This application was designed to give users usable data surrounding the requests being sent to their Barracuda Web Filter. It was built using data from a Barracuda Web Filter 310; although the access log format should be the same across the Barracuda Web Filter family of appliances, I cannot guarantee it will work with other models.
1. You have enabled syslog logging on your Web Filter appliance.
2. The logs are being ingested by Splunk and given the sourcetype name "barracuda".
3. You are using LDAP authentication. If you are not, you may need to tweak the stanza named barracuda_without_ldap in transforms.conf.
Reports in this Application:
Blocked/Allowed Traffic Reports:
You can also use the "Log Search" tab to manually search the logs using the defined categories.
1. Configure a setup screen to change sourcetype name and/or specify an index
2. Add summary indexes for some of the reports
Small fixes for lookups.
Updates in version 1.7:
- New "Threat Intelligence" tab that will be used to collect external threat intelligence feeds and provide insight on any correlations that are found in your event data. Currently has support for phishtank.com through a scripted input that runs every 24 hours. More to be added soon.
- Updates to the regexes in transforms.conf
- Sourcetype renaming was added to match Barracuda Web Filter syslog events and rename their sourcetype to "barracuda"
Some more clean up of the app. No major changes/fixes.
This release addresses two issues:
1. Saved search "Blocked Users by Requests" could not be found
2. Same values were appearing for "Top 10 Blocked Users" and "Top 10 Users by Allowed Requests"
Credit goes to Kirk G. from TekSecure Labs for finding the issues.
Very minor fix that was missed in last release
- Updated the log search page to properly incorporate the Action field and display it in the results.
- Fixed two blocked reports in the activity by domain dashboard that were improperly labelled.
- Changed the bandwidth by day report to be over the last 7 days by default.
- Added Blocked traffic
- Separated menus into "Allowed" and "Blocked" traffic
- Added action type (blocked/allowed) to the log search dashboard
- Reorganized the reports on each dashboard
- Added a specific "Bandwidth Usage" dashboard
- Results will update when a new date/time frame is selected from the drop-down menu
- Added category definitions so the user can reference what criteria makes up a given category.
- Fixed font type so it's a little prettier
- Changed the title on one of the charts
- Removed the defined time bucket on the Bandwidth Usage search.