Ingest Logs
Prerequisites
Logpoint: v6.7.0 or later
Logpoint: v7.4.0 or later for log source template
Barracuda Access: Syslog forwarding configured on Barracuda devices to send logs to Logpoint
Install Barracuda
Download the .pak file from the Marketplace.
Go to Settings >> System Settings from the navigation bar.
Click Applications.
Click Import.
Browse to the downloaded .pak file.
Click Upload.
After installation, verify that the integration appears under Settings >> System Settings >> Plugins.
Configure Barracuda
Configure Barracuda using one of two methods:
Log Source Template (recommended), which provides a centralized interface for all integrations and minimizes setup requirements
Devices
Method 1: Configure via Log Source Template
For Logpoint v7.4.0 and above:
You must create a log source using the log source template to receive the normalized Barracuda logs.
Go to Settings >> Log Sources from the navigation bar.
Click Browse Log Source Templates and select Barracuda.
Source
Configure the log source settings.
Click Source.
Enter the Log Source's Name.
Select the Device Addresses.
Select the Device Groups.
Select a Time Zone. The device's timezone must match its log source.
Configure the Risk Values for Confidentiality, Integrity, and Availability used to calculate the risk levels of the alerts generated from the device.
Connector
Configure the connection to Barracuda.
Click Connector.
Select Syslog Parser as Parser.
Select the Charset.
In Proxy Server, select None (or configure proxy settings if required).
Routing
Set up log storage and routing:
Create Repository
Click Routing and + Create Repo.
Enter a Repo name.
In Path, specify the location to store incoming logs.
In Retention (Days), set how long logs are kept before automatic deletion.
In Availability, select the Remote logpoint and Retention (Days).
Click Create Repo.
Select the created repo in Repo.
Create Routing Criteria
Click + Add row.
Enter a Key and Value for log filtering.
Select log handling options:
Store raw message: Store both incoming and normalized logs.
Discard raw message: Keep only normalized logs.
Discard entire event: Discard both incoming and normalized logs.
Select the target Repository.
Normalization
Set up log normalization:
Click Normalization.
Either:
Select a previously created normalization policy from the dropdown, or
Select BarracudaCompiledNormalizer from the following list based on your Barracuda products:
LP_Barracuda Email Security Gateway
LP_Barracuda NG Firewall
LP_Barracuda Web Application Firewall
LP_Barracuda WAF CEF
LP_Barracuda Firewall
LP_Barracuda Web Filter
LP_Barracuda Load Balancer
LP_Barracuda ADC 540Vx Loadbalancer
LP_Barracuda Cloud Email Filter
Click the swap icon.
Click Create Log Source to save the above configurations.
Method 2: Configure via Devices
Configuring a Repo
Go to Settings >> Configuration from the navigation bar and click Repos.
Click Add.
Enter a Repo Name.
Select a Repo Path to store incoming logs.
Set a Retention Day to keep logs in a repository before they are automatically deleted. You can add and remove multiple Repo Paths and Retention Days.
Select a Remote LogPoint and set an Available for (day).
Click Submit.
Adding a Normalization Policy
Normalization policies normalize and standardize logs for efficient storage, analysis, and retrieval.
Go to Settings >> Configuration in the navigation bar, then click Normalization Policies.
Click Add.
Enter a Policy Name.
In Compiled Normalizer, select BarracudaCompiledNormalizer.
In Normalization Packages, select the required normalization package(s) based on your Barracuda products:
LP_Barracuda Email Security Gateway
LP_Barracuda NG Firewall
LP_Barracuda Web Application Firewall
LP_Barracuda WAF CEF
LP_Barracuda Firewall
LP_Barracuda Web Filter
LP_Barracuda Load Balancer
LP_Barracuda ADC 540Vx Loadbalancer
LP_Barracuda Cloud Email Filter
Click Submit.
Configuring a Processing Policy
A processing policy dictates how Barracuda logs are handled, processed, and stored to enhance their usability and accessibility for monitoring, reporting, and alerting purposes.
Go to Settings >> Configuration from the navigation bar and click Processing Policies.
Click Add.
Enter a Policy Name.
Select the previously created normalization policy.
Select the Enrichment Policy.
Select the Routing Policy.
Adding Barracuda as a Device
Go to Settings >> Configuration from the navigation bar and click Devices.
Click Add.
Enter a device Name.
Enter the Barracuda server IP address(es).
Select the Device Groups.
Select an appropriate Log Collection Policy for the logs.
Select a collector or a forwarder from the Distributed Collector drop-down. It is optional to select the Device Groups, the Log Collection Policy, and the Distributed Collector.
Select a Time Zone. The timezone of the device must be the same as its log source.
Configure the Risk Values for Confidentiality, Integrity, and Availability used to calculate the risk levels of the alerts generated from the device.
Click Submit.
Configuring the Syslog Collector
Go to Settings >> Configuration in the navigation bar, then click Devices.
Click the Add collectors/fetchers icon under Actions of the previously added device.
Click Syslog Collector.
Select Syslog Parser as Parser.
Select the previously created Processing Policy.
Select the Charset.
In Proxy Server, select None (or configure proxy settings if required).
Click Submit.
Verify Ingestion
Check Log Ingestion
Use the following query to verify Barracuda logs are being ingested:
Or search by specific Barracuda product:
Verify Data Flow
Check Syslog Collector Status: Ensure the Barracuda collector is running without errors.
Monitor Log Volume: Verify expected log volumes are being processed.
Validate Normalization: Confirm logs are correctly parsed and normalized using the BarracudaCompiledNormalizer.
Test Dashboards: Access Barracuda dashboards to verify data visualization.