Barracuda

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method

Barracuda Box Auth Control Services Logs | ✅ | ✅ | barracuda_box_auth_control_services_logs | Text | S3
Barracuda Box Events Logs | ✅ | ✅ | barracuda_box_events_logs | CSV without header | S3
Barracuda Box Firewall Logs | ✅ | ✅ | barracuda_box_firewall_logs | Text | S3
Barracuda Box Firewall Activity Logs | ✅ | ✅ | barracuda_box_firewall_activity_logs | CSV without header | S3
Barracuda Box SSH Logs | ✅ | ✅ | barracuda_box_ssh_logs | Text | S3


Overview

Barracuda CloudGen Firewall (FW) is a next-generation security solution that integrates advanced threat protection, traffic management, and secure SD-WAN capabilities. Effective log management enhances security, network visibility, and performance optimization.

Firewall logs provide valuable insights into network activity, security incidents, and system health. Analyzing these logs helps detect anomalies, investigate threats, and troubleshoot issues. Integrating them with Security Information and Event Management (SIEM) platforms or monitoring tools strengthens real-time threat detection, compliance, and incident response.

Learn more here.

Supported data types

Barracuda Box Auth Control Services Logs

Overview

Table name: barracuda_box_auth_control_services_logs

These logs capture all authentication-related events processed by the firewall's access control services. They provide visibility into user logins, failed authentication attempts, and policy-based access decisions. These logs are essential for auditing user access and identifying unauthorized login activity.

Send data to Hunters

Hunters supports the collection of Barracuda logs via an intermediary S3 bucket.

To connect Barracuda logs:

  1. Follow this guide to set up log routing via Syslog.

  2. Receive and Process Logs using Fluentd:

    Install Fluentd on a server (e.g., EC2 instance or on-prem box).

    Here’s a sample Fluentd config (td-agent.conf or fluent.conf) that:

    • Listens for Syslog messages

    • Parses them

    • Forwards them to Amazon S3

      # Receive Syslog from the firewall (UDP by default; add <transport tcp>
      # inside <source> if the box is configured to send over TCP).
      <source>
        @type syslog
        port 5140
        bind 0.0.0.0
        tag barracuda.logs
      </source>
      
      # Keep the sending host and the raw message, and add an ISO 8601 timestamp.
      <filter barracuda.logs>
        @type record_transformer
        enable_ruby true
        <record>
          hostname ${record["host"]}
          message ${record["message"]}
          timestamp ${time.strftime('%Y-%m-%dT%H:%M:%S%z')}
        </record>
      </filter>
      
      # Write hourly gzip-compressed JSON objects to S3. On EC2 prefer an IAM
      # instance role and omit aws_key_id/aws_sec_key; never commit real keys.
      <match barracuda.logs>
        @type s3
        aws_key_id YOUR_AWS_KEY
        aws_sec_key YOUR_AWS_SECRET
        s3_bucket your-s3-bucket
        s3_region your-region
        path logs/barracuda/
        time_slice_format %Y/%m/%d/%H
        store_as gzip
        <format>
          @type json
        </format>
        <buffer time>
          @type file
          path /var/log/td-agent/buffer/s3
          timekey 1h
          timekey_wait 10m
        </buffer>
      </match>
  3. Make sure the IAM identity Fluentd runs as (the instance role of the Fluentd host, or the IAM user whose keys are in the config) has the following S3 permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl"
          ],
          "Resource": "arn:aws:s3:::your-s3-bucket/*"
        }
      ]
    }
    
  4. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format.

2024 11 12 20:15:08 +01:00 Info     MSAD-Offline-Groups Domain VDCDC01 on 10.0.16.79 has neither NTLM-groups nor group-caching for MSAD activated. Ignoring.
2024 11 12 20:15:59 +01:00 Info     phibs: Authentication Timeout(7200) for peer=10.3.34.132 origin=DCCLIENT server=box service=dcclient box=WIH1 igidiel|||||||CN=FWAUTH_BRM_INET_SKF,OU=Groups_Restricted,OU=NetworkOperations,OU=GLOBAL,OU=RHIMAGNESITA,DC=rhimagnesita,DC=com*CN=VPNClient,OU=NetworkOperations,OU=GLOBAL,OU=RHIMAGNESITA,DC=rhimagnesita,DC=com|1731431749|7200||msad|

Barracuda Box Events Logs

Overview

Table name: barracuda_box_events_logs

The Events Logs serve as a centralized record of significant system events across the Barracuda Box. They log administrative actions, configuration changes, service status updates, and system notifications. This log type is vital for tracking operational history and troubleshooting system behavior.

Send data to Hunters

Hunters supports the collection of Barracuda logs via an intermediary S3 bucket. The Syslog-to-Fluentd-to-S3 setup and the S3 permissions are the same for every Barracuda log type: follow steps 1 to 4 under "Barracuda Box Auth Control Services Logs" > "Send data to Hunters" above.

Expected format

Logs are expected in key-value format.

2024 11 13 04:15:04 +01:00 Info     event: [1071065] Drop Event from 127.0.0.1:19788 - (D|3|WIH1WIHvp|2|vpnserver|3003|FW2FW-DYNMESH-SHS2VDH<->WIH2VDH|WIH1_AUT_1)

Barracuda Box Firewall Logs

Overview

Table name: barracuda_box_firewall_logs

Firewall Logs detail the internal workings of the firewall's rule engine. Each log entry corresponds to traffic that matches a firewall rule, including allowed, denied, or dropped packets. These logs help administrators verify policy effectiveness and investigate blocked or suspicious traffic.

Send data to Hunters

Hunters supports the collection of Barracuda logs via an intermediary S3 bucket. The Syslog-to-Fluentd-to-S3 setup and the S3 permissions are the same for every Barracuda log type: follow steps 1 to 4 under "Barracuda Box Auth Control Services Logs" > "Send data to Hunters" above.

Expected format

Logs are expected in key-value format.

2024 11 19 00:16:00 +01:00 Security firewall: [Timer] SecurityEvent: (Address-Port Scan) 10 unallowed requests for source IP 10.1.2.238 within 60 seconds

Barracuda Box Firewall Activity Logs

Overview

Table name: barracuda_box_firewall_activity_logs

These logs provide a summarized view of firewall session activity. Rather than showing each individual packet, they track connection-level data such as session start, duration, and data volume. Firewall Activity Logs are useful for understanding network usage patterns and identifying potential anomalies in user behavior.

Send data to Hunters

Hunters supports the collection of Barracuda logs via an intermediary S3 bucket. The Syslog-to-Fluentd-to-S3 setup and the S3 permissions are the same for every Barracuda log type: follow steps 1 to 4 under "Barracuda Box Auth Control Services Logs" > "Send data to Hunters" above.

Expected format

Logs are expected in key-value format.

2024 09 26 12:15:04 +02:00 Info     Detect: FWD|UDP|bond0.1|10.1.31.41|52965|00:00:00:00:00:00|83.164.130.118|53||eth4.105||0|83.64.92.68|83.164.130.118|0|1|0|0|0|0||DNS||||

Barracuda Box SSH Logs

Overview

Table name: barracuda_box_ssh_logs

SSH Logs record secure shell access to the firewall appliance, including login attempts, session start and stop times, and executed commands. These logs are crucial for security auditing, helping ensure that administrative access is properly monitored and unauthorized access is promptly detected.

Send data to Hunters

Hunters supports the collection of Barracuda logs via an intermediary S3 bucket. The Syslog-to-Fluentd-to-S3 setup and the S3 permissions are the same for every Barracuda log type: follow steps 1 to 4 under "Barracuda Box Auth Control Services Logs" > "Send data to Hunters" above.

Expected format

Logs are expected in key-value format.

2024 10 28 12:11:24 +01:00 Info     sshd: Connection from 10.0.20.5 port 24248 on 10.0.5.45 port 22
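All five sample lines on this page share one prefix (date, time, UTC offset, level, optional "service:" tag, body). The following parser is an added example, not Hunters' or Barracuda's code: it splits that prefix, collects key=value pairs such as peer= and box=, and handles the two structured bodies shown above, the firewall SecurityEvent line and the pipe-delimited "Detect:" activity record. The column names for the activity record and the scan_sources helper are assumptions, not a documented Barracuda schema.

```python
import re
from datetime import datetime

# Common prefix: "YYYY MM DD HH:MM:SS +HH:MM <Level>   [<service>: ]<body>"
PREFIX_RE = re.compile(
    r"^(?P<ts>\d{4} \d{2} \d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+"
    r"(?P<level>\S+)\s+(?:(?P<service>[\w.-]+):\s+)?(?P<body>.*)$"
)
# Firewall log body: "[Timer] SecurityEvent: (Address-Port Scan) 10 unallowed ..."
SCAN_RE = re.compile(
    r"SecurityEvent: \((?P<event>[^)]+)\) (?P<count>\d+) unallowed requests "
    r"for source IP (?P<src_ip>[\d.]+) within (?P<window>\d+) seconds"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # peer=..., origin=..., box=...
# Leading columns of the pipe-delimited "Detect:" activity record. These
# names are positional assumptions, not Barracuda's documented schema.
ACTIVITY_COLS = ("action", "proto", "iface", "src_ip", "src_port",
                 "src_mac", "dst_ip", "dst_port")


def parse_line(line: str) -> dict:
    """Split one box-log line into prefix fields plus message-specific fields."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Barracuda log line: {line!r}")
    rec = m.groupdict()
    # "%z" accepts the colon form "+01:00" on Python 3.7+
    rec["timestamp"] = datetime.strptime(rec.pop("ts"), "%Y %m %d %H:%M:%S %z")
    body = rec["body"]
    rec["kv"] = dict(KV_RE.findall(body))
    scan = SCAN_RE.search(body)
    if scan:                            # firewall SecurityEvent line
        rec.update(scan.groupdict())
        rec["count"], rec["window"] = int(rec["count"]), int(rec["window"])
    elif rec["service"] == "Detect":    # firewall activity (session) record
        fields = body.split("|")
        rec.update(zip(ACTIVITY_COLS, fields))
        rec["activity_fields"] = fields
    return rec


def scan_sources(lines, min_requests: int = 10) -> dict:
    """Map source IP -> highest request count among SecurityEvent scan lines
    that reached min_requests, so noisy scanners surface from a batch."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if "event" in rec and rec["count"] >= min_requests:
            hits[rec["src_ip"]] = max(hits.get(rec["src_ip"], 0), rec["count"])
    return hits
```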