diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 365acfcff0f5e..5959780760026 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -607,6 +607,11 @@ plaid/assets/logs/ @DataDog/saa /beyondtrust_identity_security_insights/manifest.json @DataDog/saas-integrations @DataDog/documentation /beyondtrust_identity_security_insights/assets/logs/ @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-backend +/barracuda_secure_edge/ @DataDog/agent-integrations +/barracuda_secure_edge/*.md @DataDog/agent-integrations @DataDog/documentation +/barracuda_secure_edge/manifest.json @DataDog/agent-integrations @DataDog/documentation +/barracuda_secure_edge/assets/logs/ @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-backend @DataDog/logs-core + /klaviyo/ @DataDog/saas-integrations /klaviyo/*.md @DataDog/saas-integrations @DataDog/documentation /klaviyo/manifest.json @DataDog/saas-integrations @DataDog/documentation
diff --git a/.github/workflows/config/labeler.yml b/.github/workflows/config/labeler.yml
index c245bc7c4aa00..dcdae22621096 100644
--- a/.github/workflows/config/labeler.yml
+++ b/.github/workflows/config/labeler.yml
@@ -751,6 +751,8 @@ integration/zero_networks:
 - zero_networks/**/*
 integration/zk:
 - zk/**/*
+integration/barracuda_secure_edge:
+- barracuda_secure_edge/**/*
 qa/skip-qa:
 - '**/__about__.py'
 - requirements-agent-release.txt
diff --git a/barracuda_secure_edge/CHANGELOG.md b/barracuda_secure_edge/CHANGELOG.md
new file mode 100644
index 0000000000000..1f151def7ae7c
--- /dev/null
+++ b/barracuda_secure_edge/CHANGELOG.md
@@ -0,0 +1,4 @@
+# CHANGELOG - barracuda_secure_edge
+
+
+
diff --git a/barracuda_secure_edge/README.md b/barracuda_secure_edge/README.md
new file mode 100644
index 0000000000000..b6d7ab218b5e6
--- /dev/null
+++ b/barracuda_secure_edge/README.md
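Review bot: The new entries hand `/barracuda_secure_edge/` to `@DataDog/agent-integrations`, while both adjacent integrations in this hunk (`beyondtrust_identity_security_insights`, `klaviyo`) are owned by `@DataDog/saas-integrations`, and the `assets/logs/` line additionally lists `@DataDog/logs-core`, which neither neighbour carries. The README in this commit describes a logs-only integration fed over syslog, which looks closer to the neighbouring entries' profile, so it is worth confirming that the owning team and the extra `logs-core` reviewer on `/barracuda_secure_edge/assets/logs/` are intended. If they are, no change is needed; otherwise the four lines should use the same owner set as the surrounding block.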
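Review bot: The new `integration/barracuda_secure_edge` label is appended after `integration/zk`, whereas the visible neighbours (`integration/zero_networks`, then `integration/zk`) suggest the `integration/*` keys are kept in alphabetical order. If that is the convention, the two lines `integration/barracuda_secure_edge:` / `- barracuda_secure_edge/**/*` belong with the other `b*` integrations earlier in the file rather than at the end of the section. This is a style point only; the labeler matches either way.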
@@ -0,0 +1,78 @@ +# Agent Integration: barracuda_secure_edge + +## Overview + +Barracuda Secure Edge is a unified Secure Access Service Edge (SASE) platform that includes Next-Generation Firewall (NGFW), zero trust, and secure Software-Defined Wide Area Network (SD-WAN) capabilities. This integration allows you to collect and analyze logs from your [barracuda_secure_edge][4] deployment to monitor security events, network traffic, and system activity. + +## Setup +### Prerequisites + +- Administrative access to Barracuda Secure Edge installed on your server. +- The Datadog Agent installed and running (on a server or container that can receive syslog messages). +- Network Access between the firewall and the Datadog Agent (usually port 514, but may be a custom value). +- Syslog support enabled in the Datadog Agent (with a TCP or UDP listener configured). + +### Setup configurations +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` with: + + ```yaml + logs_enabled: true + ``` +2. Add this configuration block to your `secure_edge.d/conf.yaml` to start collecting your Secure Edge logs: + + ```yaml + logs: + - type: file + path: /var/log/secure_edge.log + source: secure_edge + service: + ``` + + Change the `path` and `service` parameter values for your environment. + +3. [Restart the Agent][3]. + +### Installation + +The barracuda_secure_edge check is included in the [Datadog Agent][2] package. + +### Validation + +1. Confirm the Datadog Agent is listening on the correct port (`514` in the following examples) + `sudo netstat -tunlp | grep 514` + If using TCP and UDP listeners, use the following command: + `sudo lsof -i :514` +2. Confirm logs are reaching the Agent from the correct log source. + `tail -f /var/phion/logs/*.log` +**Note**: If the file doesn't exist, verify that syslog logs are being written to a file by your configuration. +3. Use the tcpdump command to confirm network traffic. 
On the Datadog Agent host: + `sudo tcpdump -i any port 514` +After running this command, you should see traffic from the Secure Edge IP address. If you don't see any such traffic, check the firewall rules between Secure Edge and the Datadog Agent. Confirm the correct protocol (UDP or TCP) is being used on both sides. +4. Check the Datadog [Live Tail][5] in Datadog for logs from the source and service you defined in the `conf.yaml` file. +5. After following these steps, you can create a test log on the firewall by triggering an event. +6. Check for tags or facets to use them for better filtering based on the required data. + +## Data Collected +### Metrics +Barracuda_Secure_Edge does not include any metrics. + +### Events +The Barracuda Secure Edge integration does not include any events. + +### Logs +The Barracuda Secure Edge integration collects logs containing the following types of information: +- **Security Events**: Firewall actions (allow/deny), rule matches, and security policy violations +- **Network Traffic**: Source and destination IPs/ports, protocols, and network interfaces +- **Authentication**: User login attempts, successes, and failures +- **VPN Activity**: VPN connection events and status +- **System Events**: Device status, configuration changes, and system health + +## Troubleshooting + +Need help? Contact [Datadog support][1]. + +[1]: https://docs.datadoghq.com/help/ +[2]: /account/settings/agent/latest +[3]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent +[4]: https://www.barracuda.com/products/network-protection/secureedge +[5]: /logs/livetail \ No newline at end of file diff --git a/barracuda_secure_edge/assets/configuration/spec.yaml b/barracuda_secure_edge/assets/configuration/spec.yaml new file mode 100644 index 0000000000000..e46da0dce8b54 --- /dev/null +++ b/barracuda_secure_edge/assets/configuration/spec.yaml 
@@ -0,0 +1,9 @@
+name: barracuda_secure_edge
+files:
+- name: barracuda_secure_edge.yaml
+ options:
+ - template: logs
+ example:
+ - type: file
+ path: /var/log/barracuda_secure_edge.log
+ source: barracuda_secure_edge
diff --git a/barracuda_secure_edge/assets/dashboards/barracuda_secure_edge_overview.json b/barracuda_secure_edge/assets/dashboards/barracuda_secure_edge_overview.json
new file mode 100644
index 0000000000000..f4636323cf549
--- /dev/null
+++ b/barracuda_secure_edge/assets/dashboards/barracuda_secure_edge_overview.json
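Review bot: The log `source: barracuda_secure_edge` and config file name `barracuda_secure_edge.yaml` fixed here disagree with the README added in the same commit, which tells users to create `secure_edge.d/conf.yaml` with `source: secure_edge` and `path: /var/log/secure_edge.log`. Every widget in the dashboard this commit adds filters on `source:barracuda_secure_edge`, so logs ingested per the README would never appear there (and presumably would also miss any source-keyed pipeline). The README should be brought in line with this spec, i.e. `path: /var/log/barracuda_secure_edge.log` / `source: barracuda_secure_edge`. Two smaller gaps: the example omits `service:` even though the dashboard filters on `service:auth`, `service:firewall`, `service:ssh` and so on, so it is unclear whether `service` is meant to be set per file or derived from the syslog program name by a pipeline — worth a comment in the spec either way; and the README's prerequisites describe a TCP/UDP syslog listener while this example is `type: file`, so one of the two should be corrected.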
@@ -0,0 +1,2498 @@ +{ + "title": "Barracuda Secure Edge", + "description": "SecureEdge dashboard provides a visual summary of firewall activity, security events, user access, and system health to help monitor and analyze network security in real time.", + "widgets": [ + { + "id": 1735739967105627, + "definition": { + "title": "", + "banner_img": "/api/v2/images/72076454-0aca-4881-a73b-ff421931b5dd", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [] + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 5634058441727079, + "definition": { + "type": "note", + "content": "Barracuda SecureEdge secures sites, devices, and users with an easy-to-deploy cloud-first platform that connects any device, application, or cloud/hybrid environment. SecureEdge provides Zero Trust application access to any type of application, cloud-based security for endpoints, and automated SD-WAN connectivity for sites and industrial facilities of any type or size. Remote users can access applications directly from any type of device, with Zero Trust enforcement, URL filtering, and traffic optimization to ensure application access is always optimized and makes the most of shared Internet lines. Barracuda SecureEdge provides an unprecedented level of control and visibility into user-generated traffic at each endpoint. 
Barracuda SecureEdge is also available as a service in Azure Virtual WAN and provides companies a way to securely connect to Microsoft Azure Virtual WAN and the Microsoft Global Network backbone.\n\n**Key Features**\n\n-Custom Categories for web filtering\n-Additional web filter actions: Alert and Warn\n-Web search monitoring for predefined categories and custom keywords\n-Silent ad blocking\n-Safe Search\n-Customizable Block pages*", + "background_color": "white", + "font_size": "14", + "text_align": "left", + "vertical_align": "top", + "show_tick": false, + "tick_pos": "50%", + "tick_edge": "left", + "has_padding": true + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 5684415529173769, + "definition": { + "title": "Barracuda Secure Edge Logs Overview", + "background_color": "vivid_blue", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6603911867712278, + "definition": { + "title": "Total Log Volume", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 4467476994731404, + "definition": { + "title": "Least Frequent Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + 
"aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": {} + }, + "layout": { + "x": 3, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 6884604226519708, + "definition": { + "title": "Total Number Of Logs Status Types", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "conditional_formats": [ + { + "comparator": "<=", + "palette": "green_on_white", + "value": 0 + }, + { + "comparator": ">=", + "palette": "white_on_green", + "value": 0.25 + }, + { + "comparator": ">", + "palette": "white_on_green", + "value": 1 + } + ], + "formulas": [ + { + "formula": "query2" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 3650800545814111, + "definition": { + "title": "All Secure Edge Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": 
"status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 2, + "width": 8, + "height": 3 + } + }, + { + "id": 5036759899212035, + "definition": { + "title": "Distribution of Event Types", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "queries": [ + { + "name": "query2", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "service", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "style": { + "palette": "datadog16" + }, + "formulas": [ + { + "formula": "query2" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "type": "sunburst", + "legend": { + "type": "automatic" + } + }, + "layout": { + "x": 8, + "y": 2, + "width": 4, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 3, + "width": 12, + "height": 6 + } + }, + { + "id": 5871396828983642, + "definition": { + "title": "Authentication Events", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 458567982736634, + "definition": { + "title": "Auth Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:auth", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": 
"auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 5911722575228412, + "definition": { + "title": "Total Auth Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:auth" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2 + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 697121533026454, + "definition": { + "title": "Login Attempts Over Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "auto", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:auth @action:\"LOGIN ATTEMPT\"" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count", + "interval": 7200000 + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "order_by": "values", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "line" + } + ] + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 5220439913775302, + "definition": { + "title": "Auth Events Timeline", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": 
"horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:auth" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 3 + } + }, + { + "id": 3752445230216900, + "definition": { + "title": "Top Reasons For Auth Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:auth" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@message", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 2 + } + }, + { + "id": 3905480411624703, + "definition": { + "title": "Total Id Logged", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "queries": [ + { + "data_source": "logs", + 
"name": "query1", + "search": { + "query": "source:barracuda_secure_edge service:auth @message:*Allowed*" + }, + "indexes": [ + "*" + ], + "compute": { + "aggregation": "count" + }, + "group_by": [], + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 2 + } + }, + { + "id": 313116993642037, + "definition": { + "title": "Total Users Logged", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:auth" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "cardinality", + "metric": "host" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 5, + "width": 3, + "height": 2 + } + }, + { + "id": 3261904984553408, + "definition": { + "title": "Total Login Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:auth @message:*LOGIN*" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count", + "metric": "@event_id" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 9, + "y": 5, + "width": 3, + "height": 2 + } + } + ] + }, + "layout": { + "x": 0, + "y": 9, + "width": 12, + "height": 8 + } + }, + { + "id": 1766485451208756, + "definition": { + 
"title": "Firewall Authentication", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3797561601451424, + "definition": { + "title": "Top IPs from Blocked Host", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:firewall @rule:* @action:Block" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@src_ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 2613847559834080, + "definition": { + "title": "Top IPs from Allowed Host", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:firewall @rule:* -@action:Block" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@src_ip", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + } + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": 
"stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 7426280462740333, + "definition": { + "title": "Firewall Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:firewall", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 2, + "width": 6, + "height": 3 + } + }, + { + "id": 368660122390839, + "definition": { + "title": "Total Firewall Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:firewall" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 2, + "width": 3, + "height": 2 + } + }, + { + "id": 4415251969355039, + "definition": { + "title": "Firewall Event Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:barracuda_secure_edge service:firewall" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 4, + "width": 6, + "height": 3 + } + }, + { + "id": 6603422114546555, + "definition": { + "title": "Top Reasons for Firewall Events", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:firewall @type:*" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": "@type", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 5, + "width": 6, + "height": 2 + } + } + ] + }, + "layout": { + "x": 0, + "y": 17, + "width": 12, + "height": 8 + } + }, + { + "id": 8811010146812934, + "definition": { + "title": "SSH Deamon", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3940852660122074, + "definition": { + "title": "SSH Deamon Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + 
"query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:ssh", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 8502877197814048, + "definition": { + "title": "Total SSH Deamon Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:ssh" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 4000106987048186, + "definition": { + "title": "SSH Deamon Event Timeline", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:ssh" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } 
+ ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 25, + "width": 12, + "height": 6 + } + }, + { + "id": 4650294443133108, + "definition": { + "title": "Network", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5972068170566162, + "definition": { + "title": "Network Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:network", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 5 + } + }, + { + "id": 6917436848094152, + "definition": { + "title": "Total Network Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:network" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 5966799396123124, + "definition": { + "title": "Network Event Timeline", + 
"title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:network" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 3 + } + } + ] + }, + "layout": { + "x": 0, + "y": 31, + "width": 12, + "height": 6 + } + }, + { + "id": 329528805270330, + "definition": { + "title": "Auth Access", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 3647253314318828, + "definition": { + "title": "Auth Access Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:access", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 6606424025871952, + "definition": { + "title": "Total Auth 
Access Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:access" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 6000789218138106, + "definition": { + "title": "Auth Access Event Timeline", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:access" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 3 + } + }, + { + "id": 3172417779844822, + "definition": { + "title": "Auth Access Event Level", + "title_size": "16", + "title_align": "left", + "type": "toplist", + "requests": [ + { + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:access" + }, + "indexes": [ + "*" + ], + "group_by": [ + { + "facet": 
"@level", + "limit": 10, + "sort": { + "aggregation": "count", + "order": "desc", + "metric": "count" + }, + "should_exclude_missing": true + } + ], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar", + "formulas": [ + { + "formula": "query1" + } + ], + "sort": { + "count": 10, + "order_by": [ + { + "type": "formula", + "index": 0, + "order": "desc" + } + ] + } + } + ], + "style": { + "display": { + "type": "stacked", + "legend": "automatic" + } + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 2 + } + } + ] + }, + "layout": { + "x": 0, + "y": 37, + "width": 12, + "height": 6, + "is_column_break": true + } + }, + { + "id": 3604232723214272, + "definition": { + "title": "Admin", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 6657035932032435, + "definition": { + "title": "Admin Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:admin", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 7 + } + }, + { + "id": 8541384413985739, + "definition": { + "title": "Total Admin Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:admin" + }, + "indexes": [ + "*" + ], + 
"group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 2510431670294930, + "definition": { + "title": "Total Admin Error Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:admin @level:Error" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 3014667008426488, + "definition": { + "title": "Admin Event Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:admin" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 5 + } + } + ] + }, + 
"layout": { + "x": 0, + "y": 43, + "width": 12, + "height": 8 + } + }, + { + "id": 4593813335587080, + "definition": { + "title": "System", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 930056298424580, + "definition": { + "title": "System Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:system", + "indexes": [], + "storage": "hot" + }, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 7 + } + }, + { + "id": 2462032028969260, + "definition": { + "title": "Total System Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:system" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 7734007763549699, + "definition": { + "title": "Total System Error Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": 
"source:barracuda_secure_edge service:system @level:\"Error\"" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 9, + "y": 0, + "width": 3, + "height": 2 + } + }, + { + "id": 6896383809812739, + "definition": { + "title": "System Event Time", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:system" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + "x": 6, + "y": 2, + "width": 6, + "height": 5 + } + } + ] + }, + "layout": { + "x": 0, + "y": 51, + "width": 12, + "height": 8 + } + }, + { + "id": 7554666130431466, + "definition": { + "title": "VPN", + "title_align": "center", + "background_color": "vivid_orange", + "show_title": true, + "type": "group", + "layout_type": "ordered", + "widgets": [ + { + "id": 5124118448435917, + "definition": { + "title": "VPN Logs", + "title_size": "16", + "title_align": "left", + "requests": [ + { + "response_format": "event_list", + "query": { + "data_source": "logs_stream", + "query_string": "source:barracuda_secure_edge service:vpn", + "indexes": [], + "storage": "hot" + 
}, + "columns": [ + { + "field": "status_line", + "width": "auto" + }, + { + "field": "timestamp", + "width": "auto" + }, + { + "field": "host", + "width": "auto" + }, + { + "field": "service", + "width": "auto" + }, + { + "field": "content", + "width": "full" + } + ] + } + ], + "type": "list_stream" + }, + "layout": { + "x": 0, + "y": 0, + "width": 6, + "height": 3 + } + }, + { + "id": 1536021238409371, + "definition": { + "title": "Total VPN Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:vpn" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 6, + "y": 0, + "width": 6, + "height": 2 + } + }, + { + "id": 3545920037460380, + "definition": { + "title": "VPN Event Timeline", + "title_size": "16", + "title_align": "left", + "show_legend": true, + "legend_layout": "horizontal", + "legend_columns": [ + "avg", + "min", + "max", + "value", + "sum" + ], + "type": "timeseries", + "requests": [ + { + "formulas": [ + { + "alias": "Count", + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:vpn" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "timeseries", + "style": { + "palette": "dog_classic", + "line_type": "solid", + "line_width": "normal" + }, + "display_type": "bars" + } + ], + "yaxis": { + "scale": "linear", + "label": "", + "include_zero": true, + "min": "auto", + "max": "auto" + }, + "markers": [] + }, + "layout": { + 
"x": 6, + "y": 2, + "width": 6, + "height": 3 + } + }, + { + "id": 4814940186544051, + "definition": { + "title": "Total VPN Error Events", + "title_size": "16", + "title_align": "left", + "type": "query_value", + "requests": [ + { + "formulas": [ + { + "formula": "query1" + } + ], + "queries": [ + { + "name": "query1", + "data_source": "logs", + "search": { + "query": "source:barracuda_secure_edge service:vpn @level:Error" + }, + "indexes": [ + "*" + ], + "group_by": [], + "compute": { + "aggregation": "count" + }, + "storage": "hot" + } + ], + "response_format": "scalar" + } + ], + "autoscale": true, + "precision": 2, + "timeseries_background": { + "type": "area" + } + }, + "layout": { + "x": 0, + "y": 3, + "width": 6, + "height": 2 + } + } + ] + }, + "layout": { + "x": 0, + "y": 59, + "width": 12, + "height": 6 + } + } + ], + "template_variables": [], + "layout_type": "ordered", + "notify_list": [], + "reflow_type": "fixed" +} \ No newline at end of file diff --git a/barracuda_secure_edge/assets/logs/barracuda_secure_edge.yaml b/barracuda_secure_edge/assets/logs/barracuda_secure_edge.yaml new file mode 100644 index 0000000000000..613dcaa4dde80 --- /dev/null +++ b/barracuda_secure_edge/assets/logs/barracuda_secure_edge.yaml 
@@ -0,0 +1,475 @@ +# bypass-global-grok-parser-rules-checks +id: barracuda_secure_edge +metric_id: barracuda-secure-edge +backend_only: false +installation_sources: + - barracuda_secure_edge +facets: + - description: "Destination IP address of secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: dest_ip + path: secure_edge.dest_ip + source: log + type: string + - description: "Event ID of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: event_id + path: secure_edge.event_id + source: log + type: string + - description: "Event name of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: eventname + path: secure_edge.eventname + source: log + type: string + - description: "Level of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: level + path: secure_edge.level + source: log + type: string + - description: "Module of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: module + path: secure_edge.module + source: log + type: string + - description: "Product name of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: productname + path: secure_edge.productname + source: log + type: string + - description: "Protocol of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: protocol + path: secure_edge.protocol + source: log + type: string + - description: "Rule of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: rule + path: secure_edge.rule + source: log + type: string + - description: "Source IP address of the secure edge event" + facetType: list + groups: + - Barracuda SecureEdge + name: src_ip + path: secure_edge.src_ip + source: log + type: string +pipeline: + type: pipeline + name: Barracuda_Secure_Edge + enabled: true + filter: + query: source:barracuda_secure_edge + processors: + - type: pipeline + name: Box 
Auth Access + enabled: true + filter: + query: source:barracuda_secure_edge service:auth + processors: + - type: grok-parser + name: Box Auth Access + enabled: true + source: message + samples: + - "2025 04 02 12:20:39 +00:00 Notice root : TTY=pts/0 ; + PWD=/etc/yum.repos.d ; USER=root ; COMMAND=/bin/systemctl rsyslog + status" + - "2025 04 02 12:20:39 +00:00 Info : pam_unix(sudo:session): + session opened for user root by root(uid=0)" + - "2025 03 31 11:46:17 +00:00 Info LOGIN ATTEMPT: control[5405]: + Login localhost_hapair_daemon from 127.0.0.1 : Allowed." + - "2025 03 31 12:16:35 +00:00 Info boxconfig[26379]: Session + localhost_CloudGen-WAN: Closed" + - "2025 05 27 19:47:27 +00:00 Info : pam_unix(sudo:session): + Login root from 10.10.16.1: Denied: Invalid password" + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss Z"):timestamp}\s*%{word:level}\s*%{word:module}\s*:\s*%{greedyData:message} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss Z"):timestamp}\s*%{word:level}\s*%{data:action}:\s*%{word:type}\[%{number:type_id}\]:\s*%{greedyData:message} + + autoFilledRule3 %{date("yyyy MM dd HH:mm:ss Z"):timestamp}\s*%{word:level}\s*(:\s+)?%{greedyData:message} + - type: pipeline + name: Box Firewall Activity + enabled: true + filter: + query: source:barracuda_secure_edge service:firewall + processors: + - type: grok-parser + name: Box Firewall Activity + enabled: true + source: message + samples: + - "2025 04 02 12:20:51 +00:00 Security Block: + FWD|UDP|p1|10.10.17.18|137|00:41:0e:93:aa:91|10.10.17.255|137|net\ + bios-ns||BLOCKALL|4002|||0|1|40|30|20|10||||||" + - "2025 04 02 12:21:07 +00:00 Info Allow: + LOUT|UDP|p2|10.10.16.116|123|00:0c:29:ca:a2:3c|14.139.60.103|123|\ + ntp||BOX-NTP-OUT|0|10.10.16.116|14.139.60.103|0|1|0|0|0|0||||||" + - "2025 04 02 12:20:12 +00:00 Security Block: + |UDP|p2|10.10.17.18|0|00:00:00:00:00:00|10.10.17.255|\ + 137|||BLOCKALL|4002|||0|2|0|0|0|0||||||" + grok: + supportRules: "" + matchRules: >- + 
autoFilledRule1 %{date("yyyy MM dd HH:mm:ss Z"):timestamp}\s+%{word:level}\s*%{word:action}:\s*\[%{word:event_type}\]\s*%{word:module}:\s*%{data:message} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss Z"):timestamp}\s+%{word:level}\s*%{word:action}:%{data::csv("type,protocol,src_if,src_ip,src_port,src_mac,dest_ip,dest_port,dest_service,dest_if,rule,info,src_nat, dst_nat,duration,count,received_bytes,sent_bytes,received_packets,sent_packets, user,prot,application,target,content,uricat","|")} + + autoFilledRule3 %{date("yyyy MM dd HH:mm:ss Z"):timestamp}\s+%{word:level}\s*%{word:action}:%{data:message} + - type: grok-parser + name: Box Firewall + enabled: true + source: message + samples: + - "2025 03 31 13:15:47 +00:00 Notice firewall: [Request] Rule: + /opt/phion/bin/acpffwdrule prefixwrite + /opt/phion/config/active/servers/CSC/services/NGFW/active.fwrule + /opt/phion/run/rule.prefix &" + - "2025 03 31 13:16:17 +00:00 Warning firewall: [DNS] Operation: + DNS server with IP 127.0.0.1 now considererd dead after 4 failed + health checks. Will be re-employed when reachable again." + - "2025 03 31 13:18:20 +00:00 Info firewall: [Request] + Configuration: Maximum forward pending connections per source = + 64" + - "2025 03 31 13:16:17 +00:00 Error firewall: [DNS] Operation: + Every single specified DNS server has been unreachable for at + least 4 retries with 3000ms between them. Hostname resolution + implicitly suspended until a reachable DNS server is configured or + an existing one becomes reachable again." 
+ grok: + supportRules: "" + matchRules: autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s+%{word:log_source}:\s+\[%{word:service}\]\s+%{word:operation_type}:\s+%{data:message} + - type: pipeline + name: "SSH" + enabled: true + filter: + query: source:barracuda_secure_edge service:ssh + processors: + - type: grok-parser + name: Box SSH sshd + enabled: true + source: message + samples: + - "2025 03 31 11:45:34 +00:00 Info sshd: Server listening on + 169.254.128.2 port 22." + - "2025 04 01 06:05:31 +00:00 Info LOGIN ATTEMPT: sshd[26823]: + Login (password) root from 10.10.16.1 port 55827 Accepted" + - "2025 04 02 08:19:55 +00:00 Notice sshd: notice: Shell + (/bin/bash) opened for user root@10.10.16.1:57129 (uid=0)" + - "2025 04 02 11:37:23 +00:00 Notice sshd: notice: Starting + session: shell on pts/0 for root from 10.10.16.1 port 63675 id 0" + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*%{data:type}:\s*(%{data:module})?(\[%{number:id}\])?:\s*%{data:message} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*%{data:type}:\s*%{data:message} + + - type: grok-parser + name: Box SSH config + enabled: true + source: message + samples: + - "2025 03 31 11:45:26 +00:00 Internal [0210108] writeSSHdconf(): + starting handling of ssh daemon configuration " + - "2025 03 31 11:45:27 +00:00 Internal [0210112] writeSSHdconf(): + finished activation of ssh daemon configuration " + - "2025 03 31 11:45:27 +00:00 Info [0213014] writeSSHdconf(): + -------------- END ---------------------------- " + grok: + supportRules: "" + matchRules: autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s+\[%{number:event_id}\]\s+%{data:function}:\s+%{data:message} + - type: pipeline + name: Network + enabled: true + filter: + query: source:barracuda_secure_edge service:network + processors: + - type: grok-parser + name: Box Network 
activation + enabled: true + source: message + samples: + - "2025 03 31 13:18:30 +00:00 Internal [0140200] 0 0 boxnet(p,ARGS): + wrote outer line control parametrisation for xDHCP links to + /var/phion/preserve/boxnet/DHCP/xDHCP.opconf" + - "2025 03 31 11:45:32 +00:00 Internal [0140000] 0 boxnet(Q,ARGS): + Logical Check Sequence Begin " + - "2025 03 31 11:45:31 +00:00 Internal [0140200] make_box(b,ARGS): + conf-file checksum 12509353523906182422 mismatches last known good + value 0, fast activation decision deferred " + grok: + supportRules: "" + matchRules: autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s+\[%{number:event_id}\]\s+%{data:function}:\s+%{data:message} + - type: pipeline + name: VPN + enabled: true + filter: + query: source:barracuda_secure_edge service:vpn + processors: + - type: grok-parser + name: VPN vpn + enabled: true + source: message + samples: + - 2025 03 31 11:46:44 +00:00 Info -------- VPN Server Startup + Version = 5.0.0.1 (pid=9451, ppid=1, inst=CSC_VPN) ----------- + - "2025 03 31 11:46:29 +00:00 Info L2TP server config file + changed. restart required " + - "2025 03 31 13:15:41 +00:00 Notice BIND: Reload service.conf" + - "2025 03 31 13:15:41 +00:00 Notice Wait: No valid license found." + - "2025 05 08 11:46:30 +00:00 Info PPTP options config file + changed. 
restart required " + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s*%{word:level}\s*%{word:module}\:%{data:message} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*%{data:message} + - type: grok-parser + name: VPN sslvpn + enabled: true + source: message + samples: + - "2025 03 31 11:46:35 +00:00 Info sslvpn: SSL Cipher Spec + unspecified - strong ciphers only selected - using: + 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-SSLv2'" + - "2025 03 31 11:46:35 +00:00 Error sslvpn: ACTIVATE Self-signed + certificate key is empty" + grok: + supportRules: "" + matchRules: autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s+%{word:log_source}:\s+(%{word:event_type})?\s+%{data:message} + - type: pipeline + name: Box System mgmaccess + enabled: true + filter: + query: source:barracuda_secure_edge service:access + processors: + - type: grok-parser + name: Box System mgmaccess + enabled: true + source: message + samples: + - 2025 03 31 11:46:16 +00:00 Notice Starting Management Access + Server ... 
+ - 2025 03 31 11:46:17 +00:00 Info Opened listen socket on + 169.254.128.2:807 + - "2025 04 01 10:54:57 +00:00 Info Handler #17 returned with + code 2 (IOStreamSock: Connect(10.10.16.116:814): Connection + refused)" + - "2025 04 01 10:55:14 +00:00 Info Connected new handler #23 of + type 'Firewall'" + - 2025 03 31 11:46:16 +00:00 Notice Running in box group + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s*%{word:level}\s*%{data}%{ip:ip}:%{number:port}\):\s+%{data:message}\) + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*%{data:message} + - type: pipeline + name: Admin + enabled: true + filter: + query: source:barracuda_secure_edge service:admin + processors: + - type: grok-parser + name: Box Config admin + enabled: true + source: message + samples: + - "2025 04 02 01:45:51 +00:00 Notice 127.0.0.1:23697 login + succeeded: localhost_CloudGen-WAN Valid password and valid + challenge" + - 2025 04 02 02:15:51 +00:00 Info New Session + GCSID_localhost_CloudGen-WAN_127.0.0.1_63219_19688 + - "2025 04 01 11:11:24 +00:00 Notice 127.0.0.1:4425 login + succeeded: root Valid token" + - 2025 04 01 06:15:51 +00:00 Info New Session + GCSID_localhost_CloudGen-WAN_127.0.0.1_22883_31238 + - "2025 03 31 11:46:39 +00:00 + Info [localhost_wanhub@127.0.0.1_43774] Commit operation: 0 + Remove(disabled) + /opt/phion/config/active/servers/CSC/services/DHCPR/service.conf" + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s+%{word:level}\s*(%{ip:source_ip}:%{number:source_port})?\s+%{data:message} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s+%{word:level}\s+%{data:message} + - type: grok-parser + name: Box Config changes + enabled: true + source: message + samples: + - 2025 05 23 11:46:38 +00:00 + Info [localhost_wanhub@127.0.0.1_43774] COMMIT(add) + servers/CSC/services/DHCPR (Generic Service directory for DHCPR) + - 
2025 03 31 11:46:23 +00:00 Info [init] COMMIT(add) + servers/CSC/services/DHCP/dhcpe (DHCP Enterprise Configuration) + - 2025 04 02 09:24:16 +00:00 + Info [root@10.10.16.1_63632] Deleting session + GCSID_root_10.10.16.1_63632_11026 + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s+\[%{data:initiator}\]\s+%{word}\(%{word:commit_action}\)\s+%{notSpace:path}\s+\(%{data:message}\) + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s+%{word:level}\s+\[%{data:initiator}\]\s+%{data:message} + - type: grok-parser + name: Box Config sync + enabled: true + source: message + samples: + - 2025 05 12 11:46:36 +00:00 Notice Starting main loop pid=9123 + - 2025 05 12 13:15:40 +00:00 Notice Starting main loop pid=7232 + grok: + supportRules: "" + matchRules: autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s*%{data:message}\s+pid=%{number:process_id} + - type: grok-parser + name: Box Control AuthService + enabled: true + source: message + samples: + - "2025 04 01 06:26:28 +00:00 Internal phibs: SAML: process binary + for SAML/ADFS authentication." 
+ - 2025 04 02 11:00:01 +00:00 Info MSAD-Offline-Groups Setting + MSAD offline group sync cache to 117.49 MByte (auto-calculated) + - '2025 03 31 11:46:20 +00:00 Notice phibs: Configuration: Adding + scheme certvalidate of type "Certificate-Validator"' + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss + ZZ"):timestamp}\s+%{word:level}\s+%{word:auth_component}:\s+%{word:auth_process}:\s+%{data:event}\s+for\s+%{data:auth_type} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s+%{word:level}\s+(%{word:auth_component}:\s+%{word:auth_process}:\s+)?%{data:message} + - type: pipeline + name: Box Network dhcp + enabled: true + filter: + query: source:barracuda_secure_edge service:dhcp + processors: + - type: grok-parser + name: Box Network dhcp + enabled: true + source: message + samples: + - "2025 03 31 11:45:37 +00:00 Info openxdhcp[4500]: START, + operation mode=daemon" + - "2025 03 31 11:45:37 +00:00 Notice openxdhcp[4500]: start worker + xdhcp1 for active link provider" + - "2025 03 31 11:45:52 +00:00 Info xdhcp1[4530]: interface dhcp + addresses are local=10.10.17.114 and gateway=10.10.16.1" + - "2025 03 31 11:45:52 +00:00 Notice xdhcp1[4530]: local interface + dhcp IP changed 0.0.0.0->10.10.17.114" + - "2025 03 31 13:14:18 +00:00 Info xdhcp1[5102]: common link + parameters: link probing mode=, accept DNS assignment=yes accept + DOMAIN=no " + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*%{word:process}\[%{number:process_id}\]:\s+%{data:message} + + autoFilledRule4 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*\[%{number:process_id}\]\s*%{data}\s*\:\s*%{word:action}\s*%{data:message} + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*%{data:module}\s:*%{data}=\s*%{ip:local_ip}\s*%{data}=%{ip:gateway_ip} + + autoFilledRule3 %{date("yyyy MM dd HH:mm:ss 
ZZ"):timestamp}\s*%{word:level}\s*%{data:message} + - type: pipeline + name: System + enabled: true + filter: + query: source:barracuda_secure_edge service:system + processors: + - type: grok-parser + name: Box Event eventS + enabled: true + source: message + samples: + - "2025 04 02 09:37:14 +00:00 Info event: [1071065] Insert Event + from 127.0.0.1:43134 - (D|2|ccactivate|1|License|4700|Query + Activation State for Failed|CloudGen-WAN|1743586634|Querying + licensing servers for the license activation state failed)" + - "2025 04 02 06:09:42 +00:00 Info event: [1071065] Insert Event + from 127.0.0.1:42081 - + (D|2|NGAdmin|2|Login|2420|root|CloudGen-WAN|1743574182|Login root + from 10.10.16.1 : Allowed.)" + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s+%{word:level}\s+event:\s+\[%{number:id}\]\s+%{data:text}%{ip:ip_address}\:%{port:port}\s+\-\s+\(%{data::csv("type,notification_id,module,severity,eventname,event_id,demo,productname,epoch,message","|")}\) + - type: grok-parser + name: Box Event operative + enabled: true + source: message + samples: + - "2025 03 31 11:46:20 +00:00 Internal event: [1070045] Startup + CheckEventState (pid=6397): check every 30 sec" + - "2025 04 01 11:05:27 +00:00 Error event: [1070256] (11) + IOStreamSock: Receive() error:068000DF:asn1 encoding routines::too + large" + - "2025 04 01 06:26:09 +00:00 Internal event: [1070310] Confirm + (worker: 2759) from 10.10.16.1, User [root] - + (D|2|boxconfig|2|Login|2420|root|CloudGen-WAN)" + - "2025 04 02 09:24:16 +00:00 Notice event: [1071200] starting + worker 11022: connected from 10.10.16.116:6752" + grok: + supportRules: "" + matchRules: >- + autoFilledRule1 %{date("yyyy MM dd HH:mm:ss 
ZZ"):timestamp}\s+%{word:level}\s*%{word}:\s+\[%{number:event_id}\]\s+%{word:event_action}\s+\(worker:%{number:worker_id}\)\s+from\s+%{ip:source_ip},\s+User\s+\[%{data}\]\s+-\s+\(%{data::csv("type,severity,component,code,action,session_id,username,system_name","|")}\) + + autoFilledRule2 %{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s+%{word:level}\s*%{word}:\s+\[%{number:event_id}\]\s+%{data:message} + - type: status-remapper + name: Status Remapper from Level to Status + enabled: true + sources: + - level + - type: attribute-remapper + name: "Map timestamp to syslog.timestamp" + enabled: true + sources: + - timestamp + sourceType: attribute + target: syslog.timestamp + targetType: attribute + preserveSource: true + overrideOnConflict: false + - type: date-remapper + name: "Define `timestamp` as the official date of the log" + enabled: true + sources: + - timestamp diff --git a/barracuda_secure_edge/assets/logs/barracuda_secure_edge_tests.yaml b/barracuda_secure_edge/assets/logs/barracuda_secure_edge_tests.yaml new file mode 100644 index 0000000000000..72753310ce2c5 --- /dev/null +++ b/barracuda_secure_edge/assets/logs/barracuda_secure_edge_tests.yaml 
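Review bot: The CSV column list in the firewall parser's `autoFilledRule2` has stray spaces after two commas — `src_nat, dst_nat` and `sent_packets, user` — so unless the csv filter trims names those two columns land in attributes called ` dst_nat` and ` user`, which a search on `@user` or `@dst_nat` never hits; the fix is `...,src_nat,dst_nat,duration,...` and `...,sent_packets,user,prot,...`. The `Box Auth Access` and `Box Firewall Activity` rules also spell the zone as `Z` while every other parser uses `ZZ` and every sample carries `+00:00`; if `Z` only accepts the compact `+0000` form, those rules never match and the tests with `result: null` would not reveal it. Every facet declares a `secure_edge.*` path (`secure_edge.src_ip`, `secure_edge.level`, …) while all the grok parsers write unprefixed root attributes (`src_ip`, `level`) and no remapper moves them, so unless the platform prefixes extracted attributes by itself those facets stay empty. The firewall block samples carry `Security` as their level, and it is worth checking what the status remapper turns that into, because those are the events a defender most wants to stand out; a category processor mapping `@level:Security` to a warning status ahead of the remapper would make that explicit. Finally, the `Box Auth Access` sample `Login root from 10.10.16.1: Denied: Invalid password` only reaches `autoFilledRule3`, which buries the source address and outcome inside `message`; a preceding rule like `%{date("yyyy MM dd HH:mm:ss ZZ"):timestamp}\s*%{word:level}\s*(:\s+)?%{data}Login %{notSpace:user} from %{ip:src_ip}:\s*%{word:outcome}:\s*%{greedyData:message}` would expose them as facets.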
@@ -0,0 +1,75 @@
+id: barracuda_secure_edge
+tests:
+ - sample: "2025 04 02 12:20:39 +00:00 Notice root : TTY=pts/0 ; PWD=/etc/yum.repos.d ; USER=root ; COMMAND=/bin/systemctl rsyslog status"
+ service: "auth"
+ result: null
+ - sample: "2025 04 02 12:20:51 +00:00 Security Block:
+ FWD|UDP|p1|10.10.17.18|137|00:41:0e:93:aa:91|10.10.17.255|137|netbios-ns|\
+ |BLOCKALL|4002|||0|1|40|30|20|10||||||"
+ service: "firewall"
+ result: null
+ - sample: "2025 03 31 13:16:17 +00:00 Warning firewall: [DNS] Operation: DNS
+ server with IP 127.0.0.1 now considererd dead after 4 failed health
+ checks. Will be re-employed when reachable again."
+ service: "firewall"
+ result: null
+ - sample: "2025 04 02 08:19:55 +00:00 Notice sshd: notice: Shell (/bin/bash)
+ opened for user root@10.10.16.1:57129 (uid=0)"
+ service: "ssh"
+ result: null
+ - sample: "2025 03 31 11:45:27 +00:00 Internal [0210112] writeSSHdconf(): finished
+ activation of ssh daemon configuration "
+ service: "ssh"
+ result: null
+ - sample: "2025 03 31 13:18:30 +00:00 Internal [0140200] 0 0 boxnet(p,ARGS): wrote
+ outer line control parametrisation for xDHCP links to
+ /var/phion/preserve/boxnet/DHCP/xDHCP.opconf"
+ service: "network"
+ result: null
+ - sample: "2025 03 31 11:46:29 +00:00 Info L2TP server config file changed.
+ restart required "
+ service: "vpn"
+ result: null
+ - sample: "2025 03 31 11:46:35 +00:00 Info sslvpn: SSL Cipher Spec unspecified
+ - strong ciphers only selected - using:
+ 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:-SSLv2'"
+ service: "vpn"
+ result: null
+ - sample: "2025 04 01 10:54:57 +00:00 Info Handler #17 returned with code 2
+ (IOStreamSock: Connect(10.10.16.116:814): Connection refused)"
+ service: "access"
+ result: null
+ - sample: "2025 04 02 01:45:51 +00:00 Notice 127.0.0.1:23697 login succeeded:
+ localhost_CloudGen-WAN Valid password and valid challenge"
+ service: "admin"
+ result: null
+ - sample: 2025 05 23 11:46:38 +00:00
+ Info [localhost_wanhub@127.0.0.1_43774] COMMIT(add)
+ servers/CSC/services/DHCPR (Generic Service directory for DHCPR)
+ service: "admin"
+ result: null
+ - sample: 2025 05 12 11:46:36 +00:00 Notice Starting main loop pid=9123
+ service: "admin"
+ result: null
+ - sample: "2025 04 02 01:45:51 +00:00 Notice 127.0.0.1:23697 login succeeded:
+ localhost_CloudGen-WAN Valid password and valid challenge"
+ service: "admin"
+ result: null
+ - sample: 2025 04 02 11:00:01 +00:00 Info MSAD-Offline-Groups Setting MSAD
+ offline group sync cache to 117.49 MByte (auto-calculated)
+ service: "admin"
+ result: null
+ - sample: "2025 03 31 11:45:52 +00:00 Info xdhcp1[4530]: interface dhcp
+ addresses are local=10.10.17.114 and gateway=10.10.16.1"
+ service: "dhcp"
+ result: null
+ - sample: "2025 04 02 09:37:14 +00:00 Info event: [1071065] Insert Event from
+ 127.0.0.1:43134 - (D|2|ccactivate|1|License|4700|Query Activation State
+ for Failed|CloudGen-WAN|1743586634|Querying licensing servers for the
+ license activation state failed)"
+ service: "system"
+ result: null
+ - sample: "2025 03 31 11:46:20 +00:00 Internal event: [1070045] Startup
+ CheckEventState (pid=6397): check every 30 sec"
+ service: "system"
+ result: null
\ No newline at end of file
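Review bot: Every case sets `result: null`, so if the harness treats null as "no assertion" the suite only checks that the pipeline accepts each sample and pins nothing about what the grok rules extract — a rule that silently falls through to its `%{data:message}` catch-all passes just the same. At least the security-relevant samples (the firewall `Security Block` CSV line, the admin `login succeeded` line, the sshd `Shell … opened for user` line) deserve an expected `result` naming `src_ip`, `dest_ip`, `rule` and `level`, and the `auth` service should also get the `Denied: Invalid password` sample that the pipeline lists but is untested here. The `127.0.0.1:23697 login succeeded` admin sample appears twice; the second copy could be replaced by the `[root@10.10.16.1_63632] Deleting session` sample from the pipeline.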
diff --git a/barracuda_secure_edge/changelog.d/20423.added b/barracuda_secure_edge/changelog.d/20423.added
new file mode 100644
index 0000000000000..aa949b47b7b41
--- /dev/null
+++ b/barracuda_secure_edge/changelog.d/20423.added
@@ -0,0 +1 @@
+Initial Release
\ No newline at end of file
diff --git a/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/__about__.py b/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/__about__.py
new file mode 100644
index 0000000000000..1bde5986a04b2
--- /dev/null
+++ b/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/__about__.py
@@ -0,0 +1,4 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+__version__ = '0.0.1'
diff --git a/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/__init__.py b/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/__init__.py
new file mode 100644
index 0000000000000..b408666583b85
--- /dev/null
+++ b/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/__init__.py
@@ -0,0 +1,6 @@
+# (C) Datadog, Inc. 2025-present
+# All rights reserved
+# Licensed under a 3-clause BSD style license (see LICENSE)
+from .__about__ import __version__
+
+__all__ = ['__version__']
diff --git a/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/data/conf.yaml.example b/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/data/conf.yaml.example
new file mode 100644
index 0000000000000..d4bf13d008f85
--- /dev/null
+++ b/barracuda_secure_edge/datadog_checks/barracuda_secure_edge/data/conf.yaml.example
@@ -0,0 +1,19 @@
+## Log Section
+##
+## type - required - Type of log input source (tcp / udp / file / windows_event).
+## port / path / channel_path - required - Set port if type is tcp or udp.
+## Set path if type is file.
+## Set channel_path if type is windows_event.
+## source - required - Attribute that defines which integration sent the logs.
+## encoding - optional - For file specifies the file encoding. Default is utf-8. Other
+## possible values are utf-16-le and utf-16-be.
+## service - optional - The name of the service that generates the log.
+## Overrides any `service` defined in the `init_config` section.
+## tags - optional - Add tags to the collected logs.
+##
+## Discover Datadog log collection: https://docs.datadoghq.com/logs/log_collection/
+#
+# logs:
+# - type: file
+# path: /var/log/barracuda_secure_edge.log
+# source: barracuda_secure_edge
diff --git a/barracuda_secure_edge/images/secureEdge1.png b/barracuda_secure_edge/images/secureEdge1.png
new file mode 100644
index 0000000000000..90d5372d1df23
Binary files /dev/null and b/barracuda_secure_edge/images/secureEdge1.png differ
diff --git a/barracuda_secure_edge/images/secureEdge2.png b/barracuda_secure_edge/images/secureEdge2.png
new file mode 100644
index 0000000000000..7b250d3782b61
Binary files /dev/null and b/barracuda_secure_edge/images/secureEdge2.png differ
diff --git a/barracuda_secure_edge/images/secure_edge_overview.png b/barracuda_secure_edge/images/secure_edge_overview.png
new file mode 100644
index 0000000000000..ff25b10802222
Binary files /dev/null and b/barracuda_secure_edge/images/secure_edge_overview.png differ
diff --git a/barracuda_secure_edge/manifest.json b/barracuda_secure_edge/manifest.json
new file mode 100644
index 0000000000000..407e5d391e655
--- /dev/null
+++ b/barracuda_secure_edge/manifest.json
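Review bot: The commented example shows only a `file` input, although the header lists `tcp`/`udp` as input types and the integration's own sample logs look like syslog from a network appliance, so a reader wiring a firewall to the Agent gets no listener example. I would add a second commented alternative, `# - type: tcp` / `#   port: 514` / `#   source: barracuda_secure_edge`, preceded by a comment that a syslog listener accepts unauthenticated input from any host that can reach the port, so it should be limited to the appliance's address by host or network firewall rules, and that source addresses on UDP syslog are trivially spoofable and should not be treated as evidence of origin. It is also worth a one-line comment that `source` must match the manifest's `source_type_name` (`barracuda_secure_edge` in the manifest hunk of this diff); a different value silently routes the logs past the integration's pipeline, which is exactly the failure a security-log source should not have silently.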
@@ -0,0 +1,63 @@
+{
+ "manifest_version": "2.0.0",
+ "app_uuid": "c0acbaef-4769-4ea9-aa77-b208440f9303",
+ "app_id": "barracuda-secure-edge",
+ "display_on_public_website": false,
+ "tile": {
+ "overview": "README.md#Overview",
+ "configuration": "README.md#Setup",
+ "support": "README.md#Support",
+ "changelog": "CHANGELOG.md",
+ "description": "SecureEdge is a unified SASE platform that includes NGFW, zero trust and secure SD-WAN",
+ "title": "barracuda_secure_edge",
+ "media": [
+ {
+ "media_type": "image",
+ "caption": "Barracuda SecureEdge Overview",
+ "image_url": "images/secure_edge_overview.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Other Event types of SecureEdge",
+ "image_url": "images/secureEdge1.png"
+ },
+ {
+ "media_type": "image",
+ "caption": "Some more Events types of SecureEdge",
+ "image_url": "images/secureEdge2.png"
+ }
+ ],
+ "classifier_tags": [
+ "Supported OS::Linux",
+ "Supported OS::Windows",
+ "Supported OS::macOS",
+ "Category::Log Collection",
+ "Category::Security",
+ "Offering::Integration",
+ "Queried Data Type::Logs",
+ "Submitted Data Type::Logs"
+ ]
+ },
+ "assets": {
+ "integration": {
+ "auto_install": true,
+ "source_type_id": 48860633,
+ "source_type_name": "barracuda_secure_edge",
+ "configuration": {
+ "spec": "assets/configuration/spec.yaml"
+ },
+ "events": {
+ "creates_events": false
+ }
+ },
+ "dashboards": {
+ "Barracuda Secure Edge overview": "assets/dashboards/barracuda_secure_edge_overview.json"
+ }
+ },
+ "author": {
+ "support_email": "help@datadoghq.com",
+ "name": "Datadog",
+ "homepage": "https://www.datadoghq.com",
+ "sales_email": "info@datadoghq.com"
+ }
+}
diff --git a/barracuda_secure_edge/pyproject.toml b/barracuda_secure_edge/pyproject.toml
new file mode 100644
index 0000000000000..8936762a489ce
--- /dev/null
+++ b/barracuda_secure_edge/pyproject.toml
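Review bot: `"title": "barracuda_secure_edge"` in the `tile` object is the package identifier rather than a display name, and the two media captions `Other Event types of SecureEdge` and `Some more Events types of SecureEdge` do not say what the screenshots show. I would use `"title": "Barracuda SecureEdge"`, matching the wording of `description`, and give each caption the event category or dashboard panel it depicts, since the tile is the first thing a user evaluating a security log source reads. The `support` anchor `README.md#Support` presumably matches a heading in the README; that section is not visible in this part of the diff, so confirm it exists.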
@@ -0,0 +1,59 @@
+[build-system]
+requires = [
+ "hatchling>=0.13.0",
+]
+build-backend = "hatchling.build"
+
+[project]
+name = "datadog-barracuda-secure-edge"
+description = "The barracuda_secure_edge check"
+readme = "README.md"
+license = "BSD-3-Clause"
+keywords = [
+ "datadog",
+ "datadog agent",
+ "datadog check",
+ "barracuda_secure_edge",
+]
+authors = [
+ { name = "Datadog", email = "packages@datadoghq.com" },
+]
+classifiers = [
+ "Development Status :: 5 - Production/Stable",
+ "Intended Audience :: Developers",
+ "Intended Audience :: System Administrators",
+ "License :: OSI Approved :: BSD License",
+ "Private :: Do Not Upload",
+ "Programming Language :: Python :: 3.12",
+ "Topic :: System :: Monitoring",
+]
+dependencies = [
+ "datadog-checks-base>=4.2.0",
+]
+dynamic = [
+ "version",
+]
+
+[project.optional-dependencies]
+deps = []
+
+[project.urls]
+Source = "https://github.com/DataDog/integrations-core"
+
+[tool.hatch.version]
+path = "datadog_checks/barracuda_secure_edge/__about__.py"
+
+[tool.hatch.build.targets.sdist]
+include = [
+ "/datadog_checks",
+ "/tests",
+ "/manifest.json",
+]
+
+[tool.hatch.build.targets.wheel]
+include = [
+ "/datadog_checks/barracuda_secure_edge",
+]
+dev-mode-dirs = [
+ ".",
+]
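Review bot: `"Development Status :: 5 - Production/Stable"` in `classifiers` contradicts `__version__ = '0.0.1'` and the `Initial Release` changelog entry elsewhere in this diff; unless the repository template mandates that classifier, `"Development Status :: 4 - Beta"` is the honest label for a first release. `"Private :: Do Not Upload"` should stay as-is, since it is the guard that makes an accidental `twine upload` of this internal package fail. The floors `hatchling>=0.13.0` and `datadog-checks-base>=4.2.0` have no upper bound; presumably the wheel is built from the repository's pinned environment, but if it is ever built outside it, a floor that old resolves to whatever major version is current, so confirm those pins are enforced somewhere.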