
Add audit and system logs
bhapas committed Mar 30, 2023
1 parent 190acd2 commit 8f8f517
Showing 18 changed files with 1,195 additions and 3 deletions.
10 changes: 9 additions & 1 deletion packages/barracuda/_dev/deploy/docker/sample_logs/barracuda.log
Expand Up @@ -5,4 +5,12 @@
<129>2023-03-01 14:54:44.502 +0100 barracuda WF ALER UNKNOWN_CONTENT_TYPE 193.56.29.26 61507 10.9.0.4 443 Hackazon:adaptive_url_42099b4af021e53fd8fd URL_PROFILE LOG NONE [Content-type\="application/x-www-form-urlencoded"] POST / TLSv1.2 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30" 20.88.228.79 61507 "-" "-" 1869d743696-dfcf8d96
<129>2023-03-09 13:56:18.404 +0100 barracuda NF ALER TCP 172.105.128.11 57296 10.9.0.4 80 DENY SSH_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
<134>2023-03-20 17:22:36.102 +0100 barracuda TR 81.2.69.144 443 89.160.20.112 65483 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 404 791 240 0 0 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /sendgrid.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 65483 "-" "-" "-" "-" 186ffd46946-e5bacdd0
<129>2023-03-09 13:22:20.996 +0100 barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
<129>2023-03-09 13:22:20.996 +0100 barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
<134>2023-03-30 03:11:07.915 +0200 barracuda SYS APS INFO 19034 Num clients to walk : 0
<133>2023-03-30 03:02:21.053 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table
<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading
<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xce04b10)
<133>2023-03-30 03:00:49.732 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table
<134>2023-03-30 02:53:07.902 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one
<134>2023-03-29 16:26:13.484 +0200 barracuda AUDIT elastic GUI 31.208.15.130 64197 LOGIN 0 login global - - "" "" []
<134>2023-03-29 16:23:51.998 +0200 barracuda AUDIT elastic GUI 31.208.15.130 63685 LOGOUT 0 logout global - - "" "" []
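Review bot: The two AUDIT sample lines at the end of this hunk carry the client address 31.208.15.130, while the pipeline test sample added for the same LOGIN/LOGOUT events uses the GeoIP documentation address 81.2.69.144; sample data shipped in the package should stay on documentation or test ranges so that no real address is published with it. Replacing the address on both lines with `81.2.69.144` also keeps the docker sample consistent with the pipeline test input. The two identical NF lines in the middle of the hunk look like a trailing-newline change rather than a genuine duplicate; if that is not the case, one of them can be dropped.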
5 changes: 5 additions & 0 deletions packages/barracuda/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.0.1"
changes:
- description: Add system log and audit log support
type: enhancement
link: https://github.com/elastic/integrations/pull/5746
- version: "1.0.0"
changes:
- description: Upgrade the Barracuda WAF data_stream and remove spamfirewall data_stream
@@ -0,0 +1,2 @@
<134>2023-03-29 16:24:13.484 +0200 barracuda AUDIT elastic GUI 81.2.69.144 64197 LOGIN 0 login global - - "" "" []
<134>2023-03-29 16:23:51.998 +0200 barracuda AUDIT elastic GUI 81.2.69.144 63685 LOGOUT 0 logout global - - "" "" []
@@ -0,0 +1,3 @@
fields:
tags:
- preserve_original_event
@@ -0,0 +1,122 @@
{
"expected": [
{
"@timestamp": "2023-03-29T14:24:13.484Z",
"barracuda": {
"waf": {
"client_type": "GUI",
"command_name": "login",
"log_type": "AUDIT",
"object_type": "global",
"transaction_id": 0,
"transaction_type": "LOGIN",
"unit_name": "barracuda"
}
},
"client": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.144",
"port": 64197,
"user": {
"name": "elastic"
}
},
"ecs": {
"version": "8.6.0"
},
"event": {
"category": [
"authentication",
"configuration"
],
"created": "2023-03-29T14:24:13.484Z",
"kind": "event",
"original": "\u003c134\u003e2023-03-29 16:24:13.484 +0200 barracuda AUDIT elastic GUI 81.2.69.144 64197 LOGIN 0 login global - - \"\" \"\" []",
"type": [
"access"
]
},
"related": {
"ip": [
"81.2.69.144"
],
"user": [
"elastic"
]
},
"tags": [
"preserve_original_event"
]
},
{
"@timestamp": "2023-03-29T14:23:51.998Z",
"barracuda": {
"waf": {
"client_type": "GUI",
"command_name": "logout",
"log_type": "AUDIT",
"object_type": "global",
"transaction_id": 0,
"transaction_type": "LOGOUT",
"unit_name": "barracuda"
}
},
"client": {
"geo": {
"city_name": "London",
"continent_name": "Europe",
"country_iso_code": "GB",
"country_name": "United Kingdom",
"location": {
"lat": 51.5142,
"lon": -0.0931
},
"region_iso_code": "GB-ENG",
"region_name": "England"
},
"ip": "81.2.69.144",
"port": 63685,
"user": {
"name": "elastic"
}
},
"ecs": {
"version": "8.6.0"
},
"event": {
"category": [
"authentication",
"configuration"
],
"created": "2023-03-29T14:23:51.998Z",
"kind": "event",
"original": "\u003c134\u003e2023-03-29 16:23:51.998 +0200 barracuda AUDIT elastic GUI 81.2.69.144 63685 LOGOUT 0 logout global - - \"\" \"\" []",
"type": [
"access"
]
},
"related": {
"ip": [
"81.2.69.144"
],
"user": [
"elastic"
]
},
"tags": [
"preserve_original_event"
]
}
]
}
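Review bot: The expected output for the AUDIT LOGIN and LOGOUT events records the admin account only under client.user.name and related.user and sets no top-level user.name, event.action or event.outcome, while event.type is access; detection content for the authentication category generally keys on user.name, event.outcome and event.type start/end, so these events would not be recognised as logins. ECS lists start, end and info as the expected event.type values for event.category authentication, with event.outcome success/failure/unknown. The ingest pipeline that produces this output is not in this view, so this may be a deliberate first cut; if not, populating `user.name` from the admin field and deriving `event.type` start/end from the LOGIN/LOGOUT transaction type, then regenerating this file, would close the gap.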
@@ -0,0 +1,9 @@
<134>2023-03-30 03:11:07.915 +0200 barracuda SYS APS INFO 19034 Num clients to walk : 0
<133>2023-03-30 03:02:21.053 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table
<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading
<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xce04b10)
<133>2023-03-30 03:00:49.732 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table
<134>2023-03-30 02:53:07.902 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one
<134>2023-03-30 02:31:27.553 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] EvalClientBehaviour: Found the entry 0x7fd2c7caefc0 and captcha entry 0x0 and temp entry 0x0, run idx 0
<133>2023-03-30 02:18:21.494 +0200 barracuda SYS APS NOTI 19034 Num clients walked and displayed : 1
<129>2023-03-30 02:00:56.026 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xbb6cd88)
@@ -0,0 +1,3 @@
fields:
tags:
- preserve_original_event
