I recently had a project, where I had to make a snapshot Report in MCAS, by importing the Barracuda F-Series Web Streaming Syslog.
The problem, which I met was that the formatting, expected from MCAS was incorrect. By importing the default unformatted Log:
We see the following Error on the Processing Tab:
So what went wrong ? Well, if we download the sample Logs from Microsoft, we will see that the expected format is as follows:
NG_Firewall[]: 1634860800 1 10.0.6.143 50.31.164.169 text/html 10.0.6.143 insights.newrelic.com 543 BYF ALLOWED CLEAN 2 1 0 0 0 (-) 0 Computing/Technology 0 – 0 insights.newrelic.com Computing/Technology [Ro******@*****so.com] insights.newrelic.com – – 0
NG_Firewall[]: 1634860800 1 10.0.5.66 50.31.164.169 text/html 10.0.5.66 insights.newrelic.com 272 BYF ALLOWED CLEAN 2 1 0 0 0 (-) 0 Computing/Technology 0 – 0 insights.newrelic.com Computing/Technology [Jo***@*****so.com] insights.newrelic.com – – 0
But if we open the Barracuda Logs, we see that the Logs lines begin with the following format:
2021-11-12T00:00:00.000000+00:00 0.0.0.0 NextGen_Firewall[]:
Solution
We need to remove the Date and Time, as well as the initial IP Address, we also need to Rename NextGen_Firewall to NG_Firewall
I did this with a small PowerShell script:
$content=Get-Content -Path "<Path to unformatted File>.log"
$outputfile="<Path for new, formatted file>.log"
foreach($line in $content)
{
if($line.StartsWith("2021")) #or whatever year the logs are from
{
$linecontent=$line -split "\["
$line = $line.Replace($linecontent[0], 'NG_Firewall')
$line | Out-File $outputfile -Append
}
}This script will format the files to an accepted format from MCAS
Afterwards you can import them and analyze the results:
Needless to say, since this is just a test, my logs are not producing any searchable results, but the important this is that the format is recognized as valid 🙂
