TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM Syslog
ENVIRONMENT: Barracuda CloudGen Firewall
SUMMARY: Configuration Guide for Barracuda CloudGen Firewalls

• Vendor Information
• Device Configuration Checklist
  • Enable the Syslog Service
  • Configure Logdata Filters
  • Configure Logstream Destination
  • Configure Logdata Streams
• Example Log Messages
  • Firewall Traffic

This page only covers the device-specific configuration, you'll still need to read Huntress Managed SIEM Syslog Guide to complete the Huntress Managed SIEM setup as well as opening a port in Microsoft Defender Firewall.

Vendor Information

Please note that Huntress provides third party vendor instructions as a best effort to expedite onboarding. Vendor documentation and versions frequently change and so it may be necessary to find the appropriate documentation for syslog logging for your version of the vendor software or service.

Please note the link in the Vendor Links above to the latest documentation at the time of this writing.

Device Configuration Checklist

Enable the Syslog Service

1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming

2. Click Lock

3. Set Enable Syslog Streaming to yes

4. Click Send Changes and Activate

Note: Huntress SIEM does not support TLS or receiving encrypted data from syslog sources. If you setup your source with TLS Huntress will not be able to ingest data from that source.

Configure Logdata Filters

1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming

2. In the left menu, select Logdata Filters

3. Expand the Configuration Mode menu and select Switch to Advanced View

4. Click Lock

5. Click the + icon to add a new entry

6. Enter a descriptive name in the Filters dialog and click OK.

7. In the Affected Box Logdata section, choose the box logs sent via syslog

   1. Click the + next to Data Selection to add an entry

   2. Enter a descriptive name for the group and click OK. The Data Selection window opens.

   3. Choose the following items from the Data Selection window: Auth-All, Config-All, Control-All, Event-All, Firewall-Activity-Only, Firewall-Threat-Only, Network-All, Settings-All, SSH-All, System-All, Watchdog-All

   4. Choose the following items from Message Types: Panic, Security, Fatal, Error, Warning, Notice

   5. Click OK

8. Click Send Changes and Activate

Configure Logstream Destination

1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming

2. In the left menu, select Logstream Destinations

3. Expand the Configuration Mode menu and select Switch to Advanced View

4. Click Lock

5. Click the + icon to add a new entry

6. Enter a descriptive name for the destination (such as Huntress Collector) and click OK. The Destinations window opens.

7. Select the Logstream Destination

   1. Select Explicit IP

   2. Set the Destination IP Address to the Internal IP of the Huntress agent configured to receive syslog

8. Set the Destination Port to 514

9. Set the Transmission Mode to UDP

10. Click OK

11. Click Send Changes and Activate

Configure Logdata Streams

1. Go to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming

2. In the left menu, select Logdata Streams

3. Expand the Configuration Mode menu and select Switch to Advanced View

4. Click Lock

5. Click the + icon to add a new entry

6. Enter a descriptive name for the new configuration (such as Huntress Log Stream) and click OK

7. Configure the following settings

   1. Active Streams to yes

   2. Log Destinations to the destination created above

   3. Log Filters to the filter created above

8. Click Send Changes and Activate

Example Log Messages

Firewall Traffic

<14>Feb 6 19:14:59 hostname hostname/box_Firewall_Activity: Info hostname Allow: FWD|TCP|p1|10.36.87.167|63102|e4:54:e8:81:49:42|142.250.187.227|80|http|p2|BOX-LAN-2-INTERNET|0|195.224.222.166|142.250.187.227|0|1|0|0|0|0||||||