Barracuda Web Filter application for Splunk
Overview
Details
This application was designed to give users usable data surrounding the requests being sent to their Barracuda Web Filter. The application was designed using data from a Barracuda Web Filter 310, even though the access logs should be universal across the Barracuda Web Filter family of appliances I cannot guarentee it will work with other versions.
Pre-deployment Assumptions:
1. You have enabled syslog logging on your Web Filter appliance.
2. The logs are being absorbed by Splunk and given a sourcetype name "barracuda"
3. You are using LDAP authentication. If you are not you may need to tweak the stanza named barracuda_without_ldap in transforms.conf
Reports in this Application:
- Top Users by Spyware Type
- Top Domains by Spyware Type
- Top Spyware Types
- Top Source IPs by Spyware Type
- Weekly Bandwidth Usage
- Top Ten Bandwidth Consumers by User ID
- Bandwidth Consumed by Hour of Day
- Bandwidth Consumed by Day of Week
- Domains by Bandwidth Consumed
- Users by Bandwidth Consumed
- Content Type by Bandwidth Consumed
- Source IP by Bandwidth Consumed
- Dest IP by Bandwidth Consumed
Blocked/Allowed Traffic Reports:
- Domains by # of Requests
- Domains by Category
- Top Domains Accessed by User
- Most Accessed Content Type by Domain
- Most Accessed Category by Domain
- Users by # of Requests
- Categories by # of Requests
- Top Category per User
- Top Content Types
- Source IPs by # of Requests
- Dest IPs by # of Requests
- Requests by Hour of Day
- Requests by Day of Week
You can also use the "Log Search" tab to manually search the logs using the defined categories.
TODO:
1. Configure a setup screen to change sourcetype name and/or specify an index
2. Add summary indexes for some of the reports
Release Notes
Version 1.8
Small fixes for lookups.
Version 1.7
Updates in version 1.7:
- New "Threat Intelligence" tab that will be used to collect external threat intelligence feeds and provide insight on any correlations that are found in your event data. Currently has support for phishtank.com through a scripted input that runs every 24 hours. More to be added soon.
- Updates to the regex's in transforms.conf
- Sourcetype renaming was added to match barracuda web filter syslog events and rename the sourcetype to "barracuda"
Version 1.6
Some more clean up of the app. No major changes/fixes.
Version 1.5
This release addresses two issues:
1. Saved search "Blocked Users by Requests" could not be found
2. Same values were appearing for "Top 10 Blocked Users" and "Top 10 Users by Allowed Requests"
Credit goes to Kirk G. from TekSecure Labs for finding the issues.
Version 1.4
Very minor fix that was missed in last release
Version 1.3
- Updated the log search page to properly incorporate the Action field and display it in the results.
- Fixed two blocked reports in the activity by domain dashboard that were improperly labelled.
- Changed the bandwidth by day report to be over the last 7 days by default.
Version 1.2
- Added Blocked traffic
- Separated menus into "Allowed" and "Blocked" traffic
- Added action type (blocked/allowed) to the log search dashboard
- Reorganized the reports on each dashboard
- Added a specific "Bandwidth Usage" dashboard
- Results will update when a new date/time frame is select from the drop down menu
Version 1.1
- Added category definitions so the user can reference what criteria makes up a given category.
- Fixed font type so it's a little prettier
- Changed the title on one of the charts
- Remove the defined time bucket on the Bandwidth Usage search.