Getting Data In

Barracuda Email Gateway Add-on Field Extraction not Extracting

BoxerguyT89
Loves-to-Learn Lots

Hello all I hope this is the right forum,

I am having some trouble with the Barracuda Email Security Gateway Add-on and field extraction.

We have a Splunk Cloud subscription and I am using an Ubuntu server with rsyslog and a universal forwarder to send syslog data to our Splunk Cloud instance.

I have the Barracuda Email Security Gateway Add-on installed in our Splunk Cloud.

I have the data from our Barracuda Email Gateway system going into a folder called /var/log/syslog_barracuda.log.

I have my inputs.conf file configured as follows:

[monitor:///var/log/syslog_barracuda.log]
disabled = 0
sourcetype = barracuda

In our Splunk Cloud, I see the events, and they have the "barracuda" sourcetype as expected.

The problem is, no field extraction is applied to these events.

Is there something I am missing? The Add-on only shows to add the lines to the inputs.conf file.

Any help would be appreciated, I am new to Splunk and trying to wrap my head around everything.

Labels (2)
0 Karma

marnall
Motivator

It appears you have set this addon up correctly. 

Do you have other sourcetypes like "barracuda_scan", "barracuda_recv", or "barracuda_send"? This addon appears to intake the "barracuda" sourcetype, then use transforms to change the sourcetype to barracuda_<type> and then those other sourcetypes would then have fields extractions.

If you have logs with the sourcetype "barracuda" but match the regex: "\d{10}\s\d{10}\sRECV" (a ten-digit number, then a space, then a ten-digit number, then the word "RECV"), then that would mean something is not working with the transform.

0 Karma

BoxerguyT89
Loves-to-Learn Lots

Hey thanks for the reply!

Honestly, I forgot about this post or I would have updated it. It seems like the add-on is for a different version of the Barracuda Email Defense than we have. The Barracuda syslog documentation shows a log format that is different than what our cloud platform is sending, but does match what this add-on is looking for. I believe the add-on may be for a self-hosted or on-prem solution.

I was able to parse our logs by a field extraction spath on the extracted JSON. Unfortunately, nothing in the logs easily indicates email directionality, so that's a pain.

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...