This application was designed to give users usable data about the requests being sent to their Barracuda Web Filter. It was built using data from a Barracuda Web Filter 310; although the access logs should be universal across the Barracuda Web Filter family of appliances, I cannot guarantee it will work with other models. This app is freely available on Splunkbase here:
http://splunk-base.splunk.com/apps/31192/splunk-for-barracuda-web-filter
Pre-deployment Assumptions:
1. You have enabled syslog logging on your Web Filter appliance.
2. The logs are being ingested by Splunk and given the sourcetype name “barracuda”.
3. You are using LDAP authentication. If you are not, you may need to tweak the stanza named barracuda_without_ldap in transforms.conf.
Reports in this Application:
- Top Users by Spyware Type
- Top Domains by Spyware Type
- Top Spyware Types
- Top Source IPs by Spyware Type
- Weekly Bandwidth Usage
- Top Ten Bandwidth Consumers by User ID
- Bandwidth Consumed by Hour of Day
- Bandwidth Consumed by Day of Week
- Domains by Bandwidth Consumed
- Users by Bandwidth Consumed
- Content Type by Bandwidth Consumed
- Source IP by Bandwidth Consumed
- Dest IP by Bandwidth Consumed
Blocked/Allowed Traffic Reports:
- Domains by # of Requests
- Domains by Category
- Top Domains Accessed by User
- Most Accessed Content Type by Domain
- Most Accessed Category by Domain
- Users by # of Requests
- Categories by # of Requests
- Top Category per User
- Top Content Types
- Source IPs by # of Requests
- Dest IPs by # of Requests
- Requests by Hour of Day
- Requests by Day of Week
You can also use the “Log Search” tab to manually search the logs using the defined categories.
TODO:
1. Configure a setup screen to change sourcetype name and/or specify an index
2. Add summary indexes for some of the reports