This document explains how to collect Barracuda Web Application Firewall (WAF) logs using Bindplane. The parser extracts fields from logs in JSON and Syslog formats, normalizes them, and maps them to the Unified Data Model (UDM). It handles various log types (traffic, web firewall) and performs conditional transformations based on field values, including IP address/hostname resolution, directionality mapping, and severity normalization.
Before you begin
Ensure that you have a Google Security Operations instance.
Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
If running behind a proxy, ensure firewall ports are open.
Ensure that you have privileged access to the Barracuda WAF.
Get Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the
system where Bindplane will be installed.
Get Google SecOps customer ID
Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Windows installation
Open the Command Prompt or PowerShell as an administrator.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
Access the configuration file:
Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
Open the file using a text editor (for example, nano, vi, or Notepad).
Edit the config.yaml file as follows:
receivers:tcplog:# Replace the port and IP address as requiredlisten_address:"0.0.0.0:54525"exporters:chronicle/chronicle_w_labels:compression:gzip# Adjust the path to the credentials file you downloaded in Step 1creds:'/path/to/ingestion-authentication-file.json'# Replace with your actual customer ID from Step 2customer_id:<customer_id>
endpoint:malachiteingestion-pa.googleapis.com# Add optional ingestion labels for better organizationingestion_labels:log_type:SYSLOGnamespace:barracuda_wafraw_log_field:bodyservice:pipelines:logs/source0__chronicle_w_labels-0:receivers:-tcplogexporters:-chronicle/chronicle_w_labels
Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
To restart the Bindplane agent in Linux, run the following command:
sudosystemctlrestartbindplane-agent
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Barracuda WAF
Sign in to the Barracuda WAF console using administrator credentials.
Click the Advanced tab > Export logs.
In the Export logs section, click Add export log server.
Provide the following values:
Name: enter a name for the Google SecOps forwarder.
Log server type: select Syslog.
IP Address or hostname: enter the Bindplane IP address.
Port: enter the Bindplane port.
Connection type: select TCP connection type (TCP is recommended. However, UDP or SSL protocols can also be used).
Validate server certificate: select No.
Client certificate: select None.
Log timestamp and hostname: select Yes.
Click Add.
UDM Mapping Table
Log Field
UDM Mapping
Logic
action
security_result.action
If action is DENY, set to BLOCK. Otherwise, set to ALLOW (specifically for WF log type). Also used for generic firewall events.
appProtocol
network.application_protocol
If appProtocol matches TLSv, set to HTTPS. Otherwise, use the value of appProtocol.
attackDetails
security_result.description
Extracted from the raw log for WF log type.
attackType
security_result.summary
Part of the security_result.summary, combined with ruleType.
bytesReceived
network.received_bytes
Converted to unsigned integer and mapped for TR log type.
bytesSent
network.sent_bytes
Converted to unsigned integer and mapped for TR log type.
hostName
target.hostname
If hostName is not an IP address, use its value. Otherwise, it's merged into target.ip.
httpMethodloginId
principal.user.userid
Mapped for TR log type when not equal to emptyToken.
logType
metadata.product_event_type
If TR, set metadata.product_event_type to Barracuda Access Log. If WF, set to Barracuda Web Firewall Log.
message
metadata.description
Used when desc is not empty.
referrer
network.http.referral_url
Mapped for TR log type when not equal to emptyToken.
responseCode
network.http.response_code
Converted to integer and mapped for TR log type.
rule
security_result.rule_name
Mapped for WF log type.
ruleType
security_result.summary
Part of the security_result.summary, combined with attackType.
sec_desc
security_result.rule_name
Used for generic firewall events.
server
target.ip
Merged into target.ip.
serv
target.ip
Merged into target.ip.
severity
security_result.severity
For WF log type: Converted to uppercase. If EMERGENCY, ALER, or CRITICAL, set security_result.severity to CRITICAL. If ERROR, set to HIGH. If WARNING, set to MEDIUM. If NOTICE, set to LOW. Otherwise, set to INFORMATIONAL.
src
principal.ip
Also used for generic firewall events and some status updates.
Combined with tz and parsed to create the event timestamp. The seconds and nanos are extracted and populated in the respective fields.
urlurlParams
target.url
Appended to url if not equal to emptyToken for TR log type.
userAgentuserName
target.user.userid, target.user.user_display_name
Used for generic firewall events. If not equal to emptyToken for TR log type, mapped to target.user.user_display_name. Hardcoded to Barracuda. Set to NETWORK_HTTP if both src and target are present. Set to STATUS_UPDATE if only src is present. Set to GENERIC_EVENT as a default or for other scenarios like CEF parsing. Hardcoded to BARRACUDA_WAF.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide explains how to collect and forward Barracuda Web Application Firewall (WAF) logs to Google Security Operations (SecOps) using the Bindplane agent, supporting both JSON and Syslog formats.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves downloading an ingestion authentication file and customer ID from the Google SecOps console, installing the Bindplane agent on either a Windows or Linux system, and configuring it to send Syslog data.\u003c/p\u003e\n"],["\u003cp\u003eThe Bindplane agent normalizes extracted fields from the logs and maps them to the Unified Data Model (UDM), including conditional transformations for IP/hostname resolution, directionality, and severity.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration steps include modifying the \u003ccode\u003econfig.yaml\u003c/code\u003e file to define log receivers, exporters, and ingestion parameters, ensuring proper customer ID and authentication file path details are inserted.\u003c/p\u003e\n"],["\u003cp\u003eThe Barracuda WAF console should be configured to forward logs to Bindplane via Syslog over a specified IP address and port using the recommended TCP connection type.\u003c/p\u003e\n"]]],[],null,["# Collect Barracuda WAF logs\n==========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to collect Barracuda Web Application Firewall (WAF) logs using Bindplane. The parser extracts fields from logs in JSON and Syslog formats, normalizes them, and maps them to the Unified Data Model (UDM). It handles various log types (traffic, web firewall) and performs conditional transformations based on field values, including IP address/hostname resolution, directionality mapping, and severity normalization.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that you have privileged access to the Barracuda WAF.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall the Bindplane agent\n---------------------------\n\n### Windows installation\n\n1. Open the **Command Prompt** or **PowerShell** as an administrator.\n2. Run the following command:\n\n msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet\n\n### Linux installation\n\n1. Open a terminal with root or sudo privileges.\n2. Run the following command:\n\n sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh\n\n### Additional installation resources\n\n- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure the Bindplane agent to ingest Syslog and send to Google SecOps\n------------------------------------------------------------------------\n\n1. Access the configuration file:\n\n 1. Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.\n 2. Open the file using a text editor (for example, `nano`, `vi`, or Notepad).\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the port and IP address as required\n listen_address: \"0.0.0.0:54525\"\n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the path to the credentials file you downloaded in Step 1\n creds: '/path/to/ingestion-authentication-file.json'\n # Replace with your actual customer ID from Step 2\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # Add optional ingestion labels for better organization\n ingestion_labels:\n log_type: SYSLOG\n namespace: barracuda_waf\n raw_log_field: body\n\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Replace the port and IP address as required in your infrastructure.\n\n4. Replace `\u003ccustomer_id\u003e` with the actual customer ID.\n\n5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the\n [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/barracuda-waf#get-auth-file) section.\n\nRestart the Bindplane agent to apply the changes\n------------------------------------------------\n\n- To restart the Bindplane agent in Linux, run the following command:\n\n sudo systemctl restart bindplane-agent\n\n- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:\n\n net stop BindPlaneAgent && net start BindPlaneAgent\n\nConfigure Barracuda WAF\n-----------------------\n\n1. Sign in to the **Barracuda WAF** console using administrator credentials.\n2. Click the **Advanced tab \\\u003e Export logs**.\n3. In the **Export logs** section, click **Add export log server**.\n4. Provide the following values:\n - **Name**: enter a name for the Google SecOps forwarder.\n - **Log server type** : select **Syslog**.\n - **IP Address or hostname** : enter the `Bindplane` IP address.\n - **Port** : enter the `Bindplane` port.\n - **Connection type** : select `TCP` connection type (TCP is recommended. However, UDP or SSL protocols can also be used).\n - **Validate server certificate** : select **No**.\n - **Client certificate** : select **None**.\n - **Log timestamp and hostname** : select **Yes**.\n - Click **Add**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
