Bug in barracuda_waf parser

[ehlo550]

What is the sc4s version ?
3.37.0

Describe the bug
As mentioned in the slack community.
When trying to onboard syslogs from Cisco CIMC the logs are identified as barracuda_waf due to the program being AUDIT.

Sample Log from Cisco CIMC:

<37>Sep 16 10:51:14 hostname001 AUDIT[2386]: Login failed (ip:192.168.12.230, service:webgui) due to invalid password

Splunk Case: 3852195

[sbylica-splunk]

Can we get the pcap file / user configuration?

On a quick glance it doesn't look like a proper CIMC log, you can check the proper structure here:
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/monitoring/guide/b_Monitoring_Cisco_IMC_Using_Syslog/b_Monitoring_Cisco_IMC_Using_Syslog_chapter_01.pdf

[ehlo550]

Hi @sbylica-splunk ,

I have uploaded the capture.
I also noticed that the current CIMC parser expects a different kind of logs.

I can show you what I am doing ( we can do a zoom/webex for example).

My guess would be that it emits different types of logs and maybe things also changed over time but I am not a server guy.

The doc even states that there are three types of syslog:
There are three kinds of syslog entries:
• Faults
• Events
• Audit logs

--> I can try to produce a fault that might emit a %CIMC message <--

Thats what I configured in the GUI

The product in this case is a UCSC-C220-M5SN but we also have others.

As the issue happens with a blank config, I don't think that it is necessary.
I just had some envs and and index routing in metadata configured.

Regards
Stefan

[sbylica-splunk]

Hi @ehlo550 sorry for a late reply, I was pulled into another case.
Yeah if you can produce a fault which would create a valid %CIMC log it would help me.
Also do you have access to local logs by chance? We could try to compare them with the ones send to sc4s.

Regards, Szymon

[ehlo550]

hi @sbylica-splunk ,

I was unable to produce a %CIMC log.
I removed one power supply and it produced a fault.

I have full access to a host and we can definitely do a meeting.

Please reach out to me via the case.
Regards
Stefan

[sbylica-splunk]

Hi @ehlo550 I can join a meeting this Thursday or some other day next week, 9:00AM - 5:00PM Central European Time.
Do you have any preferred timeslot?

[ehlo550]

Hi,
I would have time for example between:
07 Oct: 1300 - 1600
08 Oct: 0900 - 1600
Regards
Stefan

[sbylica-splunk]

@ehlo550

Lets say 08 Oct at 13:00 CET, is this ok for you?

Regards, Szymon

[sbylica-splunk]

We've had a debugging session yesterday, and here are our findings:

1. Looks like the source of the issue is somewhere on the server/cisco side of things. The logs are not correctly parsed by a cisco_cimc parser because they lack proper structure for this kind of log. Customer will open an issue with cisco on their side.

2. The easiest workaround would be to adjust barracuda_waf parser (since some of the logs incorrectly get accepted by this one) to not catch the logs with 'AUDIT' in them, and also use unique port for the problematic logs (https://splunk.github.io/splunk-connect-for-syslog/main/sources/#filtering-by-an-extra-product-description) to set their fields to match cisco cimc.

3. Adjusted app-almost-syslog-barracuda_waf parser could look something like this:

(...)
 regexp-parser(
   prefix(".tmp.")
   patterns('^(?<pri>\<\d+\>)(?: *)(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} (\+|-)\d{4})\s{1,2}(?<host>[^ ]+) (?<log_type>(SYS|WF|TR|NF)) (?<message>.*)')
);
(...)

Simply removed the 'AUDIT' part of regex. More long term solution would require adding conditions for the latter part of a log message, unfortunately according to the docs (https://campus.barracuda.com/product/webapplicationfirewall/doc/92767349/exporting-log-formats/) everything after log_type is inconsistent and we cannot assume that these parts will always exist.
If the customer isn't actually using any barracuda logs I think that adding another word after log_type (that could be a log level or ip or something else) would also work as a filter. So (?<log_info>\S+) between log_type and message itself.

Regards, Szymon

[ehlo550]

ad 1) I have finally opened a case.

ad 2& 3) I see myself doing this and then getting a new customer that has a barracuda_waf
A more long term solution would be appreciated. Why not VPS for barracuda_waf ?

[sbylica-splunk]

What kind of VPS would work here?
Regarding 1 - let me know if they respond, this is something that could be relevant to us too

Regards, Szymon

[ehlo550]

My thought was that the barracuda parser is wrong and instead of the words like "AUDIT" it might be necessary to fallback to a VPS there. I mean there are many sources where we need to create a VPS, right?