When you configure the Barracuda Web Security Gateway to send log data to USM Anywhere, you can use the Barracuda Web Filter plugin to translate the raw log data into normalized events for analysis.
Device type: Web Filter
Barracuda Web Security Gateway Integration
Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.
To send log data from Barracuda Web Security Gateway to USM Anywhere
- Log in to the Barracuda Web Security Gateway.
- Go to the Advanced tab and click Syslog.
- (If using Barracuda Web Security Gateway version 14 or later) Change Enable W3C Logs to Yes.
  Important: When sending logs in the World Wide Web Consortium (W3C) format, Barracuda does not include any tags in the syslog header. Therefore, you must manually enable the Barracuda Web Filter plugin in USM Anywhere. See Adding AlienApps to an Asset for assistance.
- Specify the IP address of the USM Anywhere Sensor in both the Web Traffic Syslog and Web Interface Syslog fields.
- Click Save.
Note: In some instances, users with older firmware have reported event information being improperly parsed from syslog messages. As of the Web Security Gateway version 12.0 firmware update, syslog messages are correctly parsed.
If you are not sending W3C logs, the Barracuda Web Filter plugin automatically processes all messages whose syslog tag matches one of the following values: httpscan, http_scan, sniff.
If you are sending W3C logs, as is the case in Barracuda Web Security Gateway version 14 or later, you must manually enable the Barracuda Web Filter plugin in USM Anywhere. See Adding AlienApps to an Asset for assistance.
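A troubleshooting check for the tag rule in the two paragraphs above, added here as an example (it is not AT&T or Barracuda code): it classifies syslog lines captured on the sensor by whether they carry one of the three tags the plugin matches automatically. It assumes an RFC 3164-style header; the sample lines, the host name wsg01, the cron tag, and the function names are constructed for illustration.

```python
import re

# Tags the page lists as automatically matched by the Barracuda Web Filter plugin.
AUTO_TAGS = {"httpscan", "http_scan", "sniff"}

# Assumed RFC 3164-style header: optional <PRI>, "Mmm dd hh:mm:ss", host,
# then TAG or TAG[pid] followed by ": ". The real plugin's matcher is not
# documented on this page; this only approximates the tag lookup.
HEADER = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"
    r"(?P<host>\S+)\s"
    r"(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[\d+\])?:\s"
)


def classify(line):
    """Return (tag, verdict) for one received syslog line."""
    m = HEADER.match(line)
    if m is None:
        # No tag in the header, as the page describes for W3C logs:
        # the plugin has to be enabled manually on the asset.
        return None, "no-tag"
    tag = m.group("tag")
    if tag in AUTO_TAGS:
        return tag, "auto"
    # A tag is present but is not one of the three listed values.
    return tag, "other-tag"


def summarize(lines):
    """Count verdicts over an iterable of syslog lines."""
    counts = {"auto": 0, "other-tag": 0, "no-tag": 0}
    for line in lines:
        _, verdict = classify(line.rstrip("\n"))
        counts[verdict] += 1
    return counts


# Constructed sample lines; message bodies are placeholders.
SAMPLE = [
    "<134>Sep 19 13:07:01 wsg01 http_scan[3365]: <message body>",
    "Sep 19 13:07:02 wsg01 sniff: <message body>",
    "<78>Sep 19 13:07:03 wsg01 cron[101]: <message body>",
    "<134>Sep 19 13:07:04 wsg01 2024-09-19 13:07:04 <w3c field values>",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(classify(sample_line), sample_line)
    print(summarize(SAMPLE))
```

A high no-tag count on traffic from the gateway indicates W3C-format logs, for which the plugin must be enabled manually as described above.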
Available Plugin Fields
The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.
For troubleshooting, refer to the vendor documentation: