|
| 1 | +# Agent Integration: barracuda_secure_edge |
| 2 | + |
| 3 | +## Overview |
| 4 | + |
| 5 | +Barracuda Secure Edge is a unified Secure Access Service Edge (SASE) platform that includes Next-Generation Firewall (NGFW), zero trust, and secure Software-Defined Wide Area Network (SD-WAN) capabilities. This integration allows you to collect and analyze logs from your [barracuda_secure_edge][4] deployment to monitor security events, network traffic, and system activity. |
| 6 | + |
| 7 | +## Setup |
| 8 | +1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` with: |
| 9 | + |
| 10 | + ```yaml |
| 11 | + logs_enabled: true |
| 12 | + ``` |
| 13 | +2. Add this configuration block to your `secure_edge.d/conf.yaml` file to start collecting your SecureEdge logs: |
| 14 | + |
| 15 | + ```yaml |
| 16 | + logs: |
| 17 | + - type: file |
| 18 | + path: /var/log/log_type.log |
| 19 | + source: barracuda_secure_edge |
| 20 | + service: <SERVICE_NAME> |
| 21 | + tags: |
| 22 | + - log_component:tag_component_name |
| 23 | + - type: file |
| 24 | + path: /var/logs/other_log_type.log |
| 25 | + source: barracuda_secure_edge |
| 26 | + service: <SERVICE_NAME> |
| 27 | + tags: |
| 28 | + - log_component:other_tag_component_name |
| 29 | + ``` |
| 30 | + |
| 31 | + Change the `path` and `service` parameter values for your environment. Define multiple file sources in the configuration file as shown above. For each of the file sources, pre-defined tag needs to be added to those logs as follows: |
| 32 | + |
| 33 | + ``` |
| 34 | + - box_Auth_access -> log_component:auth |
| 35 | + - box_Event_eventS, box_Event_operative -> log_component:system |
| 36 | + - box_Config_admin, box_Config_changes, box_Config_sync, box_Control_admin, box_Control_AuthService -> log_component:admin |
| 37 | + - box_Firewall, box_Firewall_Activity -> log_component:firewall |
| 38 | + - box_Network_dhcp -> log_component:dhcp |
| 39 | + - box_Network_activation -> log_component:network |
| 40 | + - box_System_mgmaccess -> log_component:access |
| 41 | + - box_SSH_sshd, box_SSH_config -> log_component:ssh |
| 42 | + - srv_CSC_VPN, srv_CSC_VPN_sslvpn -> log_component:vpn |
| 43 | + ``` |
| 44 | +
|
| 45 | +3. [Restart the Agent][3]. |
| 46 | +
|
| 47 | +### Installation |
| 48 | +
|
| 49 | +The barracuda_secure_edge check is included in the [Datadog Agent][2] package. |
| 50 | +
|
| 51 | +### Prerequisites |
| 52 | +
|
| 53 | +1. Administrative access to Barracuda Secure Edge installed on your server. |
| 54 | +2. The Datadog Agent installed and running (on a server or container that can receive syslog messages). |
| 55 | +3. Network Access between the firewall and the Datadog Agent (usually port 514, but may be a custom value). |
| 56 | +4. Syslog support enabled in the Datadog Agent (with a TCP or UDP listener configured). |
| 57 | +
|
| 58 | +### Validation |
| 59 | +
|
| 60 | +1. Confirm the Datadog Agent is listening on the correct port (`514` in the following examples): |
| 61 | + |
| 62 | + `sudo netstat -tunlp | grep 514` |
| 63 | + |
| 64 | + If using TCP and UDP listeners, use the following command: |
| 65 | + |
| 66 | + `sudo lsof -i :514` |
| 67 | + |
| 68 | +2. Confirm logs are reaching the Agent from the correct log source: |
| 69 | + |
| 70 | + `tail -f /var/phion/logs/*.log` |
| 71 | + |
| 72 | + **Note**: If the file doesn't exist, verify that syslog logs are being written by your configuration. |
| 73 | + |
| 74 | +3. Use the tcpdump command to confirm network traffic on the Datadog Agent host: |
| 75 | + |
| 76 | + `sudo tcpdump -i any port 514` |
| 77 | + |
| 78 | +After running this command, you should see traffic from the Secure Edge IP address. If you don't see any such traffic, check the firewall rules between Secure Edge and the Datadog Agent. Confirm the correct protocol (UDP or TCP) is being used on both sides. |
| 79 | +4. Check the Datadog [Live Tail][5] for logs from the source and service you defined in the `conf.yaml` file. |
| 80 | +5. After following these steps, you can create a test log on the firewall by triggering an event. |
| 81 | +6. Check for tags or facets to use for better filtering based on the required data. |
| 82 | + |
| 83 | +## Data Collected |
| 84 | + |
| 85 | +### Metrics |
| 86 | + |
| 87 | +The Barracuda_Secure_Edge integration does not include any metrics. |
| 88 | + |
| 89 | +### Logs |
| 90 | +The Barracuda Secure Edge integration collects logs containing the following types of information: |
| 91 | +- **Security Events**: Firewall actions (allow/deny), rule matches, and security policy violations |
| 92 | +- **Network Traffic**: Source and destination IPs/ports, protocols, and network interfaces |
| 93 | +- **Authentication**: User login attempts, successes, and failures |
| 94 | +- **VPN Activity**: VPN connection events and status |
| 95 | +- **System Events**: Device status, configuration changes, and system health |
| 96 | + |
| 97 | +### Events |
| 98 | +The Barracuda Secure Edge integration does not include any events. |
| 99 | + |
| 100 | + |
| 101 | +## Troubleshooting |
| 102 | + |
| 103 | +Need help? Contact [Datadog support][1]. |
| 104 | + |
| 105 | +[1]: https://docs.datadoghq.com/help/ |
| 106 | +[2]: /account/settings/agent/latest |
| 107 | +[3]: https://docs.datadoghq.com/agent/guide/agent-commands/#start-stop-and-restart-the-agent |
| 108 | +[4]: https://www.barracuda.com/products/network-protection/secureedge |
| 109 | +[5]: /logs/livetail |
0 commit comments