Barracuda CloudGen Firewall parser is broken (updated query included) #11372

Status: Closed
thom2804 opened this issue Nov 1, 2024 · 5 comments
Labels: Parser specialty review needed

thom2804 commented Nov 1, 2024

Recently I implemented the Barracuda CloudGen Firewall solution in two environments, both of which got a new Barracuda F18B installed.
These firewalls have both been set up to forward their logs to a separate Linux machine, which then forwards the logs over syslog to Sentinel.
The logs are visible in Sentinel, however they are not structured properly and the data connector for Barracuda doesn't pick this data stream up.
Barracuda logs in Sentinel through syslog: [screenshot not reproduced]

As visible in the screenshot above, in my case there is no process name bound to the log messages (probably since it's being forwarded), and the structure of the data is not the same as what the current parser expects. I have attempted to edit the parser to filter on the box_Firewall_Activity keyword instead of the process name, however this still does not parse as expected.
Current parser query:

CGFWFirewallActivitySyslog
| where ProcessName == "box_Firewall_Activity"
| extend
    Type = extract("type=([\\w\\s]+)", 1, SyslogMessage),
    L4Protocol = extract("proto=([\\w\\s]+)", 1, SyslogMessage),
    SourceInterface = extract("srcIF=([\\w\\s]+)", 1, SyslogMessage),
    SourceIP = extract("srcIP=([\\d\\.]+)", 1, SyslogMessage),
    SourcePort = extract("srcPort=([\\d\\s]+)", 1, SyslogMessage),
    SourceMAC = extract("srcMAC=([\\w\\d:]+)", 1, SyslogMessage),
    DestinationIP = extract("dstIP=([\\d\\.]+)", 1, SyslogMessage),
    DestinationPort = extract("dstPort=([\\w\\s]+)", 1, SyslogMessage),
    DestinationService = extract("dstService=([\\w\\s]+)", 1, SyslogMessage),
    DestinationInterface = extract("dstIF=([\\w\\s]+)", 1, SyslogMessage),
    FirewallRule = extract("rule=([\\w\\s\\-]+)", 1, SyslogMessage),
    Info = extract("info=([\\w\\s]+)", 1, SyslogMessage),
    SourceNAT = extract("srcNAT=([\\d\\.]+)", 1, SyslogMessage),
    DestinationNAT = extract("dstNAT=([\\d\\.]+)", 1, SyslogMessage),
    Duration = extract("duration=([\\d]+)", 1, SyslogMessage),
    Count = extract("count=([\\d]+)", 1, SyslogMessage),
    ReceivedBytes = extract("receivedBytes=([\\d]+)", 1, SyslogMessage),
    SentBytes = extract("sentBytes=([\\d]+)", 1, SyslogMessage),
    ReceivedPackets = extract("receivedPackets=([\\d]+)", 1, SyslogMessage),
    SentPackets = extract("sentPackets=([\\d]+)", 1, SyslogMessage),
    User = extract("user=([\\w\\s]+)", 1, SyslogMessage),
    L7Protocol = extract("protocol=([\\w\\s]+)", 1, SyslogMessage),
    Application = extract("application=([\\w\\s]+)", 1, SyslogMessage),
    Target = extract("target=([\\w\\s]+)", 1, SyslogMessage),
    Content = extract("content=([\\w\\s]+)", 1, SyslogMessage),
    URLCategory = extract("urlcat=([\\w\\s]+)", 1, SyslogMessage)

Therefore I created a new query which is able to parse my logs as expected:

Syslog
| where SyslogMessage contains "box_Firewall_Activity"
// split once and index the resulting dynamic array, rather than re-splitting per column
| extend parts = split(SyslogMessage, "|")
| extend
    Action = extract("Block|Allow", 0, SyslogMessage),
    Direction = tostring(parts[0]),
    L4Protocol = tostring(parts[1]),
    PolicyID = tostring(parts[2]),
    SourceIP = tostring(parts[3]),
    SourcePort = tostring(parts[4]),
    SourceMAC = tostring(parts[5]),
    DestinationIP = tostring(parts[6]),
    DestinationPort = tostring(parts[7]),
    SourceInterface = tostring(parts[8]),
    DestinationInterface = tostring(parts[9]),
    FirewallRule = tostring(parts[10]),
    TrafficID = tostring(parts[11]),
    StatusFlags = tostring(parts[12]),
    Count = tostring(parts[13]),
    ReceivedBytes = tostring(parts[14]),
    SentBytes = tostring(parts[15]),
    ReceivedPackets = tostring(parts[16]),
    SentPackets = tostring(parts[17])
| project Action, Direction, L4Protocol, PolicyID, SourceIP, SourcePort, SourceMAC, DestinationIP, DestinationPort, SourceInterface, DestinationInterface, FirewallRule, TrafficID, StatusFlags, Count, ReceivedBytes, SentBytes, ReceivedPackets, SentPackets

[screenshot of the parsed output not reproduced]

I have attempted to save this query in one of the environments as the function code for the current parser, though this doesn't seem to get picked up by the data connector (it's still showing as disconnected). I think an update needs to be performed from the content hub to adjust this change.
Thanks in advance!
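
The pipe-delimited layout that the new query relies on can be exercised offline. The Python below is an added example, not code from this issue or from the Sentinel solution: it mirrors the query's positional mapping (field 0 is passed through verbatim as Direction, exactly as the query does, and the Action regex is the same) over constructed sample lines, and it additionally reports what the KQL query does not: tostring(split(...)[i]) silently yields an empty string when a line is shorter than expected, and a stray "|" inside a value (a rule name, say) shifts every later column without any error. The sample lines, addresses, interface names and rule names are invented; the assumption that the keyword and action sit in the first pipe field is mine, not something the issue states.

```python
import re
from typing import Optional

# Column order taken from the pipe-delimited query in the issue above:
# index i of split(SyslogMessage, "|") -> column name.
CGFW_FIELDS = [
    "Direction", "L4Protocol", "PolicyID", "SourceIP", "SourcePort",
    "SourceMAC", "DestinationIP", "DestinationPort", "SourceInterface",
    "DestinationInterface", "FirewallRule", "TrafficID", "StatusFlags",
    "Count", "ReceivedBytes", "SentBytes", "ReceivedPackets", "SentPackets",
]

# Same pattern as the query's Action column; group 0 is the whole match.
ACTION_RE = re.compile(r"Block|Allow")


def parse_cgfw_activity(syslog_message: str) -> Optional[dict]:
    """Positional parse of one SyslogMessage, mirroring the KQL query.

    Returns None for lines that are not box_Firewall_Activity records.
    Fields beyond the end of the split map to "" (what tostring() of an
    out-of-range dynamic index gives in KQL). 'complete' is True only when
    the field count matches CGFW_FIELDS; 'extra' holds any surplus fields so
    a '|' inside a value does not go unnoticed.
    """
    if "box_Firewall_Activity" not in syslog_message:
        return None
    parts = syslog_message.split("|")
    match = ACTION_RE.search(syslog_message)
    record = {"Action": match.group(0) if match else ""}
    for i, name in enumerate(CGFW_FIELDS):
        record[name] = parts[i] if i < len(parts) else ""
    record["complete"] = len(parts) == len(CGFW_FIELDS)
    record["extra"] = parts[len(CGFW_FIELDS):]
    return record


# Constructed sample lines (assumption: the keyword and action sit in the
# first pipe field, which the query hands through unchanged as Direction).
SAMPLE_OK = (
    "box_Firewall_Activity Allow: FWD|TCP|1|10.0.0.5|51234|00:11:22:33:44:55"
    "|203.0.113.10|443|eth0|eth1|LAN-2-INTERNET|4711|N|1|1024|2048|10|12"
)
# Truncated line: only eight fields, so the later columns come back empty.
SAMPLE_SHORT = (
    "box_Firewall_Activity Block: LIN|UDP|2|10.0.0.7|53|00:11:22:33:44:66"
    "|10.0.0.1|53"
)
# Rule name carrying '|' characters: every column after it is shifted.
SAMPLE_EXTRA = SAMPLE_OK.replace("LAN-2-INTERNET", "LAN|2|INTERNET")
# Unrelated message: not an activity record at all.
SAMPLE_OTHER = "box_Event_Audit some other log line"


def demo() -> dict:
    """Parse the constructed samples and return the records keyed by name."""
    return {
        "ok": parse_cgfw_activity(SAMPLE_OK),
        "short": parse_cgfw_activity(SAMPLE_SHORT),
        "extra": parse_cgfw_activity(SAMPLE_EXTRA),
        "other": parse_cgfw_activity(SAMPLE_OTHER),
    }


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

The 'complete' and 'extra' flags are the point: when the parser is turned into a Sentinel function, a `where array_length(split(SyslogMessage, "|")) != 18` check over a day of data is a cheap way to find out whether the positional assumption actually holds for every record the firewall emits, before any detection is built on the columns.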

@v-sudkharat added the "Parser specialty review needed" label Nov 4, 2024

v-sudkharat (Contributor) commented:

Hi @thom2804, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

v-sudkharat (Contributor) commented:

@thom2804, could you please share the sample logs with us at the mail ID below, so we can check the supported parsing format for it: v-sudkharat@microsoft.com
Thanks!

v-sudkharat (Contributor) commented:

@thom2804, and could you please let us know which solution and parser version you are using?

v-sudkharat (Contributor) commented:

@thom2804, waiting for your response to the above comment. Thanks!

v-sudkharat (Contributor) commented:

Hi @thom2804, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to reopen it at any time. Thank you for your cooperation.
