuda logs via an intermediary S3 bucket.
To connect Barracuda logs:

1. Follow this guide to set up log routing via Syslog.
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., EC2 instance or on-prem box).
   - Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3:

```
<source>
  # Syslog listener; in_syslog speaks UDP by default (add "protocol_type tcp" for TCP).
  @type syslog
  port 5140
  bind 0.0.0.0
  tag barracuda.logs
</source>

<filter barracuda.logs>
  # Reshape each event into the hostname/message/timestamp record that lands in S3.
  @type record_transformer
  enable_ruby true
  <record>
    hostname ${record["host"]}
    message ${record["message"]}
    timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
  </record>
</filter>

<match barracuda.logs>
  @type s3
  # Static keys shown for completeness; omit aws_key_id/aws_sec_key to let the plugin
  # use the instance profile or IAM role of the Fluentd host instead.
  aws_key_id YOUR_AWS_KEY
  aws_sec_key YOUR_AWS_SECRET
  s3_bucket your-s3-bucket
  s3_region your-region
  path logs/barracuda/
  buffer_path /var/log/td-agent/buffer/s3
  # One object per hour, flushed 10 minutes after the hour closes, as gzip-compressed JSON lines.
  time_slice_format %Y/%m/%d/%H
  time_slice_wait 10m
  compress gzip
  format json
</match>
```

   Make sure your Fluentd host (or the IAM user Fluentd runs as) has an IAM policy statement granting the following S3 permissions on the bucket:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": "arn:aws:s3:::your-s3-bucket/*"
}
```
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format.
2024 09 26 12:15:04 +02:00 Info Detect: FWD|UDP|bond0.1|10.1.31.41|52965|00:00:00:00:00:00|83.164.130.118|53||eth4.105||0|83.64.92.68|83.164.130.118|0|1|0|0|0|0||DNS||||
Barracuda Box SSH Logs
Overview
Table name: barracuda_box_ssh_logs
SSH Logs record secure shell access to the firewall appliance, including login attempts, session start and stop times, and executed commands. These logs are crucial for security auditing, helping ensure that administrative access is properly monitored and unauthorized access is promptly detected.
Send data to Hunters
Hunters supports the collection of Barracuda logs via an intermediary S3 bucket.
To connect Barracuda logs:

1. Follow this guide to set up log routing via Syslog.
2. Receive and process logs using Fluentd:
   - Install Fluentd on a server (e.g., EC2 instance or on-prem box).
   - Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that listens for Syslog messages, parses them, and forwards them to Amazon S3:

```
<source>
  # Syslog listener; in_syslog speaks UDP by default (add "protocol_type tcp" for TCP).
  @type syslog
  port 5140
  bind 0.0.0.0
  tag barracuda.logs
</source>

<filter barracuda.logs>
  # Reshape each event into the hostname/message/timestamp record that lands in S3.
  @type record_transformer
  enable_ruby true
  <record>
    hostname ${record["host"]}
    message ${record["message"]}
    timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
  </record>
</filter>

<match barracuda.logs>
  @type s3
  # Static keys shown for completeness; omit aws_key_id/aws_sec_key to let the plugin
  # use the instance profile or IAM role of the Fluentd host instead.
  aws_key_id YOUR_AWS_KEY
  aws_sec_key YOUR_AWS_SECRET
  s3_bucket your-s3-bucket
  s3_region your-region
  path logs/barracuda/
  buffer_path /var/log/td-agent/buffer/s3
  # One object per hour, flushed 10 minutes after the hour closes, as gzip-compressed JSON lines.
  time_slice_format %Y/%m/%d/%H
  time_slice_wait 10m
  compress gzip
  format json
</match>
```

   Make sure your Fluentd host (or the IAM user Fluentd runs as) has an IAM policy statement granting the following S3 permissions on the bucket:

```json
{
  "Effect": "Allow",
  "Action": [
    "s3:PutObject",
    "s3:PutObjectAcl"
  ],
  "Resource": "arn:aws:s3:::your-s3-bucket/*"
}
```
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Logs are expected in key-value format.
2024 10 28 12:11:24 +01:00 Info sshd: Connection from 10.0.20.5 port 24248 on 10.0.5.45 port 22
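The five "Expected format" samples on this page share one header ("YYYY MM DD HH:MM:SS +HH:MM Level facility: message") and then diverge per facility. The parser below, an added example that is neither Hunters' nor Barracuda's code, splits that header and then extracts the per-facility fields visible in the samples (key=value pairs for the auth log, the event id, the SecurityEvent counters, the pipe-delimited firewall activity columns, and the sshd connection tuple), and runs a small detection over the result. The positional names given to the leading "Detect:" columns are assumptions read off the sample values, not Barracuda's documented schema.

```python
"""Parser for the Barracuda Box log line formats shown on this page, plus a detection.
Added example; the names of the leading Detect: columns are assumptions, not a documented schema."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Every sample starts "YYYY MM DD HH:MM:SS +HH:MM Level [facility:] message".
HEADER_RE = re.compile(
    r"^(?P<date>\d{4} \d{2} \d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"(?P<level>\S+) (?:(?P<facility>[A-Za-z0-9_-]+): )?(?P<message>.*)$"
)
EVENT_RE = re.compile(r"^\[(?P<event_id>\d+)\] (?P<text>.*)$")
SECURITY_EVENT_RE = re.compile(
    r"SecurityEvent: \((?P<event>[^)]+)\) (?P<count>\d+) unallowed requests "
    r"for source IP (?P<src_ip>\S+) within (?P<window_s>\d+) seconds"
)
SSH_CONN_RE = re.compile(
    r"Connection from (?P<src_ip>\S+) port (?P<src_port>\d+) on (?P<dst_ip>\S+) port (?P<dst_port>\d+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
# Assumed meaning of the first eight "|"-separated Detect: columns (inferred from the sample only).
ACTIVITY_FIELDS = ["action", "proto", "in_iface", "src_ip", "src_port", "src_mac", "dst_ip", "dst_port"]


@dataclass
class LogRecord:
    time: datetime
    level: str
    facility: Optional[str]
    message: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> LogRecord:
    """Split the common header, then extract per-facility fields where the format is known."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"unrecognised header: {line!r}")
    rec = LogRecord(datetime.strptime(m["date"], "%Y %m %d %H:%M:%S %z"),
                    m["level"], m["facility"], m["message"])
    msg = rec.message
    if rec.facility == "Detect":                       # firewall activity: pipe-delimited columns
        cols = msg.split("|")
        rec.fields = dict(zip(ACTIVITY_FIELDS, cols))
        rec.fields["columns"] = cols                   # keep the unnamed columns as well
    elif rec.facility == "firewall" and (se := SECURITY_EVENT_RE.search(msg)):
        rec.fields = se.groupdict()
        rec.fields["count"] = int(rec.fields["count"])
        rec.fields["window_s"] = int(rec.fields["window_s"])
    elif rec.facility == "sshd" and (sc := SSH_CONN_RE.search(msg)):
        rec.fields = sc.groupdict()
    elif rec.facility == "phibs":                      # auth: key=value pairs, then "|"-separated group data
        head, _, tail = msg.partition("|")
        rec.fields = dict(KV_RE.findall(head))
        rec.fields["group_data"] = tail
    elif rec.facility == "event" and (ev := EVENT_RE.match(msg)):
        rec.fields = ev.groupdict()
    return rec


def scan_sources(records, min_count: int = 10) -> list:
    """Source IPs the firewall reported in an Address-Port Scan event with at least min_count requests."""
    return [r.fields["src_ip"] for r in records
            if r.fields.get("event") == "Address-Port Scan" and r.fields["count"] >= min_count]


# The sample lines from this page, one per log type.
SAMPLES = [
    "2024 11 12 20:15:08 +01:00 Info MSAD-Offline-Groups Domain VDCDC01 on 10.0.16.79 has neither NTLM-groups nor group-caching for MSAD activated. Ignoring.",
    "2024 11 12 20:15:59 +01:00 Info phibs: Authentication Timeout(7200) for peer=10.3.34.132 origin=DCCLIENT server=box service=dcclient box=WIH1 igidiel|||||||CN=FWAUTH_BRM_INET_SKF,OU=Groups_Restricted,OU=NetworkOperations,OU=GLOBAL,OU=RHIMAGNESITA,DC=rhimagnesita,DC=com*CN=VPNClient,OU=NetworkOperations,OU=GLOBAL,OU=RHIMAGNESITA,DC=rhimagnesita,DC=com|1731431749|7200||msad|",
    "2024 11 13 04:15:04 +01:00 Info event: [1071065] Drop Event from 127.0.0.1:19788 - (D|3|WIH1WIHvp|2|vpnserver|3003|FW2FW-DYNMESH-SHS2VDH<->WIH2VDH|WIH1_AUT_1)",
    "2024 11 19 00:16:00 +01:00 Security firewall: [Timer] SecurityEvent: (Address-Port Scan) 10 unallowed requests for source IP 10.1.2.238 within 60 seconds",
    "2024 09 26 12:15:04 +02:00 Info Detect: FWD|UDP|bond0.1|10.1.31.41|52965|00:00:00:00:00:00|83.164.130.118|53||eth4.105||0|83.64.92.68|83.164.130.118|0|1|0|0|0|0||DNS||||",
    "2024 10 28 12:11:24 +01:00 Info sshd: Connection from 10.0.20.5 port 24248 on 10.0.5.45 port 22",
]

if __name__ == "__main__":
    parsed = [parse_line(s) for s in SAMPLES]
    for r in parsed:
        print(r.time.isoformat(), r.level, r.facility, r.fields or r.message)
    print("scan sources:", scan_sources(parsed))
```

The header regex is deliberately tolerant of a missing "facility:" token, which is why the first sample (the MSAD-Offline-Groups notice) parses with facility None rather than failing; lines that Hunters stores as plain Text still yield a timestamp and level for searching. For the CSV-without-header types, the unnamed columns are kept verbatim so that nothing is lost while the positional meaning is still being confirmed against the vendor's documentation.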