Barracuda Web Filter App for Splunk


This application was designed to give users usable data about the requests being sent to their Barracuda Web Filter. It was built using data from a Barracuda Web Filter 310; the access logs should be the same across the Barracuda Web Filter family of appliances, but I cannot guarantee it will work with other models. This app is freely available on Splunkbase here:

http://splunk-base.splunk.com/apps/31192/splunk-for-barracuda-web-filter

Pre-deployment Assumptions:

1. You have enabled syslog logging on your Web Filter appliance.

2. The logs are being absorbed by Splunk and given the sourcetype name "barracuda".

3. You are using LDAP authentication. If you are not, you may need to tweak the stanza named barracuda_without_ldap in transforms.conf.

Reports in this Application:

  • Top Users by Spyware Type
  • Top Domains by Spyware Type
  • Top Spyware Types
  • Top Source IPs by Spyware Type
  • Weekly Bandwidth Usage
  • Top Ten Bandwidth Consumers by User ID
  • Bandwidth Consumed by Hour of Day
  • Bandwidth Consumed by Day of Week
  • Domains by Bandwidth Consumed
  • Users by Bandwidth Consumed
  • Content Type by Bandwidth Consumed
  • Source IP by Bandwidth Consumed
  • Dest IP by Bandwidth Consumed
  • Blocked/Allowed

Traffic Reports:

  • Domains by # of Requests
  • Domains by Category
  • Top Domains Accessed by User
  • Most Accessed Content Type by Domain
  • Most Accessed Category by Domain
  • Users by # of Requests
  • Categories by # of Requests
  • Top Category per User
  • Top Content Types
  • Source IPs by # of Requests
  • Dest IPs by # of Requests
  • Requests by Hour of Day
  • Requests by Day of Week

You can also use the "Log Search" tab to manually search the logs using the defined categories.

TODO:

1. Configure a setup screen to change sourcetype name and/or specify an index

2. Add summary indexes for some of the reports

Splunk App Question

How do you differentiate the log traffic? When I use the IP address, it starts grabbing the Cisco ASA traffic as well since the IP address is also in the ASA traffic logs...

Submitted by Anonymous on Mon, 11/18/2013 - 13:30.
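One way to separate the two syslog streams by message content rather than by sending host, as an added example that is not part of this app's own configuration: it assumes both devices send to the same UDP 514 input, that the Cisco ASA messages carry the standard `%ASA-` prefix, and that the Barracuda Web Filter messages contain the `http_scan` process name (check a few raw events and adjust the regexes to what your logs actually show). Index-time sourcetype rewriting happens on the indexer or heavy forwarder, not on a universal forwarder.

```ini
# props.conf -- applies to every event arriving on the shared syslog input
[source::udp:514]
TRANSFORMS-set_sourcetype = set_sourcetype_asa, set_sourcetype_barracuda

# transforms.conf -- each stanza rewrites the sourcetype when its REGEX matches
# the raw event; events matching neither keep the input's default sourcetype
[set_sourcetype_asa]
REGEX = %ASA-\d-\d+
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::cisco:asa

[set_sourcetype_barracuda]
# assumed Barracuda Web Filter syslog process tag; verify against your own events
REGEX = http_scan\[\d+\]
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::barracuda
```

With the Barracuda events tagged as sourcetype "barracuda" this way, the app's field extractions (including the barracuda_without_ldap stanza) apply only to them and the ASA events stay out of its reports.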