Understanding Syslog Messages for the Barracuda Web Filter

Understanding Syslog Messagesfor the Barracuda Web FilterOverviewThis document describes each element of a syslog message so you can better analyze whyyour Barracuda Web Filter performs a particular action for each traffic request.The Barracuda Web Filter uses syslog messages to log what happens to each traffic requestperformed by your users. The syslog messages are sent to a text file on the Barracuda WebFilter, as well as to a remote server specified by the Barracuda Web Filter administrator.Enabling SyslogTo enable syslog reporting on your Barracuda Web Filter, go to the Advanced > Syslogpage in the admin interface, and enter the IP address of the syslog server that you want todirect messages to. If you are running syslog on a UNIX machine, be sure to start the syslogdaemon process with the “-r” option so that it can receive messages from sources other thanitself. Windows users will have to install a separate program to use syslog because theWindows OS does not include syslog capabilities. Kiwi Syslog is a popular solution, butmany others are available that are both free and commercial.Syslog messages are sent to the standard syslog UDP port 514. If there are any firewallsbetween the Barracuda Web Filter and the server receiving the syslog messages, be surethat port 514 is open on the firewalls. The syslog messages arrive on the mail facility at thedebug priority level. As the Barracuda Web Filter uses the syslog messages internally for itsown message logging, it is not possible to change the facility or the priority level. For moreinformation about where the syslog messages will be placed, refer to the documentation ofyour syslog server.Syslog FormatEach syslog message contains three types of information:• Section 1: Basic Information• Section 2: Transparent Proxy Information• Section 3: Policy Engine InformationThis section identifies each element of the syslog using based on the following example:Sep 19 17:07:07 Barracuda httpscan[3365]: 1158710827 1 10.1.1.8 172.27.72.27 text/html 10.1.1.8http://www.sex.com/ 2704 3767734cc16059e52447ee498d31f822 ALLOWED CLEAN 2 1 0 1 3 - 1 adult 0 - 0sex.com adult,porn ANONUnderstanding the Syslog Messages 1

Syslog ExamplesThis section shows three syslog examples.Example 1. Clean, policy-allowed trafficThe following example shows a syslog message for clean traffic going to an allowed Website (CNN.com). The term “clean” represents traffic that does not contain viruses or spyware.Sep 19 17:06:59 Barracuda httpscan[3365]: 1158710819 1 10.1.1.8 64.236.16.139 image/gif 10.1.1.8http://i.cnn.net/cnn/.element/img/1.3/video/tab.middle.on.gif 1744 3767734cc16059e52447ee498d31f822ALLOWED CLEAN 2 0 0 0 0 - 0 - 0 - 0 cnn.net news ANONExample 2: Clean, policy-denied trafficThe following example shows “clean” traffic going to a Web site that is blocked by one of theBarracuda Web Filter policies. In this example, the web site sex.com is blocked by the…Sep 19 17:07:07 Barracuda httpscan[3365]: 1158710827 1 10.1.1.8 172.27.72.27 text/html 10.1.1.8http://www.sex.com/ 2704 3767734cc16059e52447ee498d31f822 ALLOWED CLEAN 2 1 0 1 3 - 1 adult 0 - 0sex.com adult,porn ANONUnderstanding the Syslog Messages 2

Example 3: Virus-infected traffic blocked by the Barracuda Web FilterThe following example shows traffic that has been blocked by the Barracuda Web Filterbecause the traffic contains a known virus.Sep 19 17:08:00 Barracuda httpscan[3365]: 1158710880 1 10.1.1.8 127.0.0.1 - 10.1.1.8http://www.eicar.org/download/eicar.com.txt 0 3767734cc16059e52447ee498d31f822 BLOCKED VIRUSstream=>Eicar-Test-Signature FOUND 2 0 0 0 0 - 0 - 0 - 0 eicar.org computing-technology ANONDetailed DescriptionThe following table describe each element of a syslog message.Field Name Example DescriptionEpoch Time 1158710827 Seconds since 1970, unix timestamp.Src IP 10.1.1.8 IP address of the client.Dest IP 172.27.72.27(72.32.54.242) IP address for the page that was blocked by theBarracuda Web Filter.Content Type text/html HTTP header designated content type.Src IP 10.1.1.8 IP address of the client.DestinationURLhttp://www.sex.comThe URL the client tried to visit.Data Size 2704 The size of the content.MD5 anchor 37…22 The anchor used for parsing. This information is notusually important.Action ALLOWED Action performed by the transparent proxy. The type ofactions include:• ALLOWED: Traffic was processed by thetransparent proxy and no virus or spyware wasdetected.• BLOCKED: Traffic was blocked by the transparentproxy most likely because the proxy detected virusor spyware.• DETECTED: Another process detected outboundspyware activity.Reason CLEAN Reason for the action:• CLEAN: Traffic does not contain any virus orspyware.• VIRUS: Traffic was blocked because it contains avirus.• SPYWARE: Traffic was blocked because itcontained spyware.Details(only forblocked traffic)Stream=>Eicar-Test-Signature FOUNDThe name of the virus or spyware that was detected inthe blocked traffic.Understanding the Syslog Messages 3

Field Name Example DescriptionFormat Ver 2 The version of the policy engine output. The most current 3.0 firmwareuses policy engine version 2.Match flag 1 Whether an existing policy matched the traffic. 1=Yes and 0=No.TQ flag 0 Whether the rule is time-qualified. For Example, during work hours 9am -5pm. 1=Yes and 0=No.Action Type 1 The action performed by the policy engine on this request:0 : allowed1 : denied2 : redirected3 : rewrote by add/set a new parameter in query4 : rewrote by delete an existing parameter in query5 : matched a rule and allowed but marked as monitored6 : branched to another rule set.Src Type 3 If matched by source, what is its type:0 : always, matches any source1 : group, matched by group id2 : ipv4addr, matched by an Ipv4 address3 : login, matched by login4 : login any, matched any authenticated user5 : min_score, matched due to minimum infection threshold breached.Src Detail - Any detail related to the matched source.Dst Type 1 If matched by destination, what is its type?0 : always, matched any destination1 : category, matched a particular category2 : category any, matched any category3 : domain, matched due to domain or subdomain4 : mimetype, matched due to mime-type5 : spyware hit, matched due to spyware hit6 : uri path regex, matched URI path7 : uri regex, matched any part of the URI8 : application, matches an application charactersticsDst Detail adult Detail of the matched destination. In this case it is the first matchedcategory, which is adult.Spy Type 0 If it is a spyware hit, what is its type:0: allow1: block2: infectionSpy ID - The name of the spyware if matched due to spyware hit.InfectionScore0 Weight of the infection. Currently, mostly 0.MatchedPartMatchedCategorysex.comadult,pornThe part of the rule that matched.The policy category that matched the traffic?Understanding the Syslog Messages 4

User Info ANON User information:• ANON: Anonymous, unauthenticated users• ldap: Username: LDAP user info• username: Non-LDAP user info (users created create in the admininterface).Understanding the Syslog Messages 5