Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Barracuda Email Gateway Add-on Field Extraction not Extracting

BoxerguyT89
Loves-to-Learn Lots
‎02-19-2024 01:26 PM

Hello all I hope this is the right forum,

I am having some trouble with the Barracuda Email Security Gateway Add-on and field extraction.

We have a Splunk Cloud subscription and I am using an Ubuntu server with rsyslog and a universal forwarder to send syslog data to our Splunk Cloud instance.

I have the Barracuda Email Security Gateway Add-on installed in our Splunk Cloud.

I have the data from our Barracuda Email Gateway system going into a folder called /var/log/syslog_barracuda.log.

I have my inputs.conf file configured as follows:

[monitor:///var/log/syslog_barracuda.log]
disabled = 0
sourcetype = barracuda

In our Splunk Cloud, I see the events, and they have the "barracuda" sourcetype as expected.

The problem is, no field extraction is applied to these events.

Is there something I am missing? The Add-on only shows to add the lines to the inputs.conf file.

Any help would be appreciated, I am new to Splunk and trying to wrap my head around everything.

Labels (2)
0 Karma
Reply

marnall
Motivator
‎04-06-2024 01:42 PM

It appears you have set this addon up correctly. 

Do you have other sourcetypes like "barracuda_scan", "barracuda_recv", or "barracuda_send"? This addon appears to intake the "barracuda" sourcetype, then use transforms to change the sourcetype to barracuda_<type> and then those other sourcetypes would then have fields extractions.

If you have logs with the sourcetype "barracuda" but match the regex: "\d{10}\s\d{10}\sRECV" (a ten-digit number, then a space, then a ten-digit number, then the word "RECV"), then that would mean something is not working with the transform.

0 Karma
Reply

BoxerguyT89
Loves-to-Learn Lots
‎04-06-2024 01:54 PM

Hey thanks for the reply!

Honestly, I forgot about this post or I would have updated it. It seems like the add-on is for a different version of the Barracuda Email Defense than we have. The Barracuda syslog documentation shows a log format that is different than what our cloud platform is sending, but does match what this add-on is looking for. I believe the add-on may be for a self-hosted or on-prem solution.

I was able to parse our logs by a field extraction spath on the extracted JSON. Unfortunately, nothing in the logs easily indicates email directionality, so that's a pain.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...