
Barracuda WAF parsing incorrect sourcetype

Open linkwellken opened this issue 2 years ago • 3 comments

There is no parser for non-cloud Barracuda WAF events in sc4s. The logs appear to be coming in correctly, but they are assigned the wrong sourcetype of nix:syslog.

Sample events from raw log (two events, received back to back):
<134>2022-05-10 14:16:46.869 -0600 waf-den TR 164.159.171.13 443 10.98.44.50 55203 "-" "-" GET TLSv1.2 fws.gov HTTP/1.1 200 1410 725 SERVER DEFAULT UNPROTECTED VALID /themes/custom/fws_gov/favicon.ico 10.98.44.50 55203 51
<134>2022-05-10 14:16:46.981 -0600 waf-den TR 164.159.171.13 443 152.121.53.181 37057 "-" "-" GET TLSv1.2 www.fws.gov HTTP/1.1 200 42967 715 SERVER DEFAULT PROTECTED VALID /sites/default/files/css/css_lZsseX0vXkIoIXZzRygRmsiC8NbeoAIHJSD_WIvc13M.css 152.121.53.181 37057 59

Event in Splunk: 2022-05-10 14:26:35.934 -0600 waf-den TR xx.xx.xx.xx 443 164.159.171.60 40808 "-" "-" GET TLSv1.2 www.fws.gov HTTP/1.1 200 20390 754 SERVER DEFAULT PROTECTED VALID /sites/default/files/styles/small_square/public/banner_images/2021-11/Red-wolf-head-and-shoulders-Credit-B%20Bartel.jpg 164.159.171.60 40808 50

Attached are the pcap and the Splunk output for the Barracuda events coming from sc4s: BarracudaWAF.zip

linkwellken avatar May 10 '22 20:05 linkwellken
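To make the parsing problem concrete, here is an added example (not code from the issue, from SC4S or from Barracuda) that takes the two raw events quoted above, splits them on the syslog `<PRI>` marker, decodes facility and severity, and maps the tokens after the `TR` marker to named fields. The field names in `TR_FIELDS` are assumptions inferred from the sample's positions, not Barracuda's documented names; the sample buffer is constructed from the events in the issue. The point a filter author needs is the part that goes wrong when events land as nix:syslog: the header is ISO-date based rather than RFC 3164, two events can share one buffer, and the quoted `"-"` placeholders must survive tokenisation.

```python
import re
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample: the two events quoted in the issue, concatenated as
# they appeared in the raw log excerpt (second event starts mid-buffer).
RAW_CAPTURE = (
    '<134>2022-05-10 14:16:46.869 -0600 waf-den TR 164.159.171.13 443 10.98.44.50 55203 '
    '"-" "-" GET TLSv1.2 fws.gov HTTP/1.1 200 1410 725 SERVER DEFAULT UNPROTECTED VALID '
    '/themes/custom/fws_gov/favicon.ico 10.98.44.50 55203 51 '
    '<134>2022-05-10 14:16:46.981 -0600 waf-den TR 164.159.171.13 443 152.121.53.181 37057 '
    '"-" "-" GET TLSv1.2 www.fws.gov HTTP/1.1 200 42967 715 SERVER DEFAULT PROTECTED VALID '
    '/sites/default/files/css/css_lZsseX0vXkIoIXZzRygRmsiC8NbeoAIHJSD_WIvc13M.css 152.121.53.181 37057 59'
)

# ASSUMED positional names for the 21 tokens that follow the "TR" marker.
# Inferred from the sample only; verify against the vendor's log format docs.
TR_FIELDS = [
    "service_ip", "service_port", "client_ip", "client_port",
    "login", "cert", "method", "protocol", "http_host", "http_version",
    "status", "bytes_sent", "bytes_received", "cache", "profile",
    "protected", "action", "url", "remote_ip", "remote_port", "time_taken",
]
INT_FIELDS = ("service_port", "client_port", "status", "bytes_sent",
              "bytes_received", "remote_port", "time_taken")

# Header: <PRI> then "YYYY-MM-DD HH:MM:SS.mmm +/-HHMM host LOGTYPE body".
# This is not an RFC 3164 header, which is why a generic syslog
# parser does not recognise the format and falls back to nix:syslog.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<host>\S+) (?P<log_type>[A-Z]+) (?P<body>.*)$"
)


def split_events(buf):
    """Split a buffer holding several messages back to back on the <PRI> marker."""
    return [p.strip() for p in re.split(r"(?=<\d{1,3}>)", buf) if p.strip()]


def parse_event(msg):
    """Parse one Barracuda WAF syslog message; returns None if the header does not match."""
    m = HEADER.match(msg)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    facility, severity = divmod(pri, 8)

    # Numeric offset like -0600 -> tzinfo, then an aware timestamp.
    tz = m["tz"]
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
    ts = ts.replace(tzinfo=offset)

    event = {
        "facility": facility, "severity": severity, "timestamp": ts,
        "host": m["host"], "log_type": m["log_type"],
    }
    if m["log_type"] == "TR":
        # shlex keeps quoted "-" placeholders as single tokens.
        tokens = shlex.split(m["body"])
        if len(tokens) != len(TR_FIELDS):
            event["parse_error"] = f"expected {len(TR_FIELDS)} fields, got {len(tokens)}"
            return event
        event.update(zip(TR_FIELDS, tokens))
        for key in INT_FIELDS:
            event[key] = int(event[key])
    return event


def parse_capture(buf):
    """Parse every message in a buffer, dropping anything that is not a WAF header."""
    return [e for e in (parse_event(m) for m in split_events(buf)) if e is not None]


if __name__ == "__main__":
    for ev in parse_capture(RAW_CAPTURE):
        print(ev["timestamp"].isoformat(), ev["host"], ev["log_type"],
              ev.get("client_ip"), ev.get("method"), ev.get("url"), ev.get("status"))
```

Running it prints one line per event; the `parse_error` branch is what you would alert on when a firmware change adds or removes a column, rather than letting the event fall silently back to a generic sourcetype.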

The provided log is for access logs and we don't have a filter developed for it; it will need to be developed.

rjha-splunk avatar May 17 '22 17:05 rjha-splunk

We started working on it. @linkwellken, regarding the format of the log provided: do we have anything custom on it, or is it the OOB log format?

rjha-splunk avatar May 18 '22 14:05 rjha-splunk

@rjha-splunk There shouldn't be anything custom; it should be the OOB log format. Thank you!

linkwellken avatar May 21 '22 10:05 linkwellken