Barracuda Web Filter App for Splunk
This application was designed to give users usable data about the requests being sent to their Barracuda Web Filter. It was built using data from a Barracuda Web Filter 310. The access logs should be universal across the Barracuda Web Filter family of appliances, but I cannot guarantee it will work with other versions.
This app is freely available on Splunkbase here: http://splunk-base.splunk.com/apps/31192/splunk-for-barracuda-web-filter
Pre-deployment Assumptions:
1. You have enabled syslog logging on your Web Filter appliance.
2. The logs are being ingested by Splunk and assigned the sourcetype name "barracuda".
3. You are using LDAP authentication. If you are not, you may need to tweak the stanza named barracuda_without_ldap in transforms.conf.
Reports in this Application:
Top Users by Spyware Type
Top Domains by Spyware Type
Top Spyware Types
Top Source IPs by Spyware Type
Weekly Bandwidth Usage
Top Ten Bandwidth Consumers by User ID
Bandwidth Consumed by Hour of Day
Bandwidth Consumed by Day of Week
Domains by Bandwidth Consumed
Users by Bandwidth Consumed
Content Type by Bandwidth Consumed
Source IP by Bandwidth Consumed
Dest IP by Bandwidth Consumed
Blocked/Allowed Traffic Reports:
Domains by # of Requests
Domains by Category
Top Domains Accessed by User
Most Accessed Content Type by Domain
Most Accessed Category by Domain
Users by # of Requests
Categories by # of Requests
Top Category per User
Top Content Types
Source IPs by # of Requests
Dest IPs by # of Requests
Requests by Hour of Day
Requests by Day of Week
You can also use the "Log Search" tab to manually search the logs using the defined categories.
TODO:
1. Configure a setup screen to change sourcetype name and/or specify an index
2. Add summary indexes for some of the reports