How do I configure remote syslog logging for a Barracuda Firewall?

This article walks through the steps to configure Barracuda firewalls to send syslog messages to the RocketAgent Syslog Server.

The following steps are performed from the Barracuda Firewall Management Interface.

Enable Audit Logs

Activate the generation of Firewall Audit data:

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > General Firewall Configuration.
  2. In the left menu, select Audit and Reporting.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.
  5. In the Log Policy section enable Generate Audit Log.
  6. Click Set next to Audit Log Data.
  7. From the Audit Delivery list, select how audit log data is stored or processed.
  8. Select Syslog-Proxy from the Audit Delivery drop-down.
  9. Click OK.
  10. Click Send Changes and Activate.

Enable the Syslog Service

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. Click Lock.
  3. Set Enable Syslog Streaming to yes.
  4. Click Send Changes and Activate.

Configure Logdata Filters

Define profiles specifying the log file types to be transferred / streamed to the RocketAgent.

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logdata Filters.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.
  5. Click the + icon to add a new entry. 
  6. Enter RocketCyber in the Filters dialog and click OK.
  7. In the Data Selection table, add the log files to be streamed. Select:
    • Firewall_Audit_Log – The log contents of the firewall's machine-readable audit data stream. Whether data is streamed into the Firewall_Audit_Log has to be configured in the General Firewall Configuration settings on box level, section Audit Log Handling > Audit-Delivery: Syslog-Proxy (see: FW Audit). The log instance name corresponding to the Syslog-Proxy selection will be trans7.
    • Panic_log – The log contents of the panic log (log instance name: panic).

      When Log-File is selected in the firewall's configuration, the data will go into a log file named Box->Firewall->audit (which means the instance is named box_Firewall_audit) and thus this filter setting is not applicable. The pertinent one then would be a selection of category Firewall within the box selection portion of the filter.

  8. In the Affected Box Logdata section, define what kind of box logs are to be affected by the syslog daemon from the Data Selection list.
  9. Choose Selection (default):
    1. Click the + icon next to Data Selection to add an entry.
    2. Enter a descriptive name for the group and click OK. The Data Selection window opens.
    3. In the Log Groups table, select Other and specify the following:
      AuthEvent
      Firewall
      Network
      SSH
      virscan
      proxy
      sslprx
      cofs
      spamfilter
      sshprx
      vpnserver
    4. (Optional) Set a Log Message Filter. When choosing Selection:
      • Add the explicit log type to the Selected Message Types table.
    5. Click OK.
  10. In the Affected Service Logdata section, define what kind of logs created by services are to be sent by the syslog daemon from the Data Selection list.
  11. Choose Selection (default):
    1. Click the + icon next to Data Selection to add an entry.
    2. Enter a descriptive name for the group and click OK. The Data Selection window opens.
    3. In the Log Groups table, select Other and specify the following:

      virscan_cas
      firewall_auth
      firewall_Rule*
    4. (Optional) Set a Log Message Filter. When choosing Selection:
      • Add the explicit log type to the Selected Message Types table.
    5. Click OK.
  12. Click Send Changes and Activate.

Configure Logstream Destinations

  1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
  2. In the left menu, select Logstream Destinations.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.
  5. Click the + icon to add a new entry.
  6. Enter RocketCyber in the upcoming dialog and click OK. The Destinations window opens.
  7. Select the Logstream Destination. When an external log host is used:
    1. Select Explicit IP.
    2. Enter the destination IP address in the Destination IP Address field. This is the IP address of the RocketAgent Syslog Server.
  8. For the Destination Port for delivering syslog messages, enter 514. This is the default port that the RocketCyber Syslog Server listens on.
  9. Select the Transmission Mode UDP.
  10. Click OK.
  11. Click Send Changes and Activate.
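
UDP transmission gives no delivery confirmation, so it is worth checking that datagrams from the firewall actually reach the syslog host on port 514. The listener below is an added example, not part of the original article or of any Barracuda or RocketCyber tooling; it counts received datagrams per sender and syslog severity. The firewall address 192.0.2.1, the function names and the sample messages are constructed assumptions, and the port must be free while it listens (the RocketAgent Syslog Server normally holds it).

```python
import re
import socket
import time
from collections import Counter

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")  # syslog priority header: facility * 8 + severity
# Constructed datagrams for an offline dry run; not real Barracuda output.
SAMPLE = [("192.0.2.1", b"<134>constructed info message"),
          ("192.0.2.1", b"<131>constructed error message"),
          ("192.0.2.1", b"no priority header"),
          ("198.51.100.7", b"<14>constructed message from another host")]

def parse_pri(datagram):
    """Return (facility, severity, body), or None without a valid <PRI> header."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else 999  # 999 marks a missing header
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        return None
    return pri >> 3, SEVERITIES[pri & 7], datagram[m.end():].decode("utf-8", "replace").strip()

def summarize(received, firewall_ip):
    """Count the firewall's datagrams by severity; tally malformed and foreign ones."""
    stats = {"by_severity": Counter(), "malformed": 0, "other_senders": Counter()}
    for src_ip, datagram in received:
        if src_ip != firewall_ip:
            stats["other_senders"][src_ip] += 1
        elif (parsed := parse_pri(datagram)) is None:
            stats["malformed"] += 1
        else:
            stats["by_severity"][parsed[1]] += 1
    return stats

def listen(bind_ip="0.0.0.0", port=514, seconds=30):
    """Collect (source_ip, datagram) pairs arriving over UDP during a fixed window."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))  # binding below port 1024 usually needs privileges
        sock.settimeout(1.0)
        deadline = time.monotonic() + seconds
        while time.monotonic() < deadline:
            try:
                data, addr = sock.recvfrom(65535)
                received.append((addr[0], data))
            except socket.timeout:
                pass
    return received

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.0.2.1"))  # offline dry run; live: summarize(listen(), firewall_ip)
```

An empty by_severity count after a live run means nothing arrived from the firewall within the window; entries under other_senders show hosts other than the expected firewall sending to the port.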