cef0.barracuda.waf
- Juan Tomás Alonso Nieto (Unlicensed)
Introduction
The table cef0.barracuda.waf identifies events in CEF format generated by Barracuda Web Application Firewall.
Tag structure
Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.
In this case, the valid data tables are:
cef0.barracuda.waf
How is the data sent to Devo?
Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.
Log samples
The following are sample logs sent to cef0.barracuda.waf. Find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
cef0.barracuda.waf
2021-09-01 08:17:48.919 localhost=127.0.0.1 14 CEF: 0|Barracuda|WAF|10.0.1.005|WF|Web Firewall Event|Medium| eventId=41940 app=HTTP customerURI=/All Customers/MSSP/EFZ_Customer/Customer art=1629271519917 deviceSeverity=4 act=DENY rt=1629271519917 src=217.99.150.19 sourceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/ARIN/214.0.0.0-219.253.255.255 (ARIN) spt=61212 dst=190.29.0.184 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 190.16.0.0-190.31.255.255 dpt=80 duser=""-"" request=thewright.nyc/.env requestMethod=GET requestContext=""-"" requestClientApplication=""Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/513.36 (KHTML, like Gecko) Chrome/81.0.1234.129 Safari/523.36"" cs1=NONE cs2=[""-""] cs3=""-"" cs4=217.99.150.19 cs5=SLASH_DOT_IN_URL flexString1=security-policy flexString2=GLOBAL cn1=61212 deviceCustomDate1=1629242639000 cs1Label=Followup Action cs2Label=Attack Details cs3Label=SessionID cs4Label=Proxy IP cs5Label=Attack Type cn1Label=Proxy Port deviceCustomDate1Label=Event date c6a4Label=North America flexString1Label=Rule flexString2Label=RuleType ahost=10.1.110.30 agt=10.1.110.30 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.1.0.0-10.1.255.255 amac=A8-15-63-BC-2F-AD av=8.0.0.8322.0 atz=UTC at=cef_multifolder_file dtz=UTC deviceProcessName=barracuda6 geid=9631526338573251840 _cefVer=0.1 aid=3TbWRKnsBABCACH-4e8Az9g\\=\\=
And this is how the log would be parsed:
Field | Value | Type | Extra fields | Source field name |
|---|---|---|---|---|
eventdate |
|
| ||
hostname |
|
| ||
priorityCode |
|
| ||
cefTag |
|
| ||
cefVersion |
|
| ||
embDeviceVendor |
|
| ||
embDeviceProduct |
|
| ||
deviceVersion |
|
| ||
signatureID |
|
| ||
name |
|
| ||
severity |
|
| ||
_cefVer |
|
| ||
act |
|
| ||
app |
|
| ||
c6a4Label |
|
| ||
cfp1Label |
|
| ||
cfp1 |
|
| ||
cn1Label |
|
| ||
cn1 |
|
| ||
cn2Label |
|
| ||
cn2 |
|
| ||
cn3Label |
|
| ||
cn3 |
|
| ||
cs1Label |
|
| ||
cs1 |
|
| ||
cs2Label |
|
| ||
cs2 |
|
| ||
cs3Label |
|
| ||
cs3 |
|
| ||
cs4Label |
|
| ||
cs4 |
|
| ||
cs5Label |
|
| ||
cs5 |
|
| ||
destinationTranslatedAddress |
|
| ||
deviceCustomDate1Label |
|
| ||
deviceCustomDate1 |
|
| ||
deviceProcessName |
|
| ||
dhost |
|
| ||
dst |
|
| ||
dpt |
|
| ||
duid |
|
| ||
duser |
|
| ||
in |
| |||
msg |
|
| ||
out |
|
| ||
requestClientApplication |
|
| ||
requestCookies |
|
| ||
requestMethod |
|
| ||
request |
|
| ||
rt |
|
| ||
src |
|
| ||
spt |
|
| ||
suid |
|
| ||
agentZoneURI |
|
| ||
agt |
|
| ||
ahost |
|
| ||
aid |
|
| ||
amac |
|
| ||
art |
|
| ||
at |
|
| ||
atz |
|
| ||
av |
|
| ||
customerURI |
|
| ||
destinationTranslatedZoneURI |
|
| ||
destinationZoneURI |
|
| ||
deviceSeverity |
|
| ||
dtz |
|
| ||
eventId |
|
| ||
flexString1 |
|
| ||
flexString1Label |
|
| ||
flexString2 |
|
| ||
flexString2Label |
|
| ||
geid |
|
| ||
requestContext |
|
| ||
sourceZoneURI |
|
| ||
hostchain |
|
| ✓ | |
tag |
|
| ✓ |
|
rawMessage |
| ✓ |