Splunk for Barracuda Web Filter

Description

Barracuda Web Filter App for Splunk

This application was designed to give users usable data surrounding the requests being sent to their Barracuda Web Filter. The application was designed using data from a Barracuda Web Filter 310, even though the access logs should be universal across the Barracuda Web Filter family of appliances I cannot guarentee it will work with other versions.

Pre-deployment Assumptions:

1. You have enabled syslog logging on your Web Filter appliance.
2. The logs are being absorbed by Splunk and given a sourcetype name "barracuda"
3. You are using LDAP authentication. If you are not you may need to tweak the stanza named barracuda_without_ldap in transforms.conf

Reports in this Application:

• Top Users by Spyware Type
• Top Domains by Spyware Type
• Top Spyware Types
• Top Source IPs by Spyware Type
• Weekly Bandwidth Usage
• Top Ten Bandwidth Consumers by User ID
• Bandwidth Consumed by Hour of Day
• Bandwidth Consumed by Day of Week
• Domains by Bandwidth Consumed
• Users by Bandwidth Consumed
• Content Type by Bandwidth Consumed
• Source IP by Bandwidth Consumed
• Dest IP by Bandwidth Consumed

Blocked/Allowed Traffic Reports:

• Domains by # of Requests
• Domains by Category
• Top Domains Accessed by User
• Most Accessed Content Type by Domain
• Most Accessed Category by Domain
• Users by # of Requests
• Categories by # of Requests
• Top Category per User
• Top Content Types
• Source IPs by # of Requests
• Dest IPs by # of Requests
• Requests by Hour of Day
• Requests by Day of Week

You can also use the "Log Search" tab to manually search the logs using the defined categories.

TODO:

1. Configure a setup screen to change sourcetype name and/or specify an index
2. Add summary indexes for some of the reports