diff --git a/packages/barracuda/_dev/deploy/docker/sample_logs/barracuda.log b/packages/barracuda/_dev/deploy/docker/sample_logs/barracuda.log
index bc8eded0b0ee..847a01ce4e97 100644
--- a/packages/barracuda/_dev/deploy/docker/sample_logs/barracuda.log
+++ b/packages/barracuda/_dev/deploy/docker/sample_logs/barracuda.log
@@ -5,4 +5,12 @@
 <129>2023-03-01 14:54:44.502 +0100 barracuda WF ALER UNKNOWN_CONTENT_TYPE 193.56.29.26 61507 10.9.0.4 443 Hackazon:adaptive_url_42099b4af021e53fd8fd URL_PROFILE LOG NONE [Content-type\="application/x-www-form-urlencoded"] POST / TLSv1.2 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30" 20.88.228.79 61507 "-" "-" 1869d743696-dfcf8d96
 <129>2023-03-09 13:56:18.404 +0100 barracuda NF ALER TCP 172.105.128.11 57296 10.9.0.4 80 DENY SSH_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
 <134>2023-03-20 17:22:36.102 +0100 barracuda TR 81.2.69.144 443 89.160.20.112 65483 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 404 791 240 0 0 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /sendgrid.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 65483 "-" "-" "-" "-" 186ffd46946-e5bacdd0
-<129>2023-03-09 13:22:20.996 +0100 barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
\ No newline at end of file
+<129>2023-03-09 13:22:20.996 +0100 barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
+<134>2023-03-30 03:11:07.915 +0200 barracuda SYS APS INFO 19034 Num clients to walk : 0
+<133>2023-03-30 03:02:21.053 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table
+<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading
+<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. 
Error: HASH(0xce04b10)
+<133>2023-03-30 03:00:49.732 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table
+<134>2023-03-30 02:53:07.902 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one
+<134>2023-03-29 16:26:13.484 +0200 barracuda AUDIT elastic GUI 31.208.15.130 64197 LOGIN 0 login global - - "" "" []
+<134>2023-03-29 16:23:51.998 +0200 barracuda AUDIT elastic GUI 31.208.15.130 63685 LOGOUT 0 logout global - - "" "" []
diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml
index f76a2dc8d675..e5a1c9899464 100644
--- a/packages/barracuda/changelog.yml
+++ b/packages/barracuda/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+ changes:
+ - description: Add system log and audit log support
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5746
 - version: "1.0.0"
 changes:
 - description: Upgrade the Barracuda WAF data_stream and remove spamfirewall data_stream
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log
new file mode 100644
index 000000000000..02c1f654baeb
--- /dev/null
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log
@@ -0,0 +1,2 @@
+<134>2023-03-29 16:24:13.484 +0200 barracuda AUDIT elastic GUI 81.2.69.144 64197 LOGIN 0 login global - - "" "" []
+<134>2023-03-29 16:23:51.998 +0200 barracuda AUDIT elastic GUI 81.2.69.144 63685 LOGOUT 0 logout global - - "" "" []
\ No newline at end of file
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-config.yml b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-config.yml
new file mode 100644
index 000000000000..4da226416540
--- /dev/null
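Review bot: The two AUDIT lines added to the Docker sample `barracuda.log` record `31.208.15.130` as the administrator's login address, a routable public address that is not in any documentation range, while the new pipeline fixture `test-audit.log` uses `81.2.69.144` for the same two events. Sample data shipped with the package is replayed by anyone who runs the Docker sample stream, so it should not point at an address that may belong to an unrelated party; I'd change both lines to the fixture's `81.2.69.144` so the sample and the test agree. The other public addresses in this file are pre-existing context lines, not part of this change.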
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json
new file mode 100644
index 000000000000..73bcaec34005
--- /dev/null
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json
@@ -0,0 +1,122 @@ +{ + "expected": [ + { + "@timestamp": "2023-03-29T14:24:13.484Z", + "barracuda": { + "waf": { + "client_type": "GUI", + "command_name": "login", + "log_type": "AUDIT", + "object_type": "global", + "transaction_id": 0, + "transaction_type": "LOGIN", + "unit_name": "barracuda" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 64197, + "user": { + "name": "elastic" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "authentication", + "configuration" + ], + "created": "2023-03-29T14:24:13.484Z", + "kind": "event", + "original": "\u003c134\u003e2023-03-29 16:24:13.484 +0200 barracuda AUDIT elastic GUI 81.2.69.144 64197 LOGIN 0 login global - - \"\" \"\" []", + "type": [ + "access" + ] + }, + "related": { + "ip": [ + "81.2.69.144" + ], + "user": [ + "elastic" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-29T14:23:51.998Z", + "barracuda": { + "waf": { + "client_type": "GUI", + "command_name": "logout", + "log_type": "AUDIT", + "object_type": "global", + "transaction_id": 0, + "transaction_type": "LOGOUT", + "unit_name": "barracuda" + } + }, + "client": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.144", + "port": 63685, + "user": { + "name": "elastic" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "authentication", + "configuration" + ], + "created": "2023-03-29T14:23:51.998Z", + "kind": "event", + "original": "\u003c134\u003e2023-03-29 16:23:51.998 +0200 barracuda AUDIT elastic GUI 
81.2.69.144 63685 LOGOUT 0 logout global - - \"\" \"\" []",
+ "type": [
+ "access"
+ ]
+ },
+ "related": {
+ "ip": [
+ "81.2.69.144"
+ ],
+ "user": [
+ "elastic"
+ ]
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log
new file mode 100644
index 000000000000..b7efcd34e78b
--- /dev/null
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log
@@ -0,0 +1,9 @@
+<134>2023-03-30 03:11:07.915 +0200 barracuda SYS APS INFO 19034 Num clients to walk : 0
+<133>2023-03-30 03:02:21.053 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table
+<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading
+<129>2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xce04b10)
+<133>2023-03-30 03:00:49.732 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table
+<134>2023-03-30 02:53:07.902 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one
+<134>2023-03-30 02:31:27.553 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] EvalClientBehaviour: Found the entry 0x7fd2c7caefc0 and captcha entry 0x0 and temp entry 0x0, run idx 0
+<133>2023-03-30 02:18:21.494 +0200 barracuda SYS APS NOTI 19034 Num clients walked and displayed : 1
+<129>2023-03-30 02:00:56.026 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xbb6cd88)
\ No newline at end of file
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-config.yml b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-config.yml
new file mode 100644
index 000000000000..4da226416540
--- /dev/null
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json
new file mode 100644
index 000000000000..887e2cea8e5d
--- /dev/null
+++ b/packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-expected.json
@@ -0,0 +1,292 @@ +{ + "expected": [ + { + "@timestamp": "2023-03-30T01:11:07.915Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 19034, + "event_message": "Num clients to walk : 0", + "name": "APS" + }, + "severity_level": "INFO", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T01:11:07.915Z", + "kind": "event", + "original": "\u003c134\u003e2023-03-30 03:11:07.915 +0200 barracuda SYS APS INFO 19034 Num clients to walk : 0", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T01:02:21.053Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 19034, + "event_message": "Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table", + "name": "APS" + }, + "severity_level": "NOTI", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T01:02:21.053Z", + "kind": "event", + "original": "\u003c133\u003e2023-03-30 03:02:21.053 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T01:00:56.251Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 62001, + "event_message": "Advanced Bot Protection Service [Provisioning] timed out. 
Error: Timed out while waiting for socket to become ready for reading", + "name": "ABP_SVC" + }, + "severity_level": "ALER", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T01:00:56.251Z", + "kind": "alert", + "original": "\u003c129\u003e2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T01:00:56.251Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 62004, + "event_message": "Failed to receive Symmetric key for Supply Chain. Error: HASH(0xce04b10)", + "name": "ABP_SVC" + }, + "severity_level": "ALER", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T01:00:56.251Z", + "kind": "alert", + "original": "\u003c129\u003e2023-03-30 03:00:56.251 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. 
Error: HASH(0xce04b10)", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T01:00:49.732Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 19034, + "event_message": "Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table", + "name": "APS" + }, + "severity_level": "NOTI", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T01:00:49.732Z", + "kind": "event", + "original": "\u003c133\u003e2023-03-30 03:00:49.732 +0200 barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T00:53:07.902Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 19032, + "event_message": "[10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one", + "name": "APS" + }, + "severity_level": "INFO", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T00:53:07.902Z", + "kind": "event", + "original": "\u003c134\u003e2023-03-30 02:53:07.902 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T00:31:27.553Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 19032, + "event_message": "[10.9.0.4:443] EvalClientBehaviour: Found the entry 0x7fd2c7caefc0 and captcha entry 0x0 and temp entry 0x0, run idx 0", + "name": "APS" + }, + "severity_level": "INFO", + "unit_name": "barracuda" + } + }, + "ecs": 
{ + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T00:31:27.553Z", + "kind": "event", + "original": "\u003c134\u003e2023-03-30 02:31:27.553 +0200 barracuda SYS APS INFO 19032 [10.9.0.4:443] EvalClientBehaviour: Found the entry 0x7fd2c7caefc0 and captcha entry 0x0 and temp entry 0x0, run idx 0", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T00:18:21.494Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 19034, + "event_message": "Num clients walked and displayed : 1", + "name": "APS" + }, + "severity_level": "NOTI", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T00:18:21.494Z", + "kind": "event", + "original": "\u003c133\u003e2023-03-30 02:18:21.494 +0200 barracuda SYS APS NOTI 19034 Num clients walked and displayed : 1", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-03-30T00:00:56.026Z", + "barracuda": { + "waf": { + "log_type": "SYS", + "module": { + "event_id": 62004, + "event_message": "Failed to receive Symmetric key for Supply Chain. Error: HASH(0xbb6cd88)", + "name": "ABP_SVC" + }, + "severity_level": "ALER", + "unit_name": "barracuda" + } + }, + "ecs": { + "version": "8.6.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-03-30T00:00:56.026Z", + "kind": "alert", + "original": "\u003c129\u003e2023-03-30 02:00:56.026 +0200 barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xbb6cd88)", + "type": [ + "info" + ] + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml
new file mode 100644
index 000000000000..161718a1f653
--- /dev/null
+++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml
@@ -0,0 +1,51 @@
+---
+description: Pipeline for processing audit logs
+processors:
+ - dissect:
+ field: _temp.remMessage
+ pattern: "%{client.user.name} %{barracuda.waf.client_type} %{_temp.clientIp} %{_temp.clientPort} %{barracuda.waf.transaction_type} %{barracuda.waf.transaction_id} %{barracuda.waf.command_name} %{barracuda.waf.change_type} %{barracuda.waf.object_type} %{barracuda.waf.object_name} %{barracuda.waf.variable} %{barracuda.waf.old_value} %{barracuda.waf.new_value} %{barracuda.waf.additional_data}"
+ - convert:
+ field: _temp.clientIp
+ target_field: client.ip
+ type: ip
+ ignore_missing: true
+ - convert:
+ field: _temp.clientPort
+ target_field: client.port
+ type: long
+ ignore_missing: true
+ - convert:
+ field: barracuda.waf.transaction_id
+ type: long
+ ignore_missing: true
+ - geoip:
+ field: client.ip
+ target_field: client.geo
+ ignore_missing: true
+ - append:
+ field: related.ip
+ value: "{{client.ip}}"
+ if: ctx.client?.ip != null
+ allow_duplicates: false
+ - append:
+ field: related.user
+ value: "{{client.user.name}}"
+ if: ctx.client?.user?.name != null
+ allow_duplicates: false
+ - set:
+ field: event.category
+ value: [authentication, configuration]
+ - set:
+ field: event.kind
+ value: event
+ - set:
+ field: event.type
+ value: [access]
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
index 840a1032aef1..ef0101f82a80 100644
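Review bot: None of the three `set` processors at the end of the pipeline writes `event.outcome`, so every audit event leaves with `event.category: [authentication, configuration]` and `event.type: [access]` but no success/failure signal, and a detection rule keyed on `event.category: authentication and event.outcome: failure` cannot use this data stream. For the two transaction types the fixtures cover, a conditional `set` after the `event.type` processor fills the gap (below); the `UNSUCCESSFUL LOGIN` value listed in fields.yml is the one that matters most for alerting, but it cannot be mapped yet because of the next point. Several documented transaction types contain spaces (`UNSUCCESSFUL LOGIN`, `FIRMWARE UPDATE`, `SUPPORT TUNNEL OPEN`); if the appliance emits them literally, the single-space `dissect` pattern shifts every following field and the `convert` of `barracuda.waf.transaction_id` to `long` fails into `on_failure`, so a fixture line with one of those values should be added to `test-audit.log` to settle how they are formatted before the pattern is relied on.

```yaml
  - set:
      field: event.outcome
      value: success
      if: ['LOGIN', 'LOGOUT'].contains(ctx.barracuda?.waf?.transaction_type)
  # … unchanged: on_failure handler …
```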
--- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml @@ -42,6 +42,12 @@ processors: - pipeline: name: '{{ IngestPipeline "access" }}' if: ctx.barracuda?.waf?.log_type != null && ctx.barracuda?.waf?.log_type == "TR" + - pipeline: + name: '{{ IngestPipeline "system" }}' + if: ctx.barracuda?.waf?.log_type != null && ctx.barracuda?.waf?.log_type == "SYS" + - pipeline: + name: '{{ IngestPipeline "audit" }}' + if: ctx.barracuda?.waf?.log_type != null && ctx.barracuda?.waf?.log_type == "AUDIT" ################################################################ ## Cleanup script to remove null, empty , '-' values in the document @@ -58,7 +64,7 @@ processors: handleList(x); } } - map.values().removeIf(v -> v == null || v == "" || v == "-" || v == "\"-\"" || ((v instanceof List || v instanceof Map) && v.isEmpty())); + map.values().removeIf(v -> v == null || v == "" || v == "\"\"" || v == "[]" || v == "-" || v == "\"-\"" || ((v instanceof List || v instanceof Map) && v.isEmpty())); } void handleList(List list) { for (def x : list) { diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml new file mode 100644 index 000000000000..d8c1601d4298 --- /dev/null +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml 
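Review bot: The `if` on the two new `pipeline` processors, `ctx.barracuda?.waf?.log_type != null && ctx.barracuda?.waf?.log_type == "SYS"`, carries a redundant first clause: the null-safe navigation already yields null when the path is absent and `null == "SYS"` is simply false in Painless, so `if: ctx.barracuda?.waf?.log_type == "SYS"` (and the `"AUDIT"` counterpart) expresses the same routing in one comparison. The pre-existing `access` routing uses the same long form, so keeping it for consistency is defensible; this is a readability point, not a defect.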
@@ -0,0 +1,33 @@
+---
+description: Pipeline for processing system logs
+processors:
+ - dissect:
+ field: _temp.remMessage
+ pattern: "%{barracuda.waf.module.name} %{barracuda.waf.severity_level} %{_temp.eventid} %{barracuda.waf.module.event_message}"
+ - convert:
+ field: "_temp.eventid"
+ target_field: "barracuda.waf.module.event_id"
+ type: long
+ ignore_missing: true
+ - set:
+ field: event.category
+ value: [configuration]
+ - set:
+ field: event.kind
+ value: alert
+ if: ctx.barracuda.waf?.severity_level != null && ["ALER", "EMER", "CRIT", "ALERT", "CRITICAL","EMERGENCY"].contains(ctx.barracuda.waf.severity_level)
+ - set:
+ field: event.kind
+ value: event
+ if: ctx.event?.kind == null
+ - set:
+ field: event.type
+ value: [info]
+
+on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/barracuda/data_stream/waf/fields/fields.yml b/packages/barracuda/data_stream/waf/fields/fields.yml
index d0d0709d265a..4d445d631fda 100644
--- a/packages/barracuda/data_stream/waf/fields/fields.yml
+++ b/packages/barracuda/data_stream/waf/fields/fields.yml
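Review bot: `barracuda.waf.severity_level` is read only to choose between `event.kind: alert` and `event`, and is never copied into `log.level`, so the ECS field that dashboards and alert rules use for severity stays empty for SYS events and an `ALER` line such as the ABP_SVC symmetric-key failure in `test-system.log` looks no different from an `INFO` line to them. A `set` processor with `field: log.level`, `copy_from: barracuda.waf.severity_level` and `ignore_empty_value: true` placed after the `dissect` would expose it without touching the existing `event.kind` logic. The condition `ctx.barracuda.waf?.severity_level != null` is also null-safe on `waf` but not on `barracuda`; the routing in default.yml spells the path `ctx.barracuda?.waf?.log_type`, and matching that form here avoids a null-pointer failure if this pipeline is ever invoked outside that routing.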
@@ -67,6 +67,30 @@
 - name: request_cookie
 description: Specifies whether the request is valid. Values:INVALID, VALID.
 type: keyword
+ - name: additional_data
+ description: Provides more information on the parameter changed.
+ type: keyword
+ - name: client_type
+ description: This indicates that GUI is used as client to access the Barracuda Web Application Firewall.
+ type: keyword
+ - name: command_name
+ description: The name of the command that was executed on the Barracuda Web Application Firewall.
+ type: keyword
+ - name: new_value
+ description: The value after modification.
+ type: keyword
+ - name: object_type
+ description: The type of the object that is being modified.
+ type: keyword
+ - name: old_value
+ description: The value before modification.
+ type: keyword
+ - name: transaction_id
+ description: Specifies the transaction ID for the transaction that makes the persistent change. Note:Events that do not change anything do not have a transaction ID. This is indicated by transaction ID of -1.
+ type: long
+ - name: transaction_type
+ description: Denotes the type of transaction done by the system administrator. Values:LOGIN, LOGOUT, CONFIG, COMMAND, ROLLBACK, RESTORE, REBOOT, SHUTDOWN, FIRMWARE UPDATE, ENERGIZE UPDATE, SUPPORT TUNNEL OPEN, SUPPORT TUNNEL CLOSED, FIRMWARE APPLY, FIRMWARE REVERT, TRANSPARENT MODE, UNSUCCESSFUL LOGIN, ADMIN ACCESS VIOLATION.
+ type: keyword
 - name: custom_header
 type: group
 fields:
@@ -79,3 +103,15 @@
 - name: connection
 description: The header connection in the Access Logs
 type: keyword
+ - name: module
+ type: group
+ fields:
+ - name: name
+ description: Denotes the name of the module that generated the logs.
+ type: keyword
+ - name: event_id
+ description: The event ID of the module.
+ type: long
+ - name: event_message
+ description: Denotes the log message for the event that occurred.
+ type: keyword
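Review bot: The first hunk declares eight new audit fields, but the `dissect` pattern in the new `audit.yml` also writes `barracuda.waf.change_type`, `barracuda.waf.object_name` and `barracuda.waf.variable`, none of which is mapped here (nor, consequently, in the README table). The LOGIN/LOGOUT fixtures carry only `-` or `""` in those positions, which the cleanup script in default.yml strips, so the gap does not surface in the pipeline tests; a CONFIG-type audit event would populate them and they would then be handled by dynamic mapping (or dropped or rejected, depending on the template's `dynamic` setting) instead of being indexed as declared keywords. Adding the three definitions alongside the others keeps the mapping in step with the pipeline; the descriptions below are placeholders to be aligned with the vendor's audit-log field reference.

```yaml
      - name: change_type
        description: The type of change made to the object.
        type: keyword
      - name: object_name
        description: The name of the object that is being modified.
        type: keyword
      - name: variable
        description: The variable that was changed.
        type: keyword
      # … unchanged: custom_header group …
```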
diff --git a/packages/barracuda/docs/README.md b/packages/barracuda/docs/README.md
index 08dbc743d724..f5eb0d41ee5d 100644
--- a/packages/barracuda/docs/README.md
+++ b/packages/barracuda/docs/README.md
@@ -97,15 +97,24 @@ An example event for `waf` looks as following:
 |---|---|---|
 | @timestamp | Event timestamp. | date |
 | barracuda.waf.action_taken | The appropriate action applied on the traffic. DENY - denotes that the traffic is denied. LOG - denotes monitoring of the traffic with the assigned rule. WARNING - warns about the traffic. | keyword |
+| barracuda.waf.additional_data | Provides more information on the parameter changed. | keyword |
 | barracuda.waf.attack_description | The name of the attack triggered by the request. | keyword |
 | barracuda.waf.attack_details | The details of the attack triggered by the request. | keyword |
 | barracuda.waf.authenticated_user | The username of the currently authenticated client requesting the web page. This is available only when the request is for a service that is using the AAA (Access Control) module. | keyword |
 | barracuda.waf.cache_hit | Specifies whether the response is served out of the Barracuda Web Application Firewall cache or from the backend server. Values:0 - if the request is fetched from the server and given to the user.1 - if the request is fetched from the cache and given to the user. | long |
+| barracuda.waf.client_type | This indicates that GUI is used as client to access the Barracuda Web Application Firewall. | keyword |
+| barracuda.waf.command_name | The name of the command that was executed on the Barracuda Web Application Firewall. | keyword |
 | barracuda.waf.custom_header.accept_encoding | The header Accept-Encoding in the Access Logs | keyword |
 | barracuda.waf.custom_header.connection | The header connection in the Access Logs | keyword |
 | barracuda.waf.custom_header.host | The header host in the Access Logs | keyword |
 | barracuda.waf.followup_action | The follow-up action as specified by the action policy. It can be either None or Locked in case the lockout is chosen. 
| keyword |
 | barracuda.waf.log_type | Specifies the type of log - Web Firewall Log, Access Log, Audit Log, Network Firewall Log or System Log - WF, TR, AUDIT, NF, SYS. | keyword |
+| barracuda.waf.module.event_id | The event ID of the module. | long |
+| barracuda.waf.module.event_message | Denotes the log message for the event that occurred. | keyword |
+| barracuda.waf.module.name | Denotes the name of the module that generated the logs. | keyword |
+| barracuda.waf.new_value | The value after modification. | keyword |
+| barracuda.waf.object_type | The type of the object that is being modified. | keyword |
+| barracuda.waf.old_value | The value before modification. | keyword |
 | barracuda.waf.policy | The ACL policy (Allow or Deny) applied to this ACL rule. | keyword |
 | barracuda.waf.profile_matched | Specifies whether the request matched a defined URL or Parameter Profile. Values:DEFAULT, PROFILED. | keyword |
 | barracuda.waf.protected | Specifies whether the request went through the Barracuda Web Application Firewall rules and policy checks. Values:PASSIVE, PROTECTED, UNPROTECTED. | keyword |
@@ -118,6 +127,8 @@ An example event for `waf` looks as following:
 | barracuda.waf.server_time | The total time taken by the backend server to serve the request forwarded to it by the Barracuda Web Application Firewall. | long |
 | barracuda.waf.sessionid | The value of the session tokens found in the request if session tracking is enabled. | keyword |
 | barracuda.waf.severity_level | Defines the seriousness of the attack. EMERGENCY - System is unusable (highest priority). ALERT - Response must be taken immediately. CRITICAL - Critical conditions. ERROR - Error conditions. WARNING - Warning conditions. NOTICE - Normal but significant condition. INFORMATION - Informational message (on ACL configuration changes). DEBUG - Debug-level message (lowest priority). | keyword |
+| barracuda.waf.transaction_id | Specifies the transaction ID for the transaction that makes the persistent change. Note:Events that do not change anything do not have a transaction ID. This is indicated by transaction ID of -1. | long |
+| barracuda.waf.transaction_type | Denotes the type of transaction done by the system administrator. Values:LOGIN, LOGOUT, CONFIG, COMMAND, ROLLBACK, RESTORE, REBOOT, SHUTDOWN, FIRMWARE UPDATE, ENERGIZE UPDATE, SUPPORT TUNNEL OPEN, SUPPORT TUNNEL CLOSED, FIRMWARE APPLY, FIRMWARE REVERT, TRANSPARENT MODE, UNSUCCESSFUL LOGIN, ADMIN ACCESS VIOLATION. | keyword |
 | barracuda.waf.unit_name | Specifies the name of the unit. | keyword |
 | barracuda.waf.user_id | The identifier of the user. | keyword |
 | barracuda.waf.wf_matched | Specifies whether the request is valid. Values:INVALID, VALID. | keyword |
diff --git a/packages/barracuda/img/audit_log.png b/packages/barracuda/img/audit_log.png
new file mode 100644
index 000000000000..23f120b4c805
Binary files /dev/null and b/packages/barracuda/img/audit_log.png differ
diff --git a/packages/barracuda/img/system_log.png b/packages/barracuda/img/system_log.png
new file mode 100644
index 000000000000..55eb45def9c7
Binary files /dev/null and b/packages/barracuda/img/system_log.png differ
diff --git a/packages/barracuda/kibana/dashboard/barracuda-4c9f17f0-cee9-11ed-8bd5-2d9c9e3c9d44.json b/packages/barracuda/kibana/dashboard/barracuda-4c9f17f0-cee9-11ed-8bd5-2d9c9e3c9d44.json
new file mode 100644
index 000000000000..5774610eff23
--- /dev/null
+++ b/packages/barracuda/kibana/dashboard/barracuda-4c9f17f0-cee9-11ed-8bd5-2d9c9e3c9d44.json
@@ -0,0 +1,343 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"barracuda.waf\" and barracuda.waf.log_type : \"SYS\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-13d606a3-a4c5-4537-999d-6111e1d9a9ae", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "13d606a3-a4c5-4537-999d-6111e1d9a9ae": { + "columnOrder": [ + "64a9a532-a581-43a7-b745-240ee863a264" + ], + "columns": { + "64a9a532-a581-43a7-b745-240ee863a264": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of Events", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "accessor": "64a9a532-a581-43a7-b745-240ee863a264", + "layerId": "13d606a3-a4c5-4537-999d-6111e1d9a9ae", + "layerType": "data", + "size": "xl", + "textAlign": "center", + "titlePosition": "bottom" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2aca65ac-0004-4ee0-8ba5-37de7aefdf34", + "w": 13, + "x": 0, + "y": 0 + }, + "panelIndex": "2aca65ac-0004-4ee0-8ba5-37de7aefdf34", + "type": "lens", + "version": "8.4.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b4815931-0095-45f2-a1a9-51f4384accff", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + 
"indexpattern": { + "layers": { + "b4815931-0095-45f2-a1a9-51f4384accff": { + "columnOrder": [ + "4e724b73-5c23-401f-9267-35a288a1a22a", + "56ee6a24-3628-4a56-9fd1-080edfa5ad6e" + ], + "columns": { + "4e724b73-5c23-401f-9267-35a288a1a22a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of barracuda.waf.severity_level", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "56ee6a24-3628-4a56-9fd1-080edfa5ad6e", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "barracuda.waf.severity_level" + }, + "56ee6a24-3628-4a56-9fd1-080edfa5ad6e": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "4e724b73-5c23-401f-9267-35a288a1a22a" + ], + "layerId": "b4815931-0095-45f2-a1a9-51f4384accff", + "layerType": "data", + "legendDisplay": "default", + "metric": "56ee6a24-3628-4a56-9fd1-080edfa5ad6e", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "73f57a04-9d8a-4455-abc9-ed39a3d93e7f", + "w": 12, + "x": 13, + "y": 0 + }, + "panelIndex": "73f57a04-9d8a-4455-abc9-ed39a3d93e7f", + "title": "Severity Level", + "type": "lens", + "version": "8.4.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-93407cee-ad89-4922-96ae-5b6926e6fd82", + "type": "index-pattern" + 
} + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "93407cee-ad89-4922-96ae-5b6926e6fd82": { + "columnOrder": [ + "125719e1-2181-4c83-a161-cdc15ae18244", + "a9d863a9-41d9-403d-ac31-2b1ee5ae38fc" + ], + "columns": { + "125719e1-2181-4c83-a161-cdc15ae18244": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Module Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a9d863a9-41d9-403d-ac31-2b1ee5ae38fc", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "barracuda.waf.module.name" + }, + "a9d863a9-41d9-403d-ac31-2b1ee5ae38fc": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a9d863a9-41d9-403d-ac31-2b1ee5ae38fc" + ], + "layerId": "93407cee-ad89-4922-96ae-5b6926e6fd82", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "125719e1-2181-4c83-a161-cdc15ae18244" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_horizontal_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, 
+ "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "e6911e9a-51c4-48df-a0b2-435892233794", + "w": 25, + "x": 0, + "y": 15 + }, + "panelIndex": "e6911e9a-51c4-48df-a0b2-435892233794", + "title": "Top 10 Modules", + "type": "lens", + "version": "8.4.0" + } + ], + "timeRestore": false, + "title": "[Logs Barracuda WAF] System logs", + "version": 1 + }, + "coreMigrationVersion": "8.4.0", + "id": "barracuda-4c9f17f0-cee9-11ed-8bd5-2d9c9e3c9d44", + "migrationVersion": { + "dashboard": "8.4.0" + }, + "references": [ + { + "id": "logs-*", + "name": "2aca65ac-0004-4ee0-8ba5-37de7aefdf34:indexpattern-datasource-layer-13d606a3-a4c5-4537-999d-6111e1d9a9ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "73f57a04-9d8a-4455-abc9-ed39a3d93e7f:indexpattern-datasource-layer-b4815931-0095-45f2-a1a9-51f4384accff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e6911e9a-51c4-48df-a0b2-435892233794:indexpattern-datasource-layer-93407cee-ad89-4922-96ae-5b6926e6fd82", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/barracuda/kibana/dashboard/barracuda-d86e6a10-cee9-11ed-8bd5-2d9c9e3c9d44.json b/packages/barracuda/kibana/dashboard/barracuda-d86e6a10-cee9-11ed-8bd5-2d9c9e3c9d44.json new file mode 100644 index 000000000000..54e9d284fe5f --- /dev/null +++ b/packages/barracuda/kibana/dashboard/barracuda-d86e6a10-cee9-11ed-8bd5-2d9c9e3c9d44.json 
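Review bot: The dashboard-level KQL query carries a trailing space inside the string, `"query": "data_stream.dataset : \"barracuda.waf\" and barracuda.waf.log_type : \"SYS\" "`, which KQL tolerates but which will show up as a spurious diff the next time the dashboard is re-exported; the same trailing space is in the audit dashboard's `\"AUDIT\" "` query in the next file. Trim both to `"query": "data_stream.dataset : \"barracuda.waf\" and barracuda.waf.log_type : \"SYS\""`. Separately, the severity pie keeps Lens's auto-generated column label `"label": "Top 20 values of barracuda.waf.severity_level"` with no `customLabel`, while the modules chart in the same dashboard sets `"customLabel": true` with `"label": "Module Name"`, so the legend heading differs in style between panels; `"customLabel": true, "label": "Severity Level"` would match. The audit dashboard's transaction-type pie has the same auto-generated label.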
@@ -0,0 +1,260 @@ +{ + "attributes": { + "description": "", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"barracuda.waf\" and barracuda.waf.log_type : \"AUDIT\" " + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-593245cf-0064-4ce1-8d25-a8feb5c20eaa", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "593245cf-0064-4ce1-8d25-a8feb5c20eaa": { + "columnOrder": [ + "3dec2487-4618-4a5d-a0b2-a21ad504387e", + "53ccf8e5-7d7f-41bc-a6c2-3042632ba76c" + ], + "columns": { + "3dec2487-4618-4a5d-a0b2-a21ad504387e": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "53ccf8e5-7d7f-41bc-a6c2-3042632ba76c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Number of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "53ccf8e5-7d7f-41bc-a6c2-3042632ba76c" + ], + "layerId": "593245cf-0064-4ce1-8d25-a8feb5c20eaa", + "layerType": 
"data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "3dec2487-4618-4a5d-a0b2-a21ad504387e" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 22, + "i": "d361d466-b104-479a-8187-3a23e585b311", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "d361d466-b104-479a-8187-3a23e585b311", + "type": "lens", + "version": "8.4.0" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-236acc37-2744-43a2-b031-59cf0a417173", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "236acc37-2744-43a2-b031-59cf0a417173": { + "columnOrder": [ + "c082de01-bbab-4523-8960-615c6bf9b828", + "bd24c554-ad4a-46c4-b262-a0d07fc0896b" + ], + "columns": { + "bd24c554-ad4a-46c4-b262-a0d07fc0896b": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c082de01-bbab-4523-8960-615c6bf9b828": { + "dataType": "string", + "isBucketed": true, + "label": "Top 20 values of barracuda.waf.transaction_type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "bd24c554-ad4a-46c4-b262-a0d07fc0896b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 20 + }, + "scale": "ordinal", + "sourceField": "barracuda.waf.transaction_type" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + 
"visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c082de01-bbab-4523-8960-615c6bf9b828" + ], + "layerId": "236acc37-2744-43a2-b031-59cf0a417173", + "layerType": "data", + "legendDisplay": "default", + "metric": "bd24c554-ad4a-46c4-b262-a0d07fc0896b", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 22, + "i": "092a0bd9-7c1e-4032-8b2d-1db9994cf2da", + "w": 16, + "x": 24, + "y": 0 + }, + "panelIndex": "092a0bd9-7c1e-4032-8b2d-1db9994cf2da", + "title": "Transaction Types", + "type": "lens", + "version": "8.4.0" + } + ], + "timeRestore": false, + "title": "[Logs Barracuda WAF] Audit Logs", + "version": 1 + }, + "coreMigrationVersion": "8.4.0", + "id": "barracuda-d86e6a10-cee9-11ed-8bd5-2d9c9e3c9d44", + "migrationVersion": { + "dashboard": "8.4.0" + }, + "references": [ + { + "id": "logs-*", + "name": "d361d466-b104-479a-8187-3a23e585b311:indexpattern-datasource-layer-593245cf-0064-4ce1-8d25-a8feb5c20eaa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "092a0bd9-7c1e-4032-8b2d-1db9994cf2da:indexpattern-datasource-layer-236acc37-2744-43a2-b031-59cf0a417173", + "type": "index-pattern" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml index 23b6066628c9..ccccc7a9f77b 100644 --- a/packages/barracuda/manifest.yml +++ b/packages/barracuda/manifest.yml @@ -1,7 +1,7 @@ format_version: 2.3.0 name: barracuda title: "Barracuda Logs" -version: 1.0.0 +version: 1.1.0 description: Ingest Events from Barracuda Web Application Firewall type: integration categories: 
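Review bot: The date-histogram panel (panelIndex `d361d466-b104-479a-8187-3a23e585b311`) has `"title": ""` in its Lens attributes and no panel-level `title`, whereas the neighbouring pie panel sets `"title": "Transaction Types"`; since `optionsJSON.hidePanelTitles` is `false`, the histogram renders as the only untitled panel on the board. Add a panel title next to `"panelIndex": "d361d466-b104-479a-8187-3a23e585b311"`, for example `"title": "Audit Events Over Time"` (constructed wording), so readers know what the bars count without opening the panel.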
@@ -30,6 +30,14 @@ screenshots: title: Web Firewall log size: 721x311 type: image/png + - src: /img/audit_log.png + title: Audit log + size: 4972x1376 + type: image/png + - src: /img/system_log.png + title: System log + size: 3124x2050 + type: image/png icons: - src: /img/logo.svg title: Barracuda logo