Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: Basic Log filtering in LEM?


The syslog from Barracuda calls it: “denied”

So the blocked URL does not work. I did change it to look for denied, and got it to work; however, I don’t know if the ‘denied’ is a universal term they use for everything that is blocked, like blocked streaming media, or etc…

The big thing now has to do with users. It does not recognize user IDs… They are in brackets, which should be really easy to parse… I want to use the built-in LEM widgets, like Top 10 users by # of events, but the users are not recognized.

I believe Barracuda has changed their format, and the LEM connector needs to be updated, or I have not configured the connector correctly or…?

Here is a raw syslog example directly from Barracuda:

Jun 24 06:49:49 2015 CityHemi http_scan[30540]: 1435153789 1 10.151.17.95 72.21.91.8 - 10.151.17.95 http://wac.450f.edgecastcdn.net/80450F/1027kord.com/wp-content/plugins/social-sharing/resources/css/social-overlay.css?ver=b5a0247934ad9016271fad89d59cac2e806b19b0 431 BYF ALLOWED CLEAN  2 1 0 5 4 1 computing-technology 0 - 0 wac.450f.edgecastcdn.net computing-technology   http://1027kord.com/see-where-the-latest-and-greatest-round-a-bo 1027kord.com streaming-media 0

Jun 24 06:53:02 2015 CityHemi http_scan[30540]: 1435153982 1 10.154.20.11 63.135.49.141 image/jpeg 10.154.20.11 http://cokcam1.thinkfirefly.com/camera0.jpg 144476 BYF ALLOWED CLEAN  2 1 0 5 3 1 - 0 - 0 cokcam1.thinkfirefly.com -   http://cokcam1.thinkfirefly.com/ - - 0

Jun 24 06:53:02 2015 CityHemi http_scan[30551]: 1435153982 1 10.156.14.18 72.52.171.112 text/html 10.156.14.18 http://www.libib.com/library/functions/social-feed-all-update.php 547 BYF ALLOWED CLEAN  2 1 0 5 3 1 business 0 - 0 www.libib.com business   http://www.libib.com/library/home www.libib.com business 0

Jun 24 06:53:05 2015 CityHemi http_scan[30540]: 1435153985 1 10.154.19.15 66.119.205.8 text/html 10.154.19.15 http://gadgets.live.com/configW7.xml 532 BYF ALLOWED CLEAN  2 1 0 5 4 1 media-downloads 0 - 0 gadgets.live.com media-downloads    http://gadgets.live.com/configW7.xml - - 0

Jun 24 06:53:05 2015 CityHemi http_scan[30551]: 1435153985 1 10.157.19.58 66.119.205.7 text/html 10.157.19.58 http://gadgets.live.com/configW7.xml 532 BYF ALLOWED CLEAN  2 1 0 5 3 1 media-downloads 0 - 0 gadgets.live.com media-downloads    http://gadgets.live.com/configW7.xml - - 0

Jun 24 06:53:05 2015 CityHemi http_scan[30551]: 1435153985 1 10.157.21.161 66.119.205.7 text/html 10.157.21.161 http://gadgets.live.com/configW7.xml 532 BYF ALLOWED CLEAN  2 1 0 5 4 1 media-downloads 0 - 0 gadgets.live.com media-downloads    http://gadgets.live.com/configW7.xml - - 0

Jun 24 06:53:05 2015 CityHemi http_scan[30551]: 1435153985 1 10.151.19.40 66.119.205.13 application/x-apple-plist 10.151.19.40 http://init-p01st.push.apple.com/bag 6813 BYF ALLOWED CLEAN  2 1 0 5 4 1 computing-technology 0 - 0 init-p01st.push.apple.com computing-technology    http://init-p01st.push.apple.com/bag - - 0
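As an added example (not code from the post, SolarWinds, or Barracuda), here is a small parser that splits lines of the shape quoted above into named fields, counts events per identity for a "Top users" view, counts 'denied' requests per category, and keeps any line that does not fit the layout so a changed vendor format shows up instead of silently dropping events. The field positions are an assumption read off the quoted lines and should be checked against Barracuda's documentation; the sample lines are constructed, and the DENIED line is invented since the post shows only ALLOWED lines.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the Barracuda http_scan syslog quoted in the post.
# The DENIED line is invented for illustration; the last line is deliberately truncated.
SAMPLE = """Jun 24 06:49:49 2015 CityHemi http_scan[30540]: 1435153789 1 10.151.17.95 72.21.91.8 - 10.151.17.95 http://cdn.example.test/a.css 431 BYF ALLOWED CLEAN  2 1 0 5 4 1 computing-technology 0 - 0 cdn.example.test computing-technology   http://site.example.test/ site.example.test streaming-media 0
Jun 24 06:53:02 2015 CityHemi http_scan[30540]: 1435153982 1 10.154.20.11 63.135.49.141 image/jpeg 10.154.20.11 http://cam.example.test/camera0.jpg 144476 BYF ALLOWED CLEAN  2 1 0 5 3 1 - 0 - 0 cam.example.test -   http://cam.example.test/ - - 0
Jun 24 06:55:10 2015 CityHemi http_scan[30551]: 1435154110 1 10.154.20.11 198.51.100.7 text/html 10.154.20.11 http://video.example.test/live 0 BYF DENIED CLEAN  2 1 0 5 3 1 streaming-media 0 - 0 video.example.test streaming-media   - - - 0
Jun 24 06:56:00 2015 CityHemi http_scan[30551]: 1435154160 1 10.151.19.40
"""

# Syslog header as it appears in the quoted lines: "Jun 24 06:49:49 2015 CityHemi http_scan[30540]: ..."
HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)

# ASSUMED positional layout of the body, inferred from the samples (verify against vendor docs).
# In the samples the identity slot repeats the client IP, presumably when no username is known.
IDX = {"epoch": 0, "client_ip": 2, "server_ip": 3, "content_type": 4,
       "identity": 5, "url": 6, "bytes": 7, "action": 9, "scan": 10, "category": 17}

def parse_line(line):
    """Return a dict of named fields, or None when the line does not fit the assumed layout."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    tokens = m.group("body").split()          # split() also collapses the double spaces
    if len(tokens) <= max(IDX.values()) or tokens[8] != "BYF":
        return None                            # unexpected shape: report it rather than guess
    rec = {k: tokens[i] for k, i in IDX.items()}
    rec["action"] = rec["action"].lower()      # the post notes Barracuda says 'denied', not 'blocked'
    rec.update(host=m.group("host"), pid=int(m.group("pid")))
    return rec

def summarize(lines):
    """Counts for a 'Top users' view and for denied requests, plus the lines that failed to parse."""
    users, denied, unparsed = Counter(), Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        users[rec["identity"]] += 1
        if rec["action"] == "denied":
            denied[(rec["identity"], rec["category"])] += 1
    return users, denied, unparsed
```

Running `summarize(SAMPLE.splitlines())` yields two events for 10.154.20.11, one denied streaming-media request for that identity, and the truncated line reported as unparsed.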
