
Export Logs

In document Barracuda Web Application Firewall (Page 149-152)

ADVANCED > Export Logs displays all parameters and resources for configuring the log policy on a service. The Barracuda Web Application Firewall uses this policy to generate the logs in standard and custom formats, and then exports them to the configured servers.

To export Web log messages to an FTP server, configure the FTP Access Logs section on ADVANCED > Export Logs.

Syslog

The Syslog section on ADVANCED > Export Logs configures export to remote syslog servers; syslog is the standard UNIX/Linux logging facility. Enter the name and IP address of up to 3 syslog servers to which you will export System Events, Web Firewall logs, Access logs, and Audit logs. If you are running syslog on a UNIX machine, be sure to start the syslog daemon with the "-r" option so that it accepts messages from hosts other than itself. Windows users have to install a separate program to receive syslog, since the Windows OS does not include this capability. Kiwi Syslog is a popular solution, but there are many others to choose from, both free and commercial.

The syslog messages are sent over UDP to the standard syslog port of 514. If there are any firewalls between the Barracuda Web Application Firewall and the servers receiving the syslog messages, be sure that UDP port 514 is open on them.

To configure System Logs, use the Syslog section on the ADVANCED > Export Logs page. You need to enter the name and IP address of the syslog server, and choose whether to time stamp log entries or to log the unit name of the Barracuda Web Application Firewall that generated the log entry. For more detailed instructions for configuring system logs, see the online help.

To monitor the system logs, go to the Syslog section on ADVANCED > Export Logs and click Monitor Syslog.

Syslog Facility

The syslog server receives different types of log messages from various hosts. Each log message contains the actual message and the sender's IP address, as well as a logging priority and a logging facility. To differentiate log messages arriving at the same syslog server and store them in separate files according to their log type, use the logging facility.

Note

Usually, filtered logs are saved in .csv format. If no filter is applied, all logs are saved in .csv format.

All log messages can be marked with one of the following facilities: local0, local1, local2, local3, local4, local5, local6, or local7. Setting a different facility (default = local0) for each log type allows the syslog server to segregate the logs into different files. Otherwise, all log messages will be in one file.

To configure facilities for different log types, go to the Syslog section on ADVANCED > Export Logs and click Syslog Settings. Here you can select the appropriate facility (Local0 to Local7) from the drop-down list for each log type.

To configure log levels for different modules, use the Module Log Levels section on ADVANCED > Export Logs.

Specify a Name, and select a Module and Log Level. For more detailed instructions, see the online help.

Custom Logs Formats

The format of the Web Firewall Logs, Access Logs, and Audit Logs sent to the syslog server can be customized. You can choose between the Common Log Format, NCSA Extended Format, W3C Extended Format, Default, or Custom Format. The Common Log Format, NCSA Extended Format, W3C Extended Format, and Default formats are predefined and cannot be edited. Given below are the steps to specify the Custom Format.

To customize the log format for any Log Type (except System Logs), use ADVANCED > Export Logs. In the Logs Format section, select Custom Format for any of the log types. The online help explains the ways a Custom Format can be defined.

For information on how to manage these logs please see the documentation available for your syslog server.

FTP Access Logs

FTP Access Logs allow configuration of the FTP server that will host the Access logs and the format of log events being transported.

To configure FTP Access Logs, specify the IP address, port and login credentials of the FTP server.

Indicate the destination directory for the logs, and the logged data format. For detailed configuration instructions, see online help.

Note

You can set the same facility for all log types. Then System Logs, Web Firewall Logs, Access Logs, and Audit Logs would be in the same file.

Table 15.4: Table of Logs (format tokens available for each log type)

System Logs:
%t - Time Stamp
%md - Module Name
%ll - Log Level
%ei - Event ID
%ms - Message

Web Firewall Logs:
%t - Time Stamp
%un - Unit Name
%lt - Log Type
%sl - Severity Level
%ad - Attack Description
%ci - Client IP
%cp - Client Port
%ai - Application IP
%ap - Application Port
%ri - Rule ID
%rt - Rule Type
%at - Action Taken
%fa - Follow-up Action
%adl - Attack Details
%m - Method
%u - URL
%p - Protocol
%sid - Session ID
%r - Referrer
%aid - Attack ID
%ag - Attack Group

Access Logs:
%t - Time Stamp
%un - Unit Name
%lt - Log Type
%ai - Application IP
%ap - Application Port
%ci - Client IP
%cp - Client Port
%id - Login ID
%cu - Certificate User
%m - Method
%p - Protocol
%h - Host
%v - Version
%s - HTTP Status
%bs - Bytes Sent
%br - Bytes Received
%ch - Cache Hit
%tt - Time Taken
%rtf - Response Type Field
%pmf - Profile Matched Field
%pf - Protected Field
%wmf - WF Matched Field

Audit Logs:
%t - Time Stamp
%un - Unit Name
%lt - Log Type
%an - Admin Name
%ct - Client Type
%li - Login IP
%lp - Login Port
%trt - Transaction Type
%tri - Transaction ID
%cn - Command Name
%cht - Change Type
%ot - Object Type
%on - Object Name
%var - Variable
%ov - Old Value
%nv - New Value
%add - Additional Data
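As an added example (not code from the Barracuda documentation), a small receiver-side Python parser that ties the two configuration points above together: it reads the syslog PRI to recover the facility (and so, under an assumed local0 to local3 assignment, the log type), then matches the message against a Custom Format string built from the Table 15.4 tokens. The facility assignment, the format strings, the space-separated/double-quoted field convention and the sample datagrams are all assumptions constructed for this example.

```python
import re

# Facility assignment a defender might choose under Syslog Settings so the receiving
# server can segregate log types (constructed; the appliance default is local0 for all).
# Keys are syslog facility numbers, local0 = 16. System Logs have no Custom Format on
# the WAF, so none is listed for them below.
FACILITY_TO_LOG_TYPE = {16: "System", 17: "Web Firewall", 18: "Access", 19: "Audit"}

# Custom Format strings assembled from the %-tokens of Table 15.4 (constructed examples).
FORMATS = {
    "Web Firewall": "%t %un %lt %sl %ad %ci %cp %ai %ap %ri %at %m %u %p",
    "Access": "%t %un %lt %ai %ap %ci %cp %m %p %h %v %s %bs %br %tt",
    "Audit": "%t %un %lt %an %ct %li %lp %trt %tri %cn %cht %ot %on",
}

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)  # RFC 3164 PRI = facility * 8 + severity
_TOKEN_RE = re.compile(r"%[a-z]+")

def compile_format(fmt):
    """Regex for a Custom Format string, one named group per %token. Assumption (not
    on the page): fields are space separated; a value with spaces is double-quoted."""
    pattern, pos = "", 0
    for m in _TOKEN_RE.finditer(fmt):
        pattern += re.escape(fmt[pos:m.start()])
        pattern += r'(?P<%s>"[^"]*"|\S+)' % m.group()[1:]
        pos = m.end()
    return re.compile("^" + pattern + re.escape(fmt[pos:]) + "$")

def parse_syslog_line(line):
    """Return (log_type, severity, fields) for one datagram as the WAF would send it.
    Assumption: the text after the PRI is the formatted message itself."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing syslog PRI")
    facility, severity = divmod(int(m.group(1)), 8)
    log_type = FACILITY_TO_LOG_TYPE.get(facility)
    if log_type not in FORMATS:
        raise ValueError("no Custom Format known for facility %d" % facility)
    fm = compile_format(FORMATS[log_type]).match(m.group(2).strip())
    if not fm:
        raise ValueError("message does not match the %s Custom Format" % log_type)
    return log_type, severity, {k: v.strip('"') for k, v in fm.groupdict().items()}

# Constructed sample datagrams: local1/alert (17*8+1 = 137) and local2/info (18*8+6 = 150).
SAMPLE_WF = ('<137>"2012-01-05 10:22:33" waf01 WF ALERT "SQL injection in parameter" '
             '203.0.113.7 51234 192.0.2.10 80 sqli-param-rule DENY GET /login.php HTTP')
SAMPLE_ACCESS = ('<150>"2012-01-05 10:22:34" waf01 TR 192.0.2.10 80 203.0.113.7 51235 '
                 'GET HTTP www.example.com HTTP/1.1 200 512 348 12')
```

A datagram whose facility was left at the local0 default, or one that does not match the expected Custom Format, is rejected rather than silently mis-filed, which is the failure a shared-facility setup produces on the server side.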

Reports

You can configure and generate reports of various types, based on all logged information, which help manage day-to-day operation. Barracuda Web Application Firewall reports are broadly classified into four functional groups, each containing a predefined set of report types. Select a Report Group, then a corresponding Report Type from the drop-down list. The four report groups are:

Security and Traffic Reports

Security and Traffic reports contain the Web attack prevention activity performed by the Barracuda Web Application Firewall. Note: Some report types (namely Top Clients by Bandwidth, Top URL by Bandwidth, Top Domains by Bandwidth, Top Services by Bandwidth, and Top Entry Pages) will not include data for URLs of files with the extensions jpg, png, gif, ico, css, or js.

Audit Reports

Audit reports contain server details and the login/logout activities performed by different user roles.

Config Summary Reports

Config Summary reports contain:

• Performance of the Barracuda Web Application Firewall features such as Load Balancing, Rate Control, Learning, etc.

• Details of the digital certificates like issuing date, expiry date, and associated services.

• Details of accounts, their users, privileges assigned to them, permitted operations, etc.

PCI Reports

PCI reports detail compliance with PCI (Payment Card Industry) standards and display:

• Combined details of the PCI attacks such as top attacking Clients, and top attacked Services, Domains, and URLs.

• Details of the PCI directives and the Barracuda Web Application Firewall compliance with those directives.
