Barracuda CloudGen Firewall integration
| | |
| --- | --- |
| Version | 1.14.0 |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types | Security, Observability |
| Subscription level | Basic |
| Level of support | Elastic |
This integration ingests and parses logs from Barracuda CloudGen Firewalls.

Barracuda CloudGen Firewall can stream event logs from Firewall Insights to Elastic Agent. These logs cover firewall activity and threat events, plus the network, version, and location of the managed firewall units. Data is sent to Elastic Agent over a TCP connection using CloudGen Firewall's built-in generic Logstash output; on the Elastic Agent side the integration receives it with the Lumberjack (Beats protocol) input, which is why ingested events carry `input.type: lumberjack`. Because this is a network listener that accepts events from any peer that can reach it, enable TLS on the input and, where possible, client certificate verification, so that only your firewalls can submit log data; the `labels.origin_client_subject` field listed below records the verified client certificate subject when mutual TLS is in use.

For a detailed walk-through of the setup steps, see Barracuda's How to Enable Filebeat Stream to a Logstash Pipeline. Those steps were written with a Logstash server as the intended destination; wherever they reference the "Hostname", use the address and port of the Elastic Agent that is running this integration instead. Logstash is not used as part of this integration.
This is the Barracuda CloudGen Firewall `log` dataset. Below is a sample event and a list of the fields it can produce.

**Example**

An example event for `log` looks as follows:

```json
{
  "@timestamp": "2020-11-24T15:02:21.000Z",
  "agent": {
    "ephemeral_id": "b620e757-d3b2-4b59-8c2b-cce4d2f17081",
    "id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
    "name": "docker-fleet-agent",
    "type": "filebeat",
    "version": "8.5.0"
  },
  "barracuda_cloudgen_firewall": {
    "log": {
      "app_rule": "<App>:ALL-APPS",
      "fw_info": 2007
    }
  },
  "data_stream": {
    "dataset": "barracuda_cloudgen_firewall.log",
    "namespace": "ep",
    "type": "logs"
  },
  "destination": {
    "address": "67.43.156.78",
    "as": {
      "number": 35908
    },
    "bytes": 561503,
    "geo": {
      "continent_name": "Asia",
      "country_iso_code": "BT",
      "country_name": "Bhutan",
      "location": {
        "lat": 27.5,
        "lon": 90.5
      }
    },
    "ip": "67.43.156.78",
    "mac": "00-0C-29-00-D6-00",
    "nat": {
      "ip": "67.43.156.100"
    },
    "packets": 439,
    "port": 443
  },
  "ecs": {
    "version": "8.11.0"
  },
  "elastic_agent": {
    "id": "70e82165-776e-4b35-98b8-b0c9491f4b6e",
    "snapshot": true,
    "version": "8.5.0"
  },
  "event": {
    "action": "End",
    "agent_id_status": "verified",
    "category": [
      "network"
    ],
    "dataset": "barracuda_cloudgen_firewall.log",
    "duration": -153934592,
    "ingested": "2022-09-21T13:30:52Z",
    "kind": "event",
    "type": [
      "end"
    ]
  },
  "input": {
    "type": "lumberjack"
  },
  "labels": {
    "origin_address": "172.20.0.4:34752"
  },
  "network": {
    "community_id": "1:HGU1tX9W2VUF5ND2ey3X6Niv/AQ=",
    "iana_number": "6",
    "transport": "tcp",
    "type": "ipv4"
  },
  "observer": {
    "egress": {
      "interface": {
        "name": "eth0"
      }
    },
    "hostname": "cgf-scout-int",
    "ingress": {
      "interface": {
        "name": "eth0"
      }
    },
    "product": "ngfw",
    "serial_number": "4f94abdf7a8c465fa2cd76f680ecafd1",
    "type": "firewall",
    "vendor": "Barracuda"
  },
  "related": {
    "ip": [
      "10.17.35.171",
      "67.43.156.78"
    ]
  },
  "rule": {
    "name": "BOX-LAN-2-INTERNET"
  },
  "source": {
    "address": "10.17.35.171",
    "bytes": 7450,
    "ip": "10.17.35.171",
    "mac": "00-0C-29-9A-0A-78",
    "nat": {
      "ip": "10.17.35.175"
    },
    "packets": 129,
    "port": 40532
  },
  "tags": [
    "barracuda_cloudgen_firewall-log",
    "forwarded"
  ]
}
```
**Exported fields**
| Field | Description | Type |
| --- | --- | --- |
| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
| barracuda_cloudgen_firewall.log.app_rule | Application rule name (e.g. `<App>:ALL-APPS`). | keyword |
| barracuda_cloudgen_firewall.log.fw_info | Numeric code giving detailed information about the action performed by the firewall; the meaning of each code is documented by Barracuda. | long |
| barracuda_cloudgen_firewall.log.traffic_type | Always "0". | long |
| barracuda_cloudgen_firewall.log.user_type | User type of the web log: 1 if "user" is a username, 0 if "user" is an IP address. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset. | constant_keyword |
| event.module | Event module. | constant_keyword |
| input.type | Type of Filebeat input. | keyword |
| labels.origin_address | Remote address (IP and port) of the sender the log was received from. | keyword |
| labels.origin_client_subject | Distinguished name of the subject of the X.509 certificate presented by the origin client when mutual TLS is enabled. | keyword |
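The fields above are enough to do two checks a practitioner usually wants once these events are in Elasticsearch: confirm that each event really came from one of your firewalls (via `labels.origin_address` and, with mutual TLS, `labels.origin_client_subject`), and sum outbound bytes per rule and internal host from session `End` records to spot unusually large transfers. The script below is an added example that does both over constructed events; it is not Elastic's or Barracuda's code. The event contents, the firewall address allowlist (`FIREWALL_ADDRESSES`), the internal prefixes (`INTERNAL_NETS`) and the byte threshold are all assumptions made for the example.

```python
"""Post-ingest checks over Barracuda CloudGen Firewall events in the ECS shape
shown on this page.  Added example, not Elastic or Barracuda code; the events,
firewall addresses and internal prefixes below are constructed assumptions."""
import ipaddress

# Assumption: management addresses of the CloudGen units allowed to send logs.
FIREWALL_ADDRESSES = {"172.20.0.4"}
# Assumption: what "internal" means for this network (RFC 1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events, trimmed to the fields the checks use and modelled
# on the sample event above (values are invented, not captured traffic).
EVENTS = [
    {"event": {"action": "End"},                       # normal session end
     "labels": {"origin_address": "172.20.0.4:34752",
                "origin_client_subject": "CN=cgf-scout-int,O=Example"},
     "rule": {"name": "BOX-LAN-2-INTERNET"},
     "source": {"ip": "10.17.35.171", "bytes": 7450},
     "destination": {"ip": "67.43.156.78", "bytes": 561503, "port": 443}},
    {"event": {"action": "End"},                       # large upload, same host
     "labels": {"origin_address": "172.20.0.4:34752",
                "origin_client_subject": "CN=cgf-scout-int,O=Example"},
     "rule": {"name": "BOX-LAN-2-INTERNET"},
     "source": {"ip": "10.17.35.171", "bytes": 80_000_000},
     "destination": {"ip": "203.0.113.10", "bytes": 12_000, "port": 443}},
    {"event": {"action": "Start"},                     # no final counters yet
     "labels": {"origin_address": "172.20.0.4:34752",
                "origin_client_subject": "CN=cgf-scout-int,O=Example"},
     "rule": {"name": "BOX-LAN-2-INTERNET"},
     "source": {"ip": "10.17.35.171"},
     "destination": {"ip": "203.0.113.10", "port": 443}},
    {"event": {"action": "End"},                       # sender is not our firewall
     "labels": {"origin_address": "192.0.2.99:51000"},
     "rule": {"name": "BOX-LAN-2-INTERNET"},
     "source": {"ip": "10.0.0.5", "bytes": 500},
     "destination": {"ip": "198.51.100.7", "bytes": 500, "port": 80}},
]


def field(event, path, default=None):
    """Walk a dotted ECS path ("source.ip") through the nested dicts."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def sender_ip(origin_address):
    """Strip the port from labels.origin_address; handles "[v6]:port" too."""
    host, sep, _ = origin_address.rpartition(":")
    return host.strip("[]") if sep else origin_address


def origin_problem(event, allowed=FIREWALL_ADDRESSES, require_mtls=True):
    """Why this event's sender should not be trusted, or None if it is fine.
    Only meaningful when the Lumberjack listener runs TLS with client
    verification; otherwise origin_address is just the TCP peer address."""
    origin = field(event, "labels.origin_address", "")
    if sender_ip(origin) not in allowed:
        return f"unexpected sender {origin or '<none>'}"
    if require_mtls and not field(event, "labels.origin_client_subject"):
        return f"no client certificate subject from {origin}"
    return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def internal_to_external_egress(events, allowed=FIREWALL_ADDRESSES):
    """Bytes sent by internal hosts to external destinations, keyed by
    (rule.name, source.ip).  Uses only "End" records from trusted senders,
    because those carry the session's final byte counters."""
    totals = {}
    for ev in events:
        if origin_problem(ev, allowed) or field(ev, "event.action") != "End":
            continue
        src, dst = field(ev, "source.ip"), field(ev, "destination.ip")
        if src is None or dst is None or not is_internal(src) or is_internal(dst):
            continue
        key = (field(ev, "rule.name", "?"), src)
        totals[key] = totals.get(key, 0) + int(field(ev, "source.bytes", 0))
    return totals


def exfil_candidates(events, threshold_bytes=50_000_000):
    """(rule, host) pairs whose outbound volume crossed the threshold."""
    totals = internal_to_external_egress(events)
    return sorted(k for k, v in totals.items() if v >= threshold_bytes)


if __name__ == "__main__":
    for ev in EVENTS:
        problem = origin_problem(ev)
        if problem:
            print("untrusted event:", problem)
    for (rule, host), total in internal_to_external_egress(EVENTS).items():
        print(f"{rule} {host}: {total} bytes out")
    print("exfil candidates:", exfil_candidates(EVENTS))
```

Two design points carry over to a real deployment: the origin check rejects events before they are counted, so a host that can reach the listener cannot inflate or hide another host's totals, but it only proves anything when the listener verifies client certificates; and only `End` records are summed, because the `Start` record of a session has no meaningful byte counters and summing both would double-count once the session closes.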
**Changelog**

| Version | Details | Kibana version(s) |
| --- | --- | --- |
| 1.14.0 | Enhancement: Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". | 8.13.0 or higher |
| 1.13.0 | Enhancement: Allow @custom pipeline access to event.original without setting preserve_original_event. | 8.13.0 or higher |
| 1.12.0 | Enhancement: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. | 8.13.0 or higher |
| 1.11.0 | Enhancement: Update manifest format version to v3.0.3. | 8.5.0 or higher |
| 1.10.1 | Enhancement: Changed owners. | 8.5.0 or higher |
| 1.10.0 | Enhancement: ECS version updated to 8.11.0. | 8.5.0 or higher |
| 1.9.0 | Enhancement: Improve event.original check to avoid errors if set. | 8.5.0 or higher |
| 1.8.0 | Enhancement: ECS version updated to 8.10.0. | 8.5.0 or higher |
| 1.7.0 | Enhancement: The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added owner.type: elastic to package manifest. | 8.5.0 or higher |
| 1.6.0 | Enhancement: Add tags.yml file so that the integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. | 8.5.0 or higher |
| 1.5.0 | Enhancement: Update package to ECS 8.9.0. | 8.5.0 or higher |
| 1.4.0 | Enhancement: Ensure event.kind is correctly set for pipeline errors. | 8.5.0 or higher |
| 1.3.0 | Enhancement: Update package to ECS 8.8.0. | 8.5.0 or higher |
| 1.2.0 | Enhancement: Update package-spec version to 2.7.0. | 8.5.0 or higher |
| 1.1.0 | Enhancement: Update package to ECS 8.7.0. | 8.5.0 or higher |
| 1.0.0 | Enhancement: Release Barracuda CloudGen Firewall as GA. | 8.5.0 or higher |
| 0.3.1 | Enhancement: Added categories and/or subcategories. | — |
| 0.3.0 | Enhancement: Update package to ECS 8.6.0. | — |
| 0.2.0 | Enhancement: Update package to ECS 8.5.0. | — |
| 0.1.0 | Enhancement: Initial release. | — |