Add audit and system logs

packages/barracuda/_dev/deploy/docker/sample_logs/barracuda.log

@@ -5,4 +5,12 @@
 <129>2023-03-01 14:54:44.502 +0100  barracuda WF ALER UNKNOWN_CONTENT_TYPE 193.56.29.26 61507 10.9.0.4 443 Hackazon:adaptive_url_42099b4af021e53fd8fd URL_PROFILE LOG NONE [Content-type\="application/x-www-form-urlencoded"] POST / TLSv1.2 "-" "Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; HM NOTE 1W Build/KOT49H) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.0.5.850 U3/0.8.0 Mobile Safari/534.30" 20.88.228.79 61507 "-" "-" 1869d743696-dfcf8d96
 <129>2023-03-09 13:56:18.404 +0100  barracuda NF ALER TCP 172.105.128.11 57296 10.9.0.4 80 DENY SSH_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
 <134>2023-03-20 17:22:36.102 +0100  barracuda TR 81.2.69.144 443 89.160.20.112 65483 "-" "-" GET TLSv1.2 67.43.156.2 HTTP/1.1 404 791 240 0 0 1.128.0.1 443 0 "-" INTERNAL DEFAULT PROTECTED INVALID /sendgrid.env "-" "-" "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36" 216.160.83.56 65483 "-" "-" "-" "-" 186ffd46946-e5bacdd0
-<129>2023-03-09 13:22:20.996 +0100  barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
+<129>2023-03-09 13:22:20.996 +0100  barracuda NF ALER TCP 134.122.135.178 44534 10.9.0.4 80 DENY HTTP_ATTACK_SOURCES MGMT/LAN/WAN interface traffic:deny
+<134>2023-03-30 03:11:07.915 +0200  barracuda SYS APS INFO 19034 Num clients to walk : 0
+<133>2023-03-30 03:02:21.053 +0200  barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table
+<129>2023-03-30 03:00:56.251 +0200  barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading
+<129>2023-03-30 03:00:56.251 +0200  barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xce04b10)
+<133>2023-03-30 03:00:49.732 +0200  barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table
+<134>2023-03-30 02:53:07.902 +0200  barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one
+<134>2023-03-29 16:26:13.484 +0200  barracuda AUDIT elastic GUI 31.208.15.130 64197 LOGIN 0 login  global - - "" "" []
+<134>2023-03-29 16:23:51.998 +0200  barracuda AUDIT elastic GUI 31.208.15.130 63685 LOGOUT 0 logout  global - - "" "" []

packages/barracuda/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+  changes:
+    - description: Add system log and audit log support
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5746
 - version: "1.0.0"
   changes:
     - description: Upgrade the Barracuda WAF data_stream and remove spamfirewall data_stream

packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log

@@ -0,0 +1,2 @@
+<134>2023-03-29 16:24:13.484 +0200  barracuda AUDIT elastic GUI 81.2.69.144 64197 LOGIN 0 login  global - - "" "" []
+<134>2023-03-29 16:23:51.998 +0200  barracuda AUDIT elastic GUI 81.2.69.144 63685 LOGOUT 0 logout  global - - "" "" []

packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event

packages/barracuda/data_stream/waf/_dev/test/pipeline/test-audit.log-expected.json

@@ -0,0 +1,122 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2023-03-29T14:24:13.484Z",
+            "barracuda": {
+                "waf": {
+                    "client_type": "GUI",
+                    "command_name": "login",
+                    "log_type": "AUDIT",
+                    "object_type": "global",
+                    "transaction_id": 0,
+                    "transaction_type": "LOGIN",
+                    "unit_name": "barracuda"
+                }
+            },
+            "client": {
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.144",
+                "port": 64197,
+                "user": {
+                    "name": "elastic"
+                }
+            },
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "category": [
+                    "authentication",
+                    "configuration"
+                ],
+                "created": "2023-03-29T14:24:13.484Z",
+                "kind": "event",
+                "original": "\u003c134\u003e2023-03-29 16:24:13.484 +0200  barracuda AUDIT elastic GUI 81.2.69.144 64197 LOGIN 0 login  global - - \"\" \"\" []",
+                "type": [
+                    "access"
+                ]
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "elastic"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        },
+        {
+            "@timestamp": "2023-03-29T14:23:51.998Z",
+            "barracuda": {
+                "waf": {
+                    "client_type": "GUI",
+                    "command_name": "logout",
+                    "log_type": "AUDIT",
+                    "object_type": "global",
+                    "transaction_id": 0,
+                    "transaction_type": "LOGOUT",
+                    "unit_name": "barracuda"
+                }
+            },
+            "client": {
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.144",
+                "port": 63685,
+                "user": {
+                    "name": "elastic"
+                }
+            },
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "category": [
+                    "authentication",
+                    "configuration"
+                ],
+                "created": "2023-03-29T14:23:51.998Z",
+                "kind": "event",
+                "original": "\u003c134\u003e2023-03-29 16:23:51.998 +0200  barracuda AUDIT elastic GUI 81.2.69.144 63685 LOGOUT 0 logout  global - - \"\" \"\" []",
+                "type": [
+                    "access"
+                ]
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "elastic"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ]
+        }
+    ]
+}

packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log

@@ -0,0 +1,9 @@
+<134>2023-03-30 03:11:07.915 +0200  barracuda SYS APS INFO 19034 Num clients to walk : 0
+<133>2023-03-30 03:02:21.053 +0200  barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_448b2101c2af40186876949d97713f2f] to the Lockout Table
+<129>2023-03-30 03:00:56.251 +0200  barracuda SYS ABP_SVC ALER 62001 Advanced Bot Protection Service [Provisioning] timed out. Error: Timed out while waiting for socket to become ready for reading
+<129>2023-03-30 03:00:56.251 +0200  barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xce04b10)
+<133>2023-03-30 03:00:49.732 +0200  barracuda SYS APS NOTI 19034 Adding the Fingerprint:[g_6ddfd29093fc8264ddd87bcf7eeda6db] to the Lockout Table
+<134>2023-03-30 02:53:07.902 +0200  barracuda SYS APS INFO 19032 [10.9.0.4:443] OnDDOSProtectionReqH: No entry found for the IP in the captcha tables, checking if its verified or making one
+<134>2023-03-30 02:31:27.553 +0200  barracuda SYS APS INFO 19032 [10.9.0.4:443]  EvalClientBehaviour: Found the entry 0x7fd2c7caefc0 and captcha entry 0x0 and temp entry 0x0, run idx 0
+<133>2023-03-30 02:18:21.494 +0200  barracuda SYS APS NOTI 19034 Num clients walked and displayed : 1
+<129>2023-03-30 02:00:56.026 +0200  barracuda SYS ABP_SVC ALER 62004 Failed to receive Symmetric key for Supply Chain. Error: HASH(0xbb6cd88)

packages/barracuda/data_stream/waf/_dev/test/pipeline/test-system.log-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event