Barracuda Mail Security Gateway Logs

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
jaimie.livingston
Posts: 59
Joined: Wed Nov 23, 2016 10:41 am

Barracuda Mail Security Gateway Logs

Post by jaimie.livingston »

We are evaluating Nagios Log Server to fill some of our log management and compliance requirements.

One of the high-priority requirements for selection is being able to properly ingest Barracuda Mail Security Gateway maillogs.

We have a demo license running in-house, and are able to extract basic syslog details (timestamps, etc) but we cannot figure out how to fully parse the Barracuda maillog messages section that includes the actual details of how an email message was handled with the default Log Server configuration.

What options are available for ingesting Barracuda Mail Gateway maillogs and having the messages section correctly parsed out into discrete fields?

Here is the ref to the Barracuda maillog
https://campus.barracuda.com/product/em ... way-syslog

Thanks,

Jaimie Livingston
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Barracuda Mail Security Gateway Logs

Post by scottwilkerson »

From this page it looks like you can set them up to be pushed to a syslog server, which Nagios Log Server acts as.

https://campus.barracuda.com/product/em ... ty-gateway
To configure the Mail syslog, using the Barracuda Email Security Gateway web interface, navigate to the ADVANCED > Advanced Networking page and enter the IP address and port of the syslog server to which syslog data related to mail flow should be sent. You can also specify the protocol – TCP or UDP – over which syslog data should be transmitted. TCP is recommended.

Syslog data is the same information as that used to build the Message Log in the Barracuda Email Security Gateway and includes data such as the connecting IP Address, envelope 'From' address, envelope 'To' address, and the spam score for the messages transmitted. This syslog data appears on the mail facility at the debug priority level on the specified syslog server. As the Barracuda Email Security Gateway uses the syslog messages internally for its own message logging, it is not possible to change the facility or the priority level. See the Syslog section of the ADVANCED > Troubleshooting page in the Barracuda Email Security Gateway Web interface to open a window and view the Mail syslog output.

If you are running syslog on a UNIX machine, be sure to start the syslog daemon process with the “-r” option so that it can receive messages from sources other than itself. Windows users will have to install a separate program to utilize syslog since the Windows OS doesn’t include syslog capability. Kiwi Syslog is a popular solution, but there are many others available to choose from, both free and commercial.

Syslog messages are sent via either TCP or UDP to the standard syslog port of 514. If there are any firewalls between the Barracuda Email Security Gateway and the server receiving the syslog messages, make sure that port 514 is open on the firewalls.
If the server doesn't have the ability to change the port from 514 to 5544, you will need to follow this doc to allow Nagios Log Server to listen on port 514:

https://assets.nagios.com/downloads/nag ... Server.pdf
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
jaimie.livingston
Posts: 59
Joined: Wed Nov 23, 2016 10:41 am

Re: Barracuda Mail Security Gateway Logs

Post by jaimie.livingston »

Thank you, but getting the logs from the Barracuda to the Log Server isn't the problem we are trying to overcome.

What is needed is some assistance parsing the received logs into something truly useful.

I do not, unfortunately, have command line access to the raw logs on the Barracuda mail gateways at this time.
Below is an example of what the "raw" log looks like when viewed within the Log Server GUI...

Three things to note in the raw log below, parsed using the default syslog filters.
1) The "messages" section of the source needs to be split into fields according to the Barracuda reference, but I haven't figured out a clean way of doing this.
2) The _grokparsefailure_sysloginput in the tags section. Not at all sure what to do with or about it...
3) Better parsing for the priority, severity, and facility labels so that they correctly identify this as a maillog record and set the severity appropriately.

I hope this makes sense.

{
  "_index": "logstash-2019.09.09",
  "_type": "syslog",
  "_id": "AW0X_dZZ9INCz9Pe9u2E",
  "_score": null,
  "_source": {
    "message": "<23> outbound/smtp: 127.0.0.1 1568065573-060b0e240a126ac0001-FPYWXk 0 0 SEND ENC 1 AD26D46A0AE 250 2.0.0 OK 1568065574 a14si1820806ybk.153 - gsmtp #to#aspmx.l.google.com[74.125.21.26]:25\n",
    "@version": "1",
    "@timestamp": "2019-09-09T21:46:14.432Z",
    "type": "syslog",
    "host": "10.1.12.123",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "priority": 0,
    "severity": 0,
    "facility": 0,
    "facility_label": "kernel",
    "severity_label": "Emergency"
  },
  "highlight": {
    "host.raw": [
      "@start-highlight@10.1.12.123@end-highlight@"
    ],
    "host": [
      "@start-highlight@10.1.12.123@end-highlight@"
    ]
  },
  "sort": [
    1568065574432,
    1568065574432
  ]
}
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Barracuda Mail Security Gateway Logs

Post by scottwilkerson »

jaimie.livingston wrote:
2) The _grokparsefailure_sysloginput in the tags section. Not at all sure what to do with or about it...

So the message that the Barracuda server is sending isn't an RFC 3164 compliant syslog message, and this is the only type the standard syslog input can read. Can this be configured to be sent to a different TCP input port?

jaimie.livingston wrote:
3) Better parsing for the priority, severity, and facility labels so that they correctly identify this as a maillog record and set the severity appropriately.

Caused by the above: as it is not RFC 3164 compliant, Log Server's syslog input doesn't know how to break it up.

jaimie.livingston wrote:
1) The "messages" section of the source needs to be split into fields according to the Barracuda reference, but I haven't figured out a clean way of doing this.

If you can set it up to send to a different TCP port, you can configure a new TCP input, and then parse the message line with a grok filter to break up the contents of the messages into the fields you would like.
https://assets.nagios.com/downloads/nag ... ilters.pdf
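As an added illustration of the suggestion above (dedicated input, then a custom parse), here is a small Python parser that is not code from this thread, from Nagios or from Barracuda. It decodes the <PRI> of the sample event into the mail/debug labels the Barracuda doc describes and splits the outbound/smtp body into named fields; everything after the PRI (the field names in SEND_RE, the _barracuda_parse_failure tag) is an assumption read off the single sample line, not Barracuda's documented layout.

```python
import re

# Constructed sample: the raw "message" field of the Log Server event quoted
# earlier in this thread (a Barracuda outbound/smtp SEND record).
SAMPLE = ("<23> outbound/smtp: 127.0.0.1 1568065573-060b0e240a126ac0001-FPYWXk "
          "0 0 SEND ENC 1 AD26D46A0AE 250 2.0.0 OK 1568065574 "
          "a14si1820806ybk.153 - gsmtp #to#aspmx.l.google.com[74.125.21.26]:25\n")

# RFC 3164 tables: PRI = facility * 8 + severity, so <23> is mail (2) / debug (7).
FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + ["local%d" % i for i in range(8)]
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]

# Barracuda sends "<PRI> program: body" with no timestamp or hostname, which is
# why the stock RFC 3164 syslog input tags it _grokparsefailure_sysloginput.
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>\s*(?P<program>[\w./-]+):\s*(?P<body>.*)$")
# Field names below are assumptions read off the sample, not Barracuda's spec.
SEND_RE = re.compile(
    r"^(?P<client_ip>\S+)\s+(?P<message_id>\S+)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<action>[A-Z]+)\s+(?P<detail>.*?)(?:\s+#to#(?P<relay_host>[^\[\s]+)"
    r"\[(?P<relay_ip>[^\]]+)\]:(?P<relay_port>\d+))?$")
REPLY_RE = re.compile(r"\b(?P<smtp_code>[2-5]\d\d)\s+(?P<smtp_status>\d\.\d+\.\d+)\b")

def parse_barracuda(line):
    """Split one Barracuda maillog syslog line into discrete fields (a dict)."""
    m = HEADER_RE.match(line.strip())
    if not m or int(m.group("pri")) > 191:        # 191 = local7 * 8 + debug
        return {"message": line, "tags": ["_barracuda_parse_failure"]}
    pri = int(m.group("pri"))
    facility, severity = divmod(pri, 8)
    event = {"priority": pri, "facility": facility, "severity": severity,
             "facility_label": FACILITIES[facility],
             "severity_label": SEVERITIES[severity], "program": m.group("program")}
    b = SEND_RE.match(m.group("body"))
    if b is None:                                 # unknown layout: keep body whole
        event["body"] = m.group("body")
        return event
    event.update({k: v for k, v in b.groupdict().items() if v is not None})
    r = REPLY_RE.search(b.group("detail"))        # e.g. "250 2.0.0"
    if r:
        event.update(r.groupdict())
    return event

if __name__ == "__main__":
    for key, value in parse_barracuda(SAMPLE).items():
        print("%-15s %s" % (key, value))
```

The same named captures carry over directly into a grok match in a Log Server filter attached to the dedicated TCP input.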
jaimie.livingston
Posts: 59
Joined: Wed Nov 23, 2016 10:41 am

Re: Barracuda Mail Security Gateway Logs

Post by jaimie.livingston »

Thanks for the suggestion and pointer.
Pushing out the Barracuda logs to a diff input port and using a custom input filter solved this problem.
I'll post an update once I've finished coding up a satisfactory input filter, for others that have this need.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Barracuda Mail Security Gateway Logs

Post by scottwilkerson »

jaimie.livingston wrote:
Thanks for the suggestion and pointer.
Pushing out the Barracuda logs to a diff input port and using a custom input filter solved this problem.
I'll post an update once I've finished coding up a satisfactory input filter, for others that have this need.
Great!
jaimie.livingston
Posts: 59
Joined: Wed Nov 23, 2016 10:41 am

Re: Barracuda Mail Security Gateway Logs

Post by jaimie.livingston »

I've attached a Logstash input and input filter that works for our test environments, using Barracuda ESG v8 firmware.
You may find it useful. You may not. I do not know if there are significant differences between the various versions of the Barracuda ESGs or firmware versions, and I cannot make any claims that this filter will work for any specific purpose other than my own.

### This code is provided as an example only. It WILL HAVE TO BE MODIFIED at least a little bit to use in your environment.
### This works for me. It might not work for you. You assume all risk.
### Use at your own risk.
### Use at your own risk.
### I take no responsibility for any harm that occurs from using this code.
### Anyone reading this who cannot figure out how to use this code probably shouldn't.
### See Also: https://campus.barracuda.com/product/em ... way-syslog

Feel free to use and modify it as needed.

Good luck.

Jaimie Livingston
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Barracuda Mail Security Gateway Logs

Post by scottwilkerson »

Thank you for sharing!!