Reports from Barracuda Load Balancer ADC

dgraham7
New Member

I am using the Barracuda Load Balancer ADC for handling incoming traffic to our web servers. I currently do not have it passing the source IP to the web server so the web server is not showing the IP address of the user, just the IP address of the Load Balancer. I can change the Load Balancer to forward that but really do not want to muck with things if I do not have to. There are also other web sites that I would like to grab some info on but I do not want to install Splunk on.
So, all of the information is coming through the Load Balancer and I have sent the logs to Splunk on UDP 514.
I have installed the Barracuda WAF/ADC add-on for Splunk. To try to read that information I installed the Barracuda Web Filter, but that does not seem to be working. I see the logs and some have the source type of Barracuda:waf and some with barracuda:log, both with an index of Barracuda. I have added the Barracuda index as one of the default indexes. But I get no data in Barracuda Web Filter.
I guess the main question is should I use the Barracuda Web Filter for this? I tried using the Web Analytics and other IIS tools (passing over W3C formats) before installing the WAF/ADC add-on and those did not seem to work.
Any ideas with what I am doing wrong or am I overcomplicating things?

Cheers

0 Karma

dgraham7
New Member

Thanks, Josh. Trying to get Splunk up and running as a proof of concept so this has been fun. Not sure if the ADC should send as W3C format, Default format, Splunk format or any other format types. The data comes back as barracuda:log (first 2) and barracuda:wf (last 2) respectively below.

May 30 13:01:08 172.16.1.233 May 30 13:01:20 INWDPLB01 2018-05-30 13:01:20.783 -0500 209.41.122.98 "-" POST "-" "-" /form.aspx/CheckUnlockStatus https://site.mysite.com/form.aspx?pid=44026f71-62a6-43dd-ad40-fb294ffeba58&formid=&forminstid=b75a90...

May 30 13:04:09 172.16.1.233 May 30 13:04:21 INWDPLB01 2018-05-30 13:04:21.788 -0500 209.41.122.98 "-" POST "-" "-" /form.aspx/CheckUnlockStatus https://site.mysite.com/form.aspx?pid=44026f71-62a6-43dd-ad40-fb294ffeba58&formid=&forminstid=2512cd...

May 30 13:04:09 172.16.1.233 May 30 13:04:21 INWDPLB01 2018-05-30 13:04:21.915 -0500 INWDPLB01 WF ALER UNKNOWN_CONTENT_TYPE 209.41.122.98 24706 172.16.1.233 443 LOG NONE [Content-type="application/json" PathInfo="CheckUnlockStatus"] POST site.mysite.com/form.aspx TLSv1.2 209.41.122.98 24706
May 30 13:03:56 172.16.1.233 May 30 13:04:08 INWDPLB01 2018-05-30 13:04:08.604 -0500 INWDPLB01 WF ALER UNKNOWN_CONTENT_TYPE 209.41.122.100 35419 172.16.1.233 443 LOG NONE [Content-type="application/json"] POST site2.mysite.com/owa/service.svc TLSv1.2 209.41.122.100 35419

Seems like it should be a simple web parsing, but my lack of Splunk knowledge and pulling things in just may be the problem here.

Hope that helps clear this up some.

Cheers

0 Karma

joshd
Builder

I originally wrote the Barracuda Web Filter application a longgg time ago (first published in 2011 with last update in 2014) and it was intended only for use with Barracuda Web Filter appliances. The app is in much need of a refresh as a whole and it's also possible the format of your data may not match expectations of the app.

With that said, if you wish to supply me with a sample of your data I can assess if it makes sense to do it within that app or building a separate app is better. Let me know if you can supply a sample and we can take the communication off-forum.
