How do I configure remote syslog logging for a Barracuda Firewall - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="this-article-will-walk-through-the-steps-to-configure-barracuda-firewalls-to-send-syslog-messages-to-the-rocketagent-syslog-server">This article will walk through the steps to configure Barracuda firewalls to send Syslog messages to the RocketAgent Syslog Server</h2> <p data-depth="4">The following steps are performed from the Barracuda Firewall Management Interface.</p> <h4 data-depth="4" data-id="enable-audit-logs">Enable Audit Logs</h4> <p>Activate the generation of Firewall Audit data:</p> <ol><li>Go to <strong>CONFIGURATION > Full Configuration > Box > Infrastructure Services > General Firewall Configuration</strong>.</li> <li>In the left menu, select <strong>Audit and Reporting</strong>.</li> <li>Expand the <strong>Configuration Mode</strong> menu and select <strong>Switch to Advanced View</strong>.</li> <li>Click <strong>Lock</strong>.</li> <li>In the <strong>Log Policy</strong> section, enable <strong>Generate Audit Log</strong>.</li> <li>Click <strong>Set</strong> next to <strong>Audit Log Data</strong>.</li> <li>From the <strong>Audit Delivery</strong> list, select how audit log data is stored or processed.</li> <li>Select <strong>Syslog-Proxy</strong> from the <strong>Audit Delivery</strong> drop-down.</li> <li>Click <strong>OK</strong>.</li> <li>Click <strong>Send Changes</strong> and <strong>Activate</strong>.</li> </ol><h4 data-depth="4" data-id="enable-the-syslog-service">Enable the Syslog Service</h4> <ol><li>Go to <strong>CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming</strong>.</li> <li>Click <strong>Lock</strong>.</li> <li>Set <strong>Enable Syslog Streaming</strong> to <strong>yes</strong>.<br><img src="https://us.v-cdn.net/6032361/uploads/migrated/8GYNVS9MZZNM/syslog-stream-barracuda.png" alt="syslog_stream_barracuda.png" class="embedImage-img importedEmbed-img"></img></li> <li>Click <strong>Send Changes</strong> 
and <strong>Activate</strong>.</li> </ol><h4 data-depth="4" data-id="configure-logdata-filters">Configure Logdata Filters</h4> <p>Define profiles specifying the log file types to be transferred/streamed to the RocketAgent.</p> <ol><li>Go to <strong>CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming</strong>.</li> <li>In the left menu, select <strong>Logdata Filters</strong>.</li> <li>Expand the <strong>Configuration Mode</strong> menu and select <strong>Switch to Advanced View</strong>.</li> <li>Click <strong>Lock</strong>.</li> <li>Click the <strong>+</strong> icon to add a new entry.</li> <li>Enter RocketCyber in the <strong>Filters</strong> dialog and click <strong>OK</strong>.</li> <li>In the <strong>Data Selection</strong> table, add the log files to be streamed. Select: <ul><li> <strong>Firewall_Audit_Log</strong> – The log contents of the firewall's machine-readable audit data stream. Whether data is streamed into the Firewall_Audit_Log is configured in the <strong>General Firewall Configuration</strong> settings at box level, section <strong>Audit Log Handling</strong> > <strong>Audit-Delivery</strong>: Syslog-Proxy (see: <a rel="nofollow" href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fcampus.barracuda.com%2Fdoc%2F53248431%2F">FW Audit</a>). When Syslog-Proxy is selected, the corresponding log instance name is trans7.</li> <li> <p><strong>Panic_log</strong> – The log contents of the panic log (log instance name: <em>panic</em>).</p> <div> <p>When <em>Log-File</em> is selected in the firewall's configuration, the data will go into a log file named <em>Box->Firewall->audit</em> (which means the instance is named <em>box_Firewall_audit</em>) and thus this filter setting is not applicable. 
In that case, the pertinent setting is a selection of category <em>Firewall</em> within the box selection portion of the filter.</p> </div> </li> </ul></li> <li>In the <strong>Affected Box Log data</strong> section, define which box logs are to be affected by the Syslog daemon from the <strong>Data Selection</strong> list.</li> <li>Choose <strong>Selection</strong> (default): <ol><li>Click the <strong>+</strong> icon next to <strong>Data Selection</strong> to add an entry.</li> <li>Enter a descriptive name for the group and click <strong>OK</strong>. The <strong>Data Selection</strong> window opens.</li> <li>In the <strong>Log Groups</strong> table, select <strong>Other</strong> and specify the following:<br><strong>AuthEvent</strong><br><strong>Firewall</strong><br><strong>Network</strong><br><strong>SSH</strong><br><strong>virscan</strong><br><strong>proxy</strong><br><strong>sslprx</strong><br><strong>cofs</strong><br><strong>sslprx</strong><br><strong>spamfilter</strong><br><strong>sshprx</strong><br><strong>vpnserver</strong> </li> <li>(Optional) Set a <strong>Log Message Filter</strong>. When choosing <strong>Selection</strong>, <ul><li>Add the explicit log type to the <strong>Selected Message Types</strong> table.</li> </ul></li> <li>Click <strong>OK</strong>.</li> </ol></li> <li>In the <strong>Affected Service Log data</strong> section, define which logs created by services are to be sent by the Syslog daemon from the <strong>Data Selection</strong> list.</li> <li>Choose <strong>Selection</strong> (default): <ol><li>Click the <strong>+</strong> icon next to <strong>Data Selection</strong> to add an entry.</li> <li>Enter a descriptive name for the group and click <strong>OK</strong>. 
The <strong>Data Selection</strong> window opens.</li> <li>In the <strong>Log Groups</strong> table, select <strong>Other</strong> and specify the following:<br><strong>virscan_cas</strong><br><strong>firewall_auth</strong><br><strong>firewall_Rule*</strong> </li> <li>(Optional) Set a <strong>Log Message Filter</strong>. When choosing <strong>Selection</strong>, <ul><li>Add the explicit log type to the <strong>Selected Message Types</strong> table.</li> </ul></li> <li>Click <strong>OK</strong>.</li> </ol></li> <li> <p>Click <strong>Send Changes</strong> and <strong>Activate</strong>.</p> </li> </ol><div> <h4 data-depth="4" data-id="configure-logstream-destinations">Configure Logstream Destinations</h4> <ol><li>Go to <strong>CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming</strong>.</li> <li>In the left menu, select <strong>Logstream Destinations</strong>.</li> <li>Expand the <strong>Configuration Mode</strong> menu and select <strong>Switch to Advanced View</strong>.</li> <li>Click <strong>Lock</strong>.</li> <li>Click the <strong>+</strong> icon to add a new entry.</li> <li>Enter RocketCyber in the upcoming dialog and click <strong>OK</strong>. The <strong>Destinations</strong> window opens.</li> <li>Select the <strong>Logstream Destination</strong>. When an external log host is used, <ol><li>Select <strong>Explicit IP</strong>.</li> <li>Enter the destination IP address in the <strong>Destination IP Address</strong> field. 
This is the IP address of the RocketAgent Syslog Server.</li> </ol></li> <li> <p>For the <strong>Destination Port</strong> used to deliver Syslog messages, enter <strong>514</strong>. This is the default port that the RocketCyber Syslog Server listens on.</p> </li> <li> <p>Set the <strong>Transmission Mode</strong> to <strong>UDP</strong>.</p> </li> <li>Click <strong>OK</strong>.</li> <li>Click <strong>Send Changes</strong> and <strong>Activate</strong>.</li> </ol></div> </article> </main>
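<p>Syslog over UDP port 514, as configured in the destination above, carries no sender authentication, so it is worth confirming on the receiving side that datagrams arrive and that they come from the firewall. The following check is an added example, not part of the original article or of RocketCyber's software; the firewall address is a placeholder, the sample datagrams are constructed, and it assumes messages begin with a standard syslog priority field.</p>

```python
import socket
from collections import Counter

FIREWALL_IP = "192.0.2.10"  # assumption: placeholder for the firewall's address


def parse_pri(datagram: bytes):
    """Return (facility, severity) from a leading '<PRI>' field, else None."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    return (pri >> 3, pri & 7) if pri <= 191 else None


def triage(packets, expected_sources):
    """Count (source_ip, payload) pairs by how a receiver should treat them."""
    stats = Counter()
    for src, payload in packets:
        if src not in expected_sources:
            stats["unexpected_source"] += 1  # anyone can send to UDP 514
        elif parse_pri(payload) is None:
            stats["malformed"] += 1
        else:
            stats["accepted"] += 1
    return stats


def listen(port=514, expected_sources=(FIREWALL_IP,), count=20):
    """Collect `count` datagrams on UDP `port` and triage them."""
    packets = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))  # ports below 1024 need elevated rights
        for _ in range(count):
            data, (src, _src_port) = sock.recvfrom(8192)
            packets.append((src, data))
    return triage(packets, set(expected_sources))


# Constructed sample datagrams, not real firewall output.
SAMPLE = [
    ("192.0.2.10", b"<134>Jan  1 00:00:00 fw1 sample: constructed message"),
    ("192.0.2.10", b"message without a priority field"),
    ("198.51.100.7", b"<13>Jan  1 00:00:00 host sample: constructed message"),
]

if __name__ == "__main__":
    print(dict(triage(SAMPLE, {FIREWALL_IP})))
```

<p>Call <code>listen()</code> only on a host where no other syslog receiver is already bound to UDP 514.</p>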