Getting Data In

Barracuda Email Gateway Add-on Field Extraction not Extracting

Loves-to-Learn Lots

Hello all I hope this is the right forum,

I am having some trouble with the Barracuda Email Security Gateway Add-on and field extraction.

We have a Splunk Cloud subscription and I am using an Ubuntu server with rsyslog and a universal forwarder to send syslog data to our Splunk Cloud instance.

I have the Barracuda Email Security Gateway Add-on installed in our Splunk Cloud.

I have the data from our Barracuda Email Gateway system going into a folder called /var/log/syslog_barracuda.log.

I have my inputs.conf file configured as follows:

disabled = 0
sourcetype = barracuda

In our Splunk Cloud, I see the events, and they have the "barracuda" sourcetype as expected.

The problem is, no field extraction is applied to these events.

Is there something I am missing? The Add-on only shows to add the lines to the inputs.conf file.

Any help would be appreciated, I am new to Splunk and trying to wrap my head around everything.

Labels (2)
0 Karma


It appears you have set this addon up correctly. 

Do you have other sourcetypes like "barracuda_scan", "barracuda_recv", or "barracuda_send"? This addon appears to intake the "barracuda" sourcetype, then use transforms to change the sourcetype to barracuda_<type> and then those other sourcetypes would then have fields extractions.

If you have logs with the sourcetype "barracuda" but match the regex: "\d{10}\s\d{10}\sRECV" (a ten-digit number, then a space, then a ten-digit number, then the word "RECV"), then that would mean something is not working with the transform.

0 Karma

Loves-to-Learn Lots

Hey thanks for the reply!

Honestly, I forgot about this post or I would have updated it. It seems like the add-on is for a different version of the Barracuda Email Defense than we have. The Barracuda syslog documentation shows a log format that is different than what our cloud platform is sending, but does match what this add-on is looking for. I believe the add-on may be for a self-hosted or on-prem solution.

I was able to parse our logs by a field extraction spath on the extracted JSON. Unfortunately, nothing in the logs easily indicates email directionality, so that's a pain.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...