Getting Data In

Barracuda Email Gateway Add-on Field Extraction not Extracting

BoxerguyT89
Loves-to-Learn Lots

Hello all I hope this is the right forum,

I am having some trouble with the Barracuda Email Security Gateway Add-on and field extraction.

We have a Splunk Cloud subscription and I am using an Ubuntu server with rsyslog and a universal forwarder to send syslog data to our Splunk Cloud instance.

I have the Barracuda Email Security Gateway Add-on installed in our Splunk Cloud.

I have the data from our Barracuda Email Gateway system going into a folder called /var/log/syslog_barracuda.log.

I have my inputs.conf file configured as follows:

[monitor:///var/log/syslog_barracuda.log]
disabled = 0
sourcetype = barracuda

In our Splunk Cloud, I see the events, and they have the "barracuda" sourcetype as expected.

The problem is, no field extraction is applied to these events.

Is there something I am missing? The Add-on only shows to add the lines to the inputs.conf file.

Any help would be appreciated, I am new to Splunk and trying to wrap my head around everything.

Labels (2)
0 Karma

marnall
Builder

It appears you have set this addon up correctly. 

Do you have other sourcetypes like "barracuda_scan", "barracuda_recv", or "barracuda_send"? This addon appears to intake the "barracuda" sourcetype, then use transforms to change the sourcetype to barracuda_<type> and then those other sourcetypes would then have fields extractions.

If you have logs with the sourcetype "barracuda" but match the regex: "\d{10}\s\d{10}\sRECV" (a ten-digit number, then a space, then a ten-digit number, then the word "RECV"), then that would mean something is not working with the transform.

0 Karma

BoxerguyT89
Loves-to-Learn Lots

Hey thanks for the reply!

Honestly, I forgot about this post or I would have updated it. It seems like the add-on is for a different version of the Barracuda Email Defense than we have. The Barracuda syslog documentation shows a log format that is different than what our cloud platform is sending, but does match what this add-on is looking for. I believe the add-on may be for a self-hosted or on-prem solution.

I was able to parse our logs by a field extraction spath on the extracted JSON. Unfortunately, nothing in the logs easily indicates email directionality, so that's a pain.

0 Karma
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...