Barracuda Email Gateway Add-on Field Extraction not Extracting

BoxerguyT89
Loves-to-Learn Lots

Hello all, I hope this is the right forum.

I am having some trouble with the Barracuda Email Security Gateway Add-on and field extraction.

We have a Splunk Cloud subscription and I am using an Ubuntu server with rsyslog and a universal forwarder to send syslog data to our Splunk Cloud instance.

I have the Barracuda Email Security Gateway Add-on installed in our Splunk Cloud.

I have the data from our Barracuda Email Gateway system going into a folder called /var/log/syslog_barracuda.log.

I have my inputs.conf file configured as follows:

[monitor:///var/log/syslog_barracuda.log]
disabled = 0
sourcetype = barracuda

In our Splunk Cloud, I see the events, and they have the "barracuda" sourcetype as expected.

The problem is, no field extraction is applied to these events.

Is there something I am missing? The Add-on only shows to add the lines to the inputs.conf file.

Any help would be appreciated, I am new to Splunk and trying to wrap my head around everything.

0 Karma

marnall
Motivator

It appears you have set this addon up correctly. 

Do you have other sourcetypes like "barracuda_scan", "barracuda_recv", or "barracuda_send"? This addon appears to intake the "barracuda" sourcetype, then use transforms to change the sourcetype to barracuda_<type>, and those other sourcetypes would then have field extractions.

If you have logs with the sourcetype "barracuda" but match the regex: "\d{10}\s\d{10}\sRECV" (a ten-digit number, then a space, then a ten-digit number, then the word "RECV"), then that would mean something is not working with the transform.

0 Karma
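For readers who have not seen this index-time sourcetype rerouting before, here is an added illustrative props.conf/transforms.conf pair; it is not the add-on's own configuration, and the stanza names and the SEND/SCAN keywords are assumptions based on the sourcetype names mentioned above (only the RECV pattern comes from the reply).

```ini
# props.conf (illustrative, not the add-on's actual stanzas)
# Events arrive as sourcetype=barracuda (from inputs.conf) and are
# re-typed at parse time by the transforms listed here, in order.
[barracuda]
TRANSFORMS-barracuda_route = barracuda_set_recv, barracuda_set_send, barracuda_set_scan

# transforms.conf
# Each stanza tests the raw event against a pattern and, on a match,
# rewrites the sourcetype metadata key. Events that match nothing keep
# sourcetype=barracuda, which is exactly the symptom described above.
[barracuda_set_recv]
REGEX = \d{10}\s\d{10}\sRECV
FORMAT = sourcetype::barracuda_recv
DEST_KEY = MetaData:Sourcetype

# SEND / SCAN keywords are assumed here by analogy with RECV
[barracuda_set_send]
REGEX = \d{10}\s\d{10}\sSEND
FORMAT = sourcetype::barracuda_send
DEST_KEY = MetaData:Sourcetype

[barracuda_set_scan]
REGEX = \d{10}\s\d{10}\sSCAN
FORMAT = sourcetype::barracuda_scan
DEST_KEY = MetaData:Sourcetype

# props.conf (continued): search-time field extractions attach to the
# rewritten sourcetypes, not to the original "barracuda" one, so an
# event that was never re-typed never gets these fields.
[barracuda_recv]
EXTRACT-recv_fields = ^\d{10}\s(?<msgid>\d{10})\sRECV\s(?<details>.*)$
```

Because TRANSFORMS- stanzas run at index time, they only take effect on the tier that parses the data (the indexers or a heavy forwarder, not a universal forwarder), and they only apply to events indexed after the configuration is in place; a search such as `sourcetype=barracuda | regex _raw="\d{10}\s\d{10}\sRECV"` quickly shows whether matching events are escaping the rerouting.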

BoxerguyT89
Loves-to-Learn Lots

Hey thanks for the reply!

Honestly, I forgot about this post or I would have updated it. It seems like the add-on is for a different version of the Barracuda Email Defense than we have. The Barracuda syslog documentation shows a log format that is different than what our cloud platform is sending, but does match what this add-on is looking for. I believe the add-on may be for a self-hosted or on-prem solution.

I was able to parse our logs by a field extraction spath on the extracted JSON. Unfortunately, nothing in the logs easily indicates email directionality, so that's a pain.

0 Karma