Collect Barracuda Email Security Gateway logs

This document explains how to collect Barracuda Email Security Gateway logs by using Bindplane. The parser extracts fields from the logs using Grok patterns and JSON parsing. Then, it maps the extracted fields to the Unified Data Model (UDM) schema, categorizes the email activity (for example, spam or phishing), and determines the security action taken (for example, allow, block, or quarantine).

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to the Symantec DLP.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
   

Additional installation resources

• For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   2. Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       udplog:
           # Replace the port and IP address as required
           listen_address: "0.0.0.0:54525"
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the path to the credentials file you downloaded in Step 1
           creds: '/path/to/ingestion-authentication-file.json'
           # Replace with your actual customer ID from Step 2
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # Add optional ingestion labels for better organization
           ingestion_labels:
               log_type: SYSLOG
               namespace: barracuda_email
               raw_log_field: body
   
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - udplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

• To restart the Bindplane agent in Linux, run the following command:

  sudo systemctl restart bindplane-agent
  

• To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

  net stop BindPlaneAgent && net start BindPlaneAgent
  

Configure Barracuda Email Security Gateway

1. Sign in to the Barracuda ESG Interface.
2. Select Advanced > Advanced networking > Syslog Configuration.
3. Provide the following details:
   • Enable Syslog logging by checking the Enable Syslog checkbox.
   • Syslog Server: enter the Bindplane IP address.
   • Port: specify the Syslog port (default is 514, but ensure this matches the configuration in Google Security Operations).
   • Syslog Facility choose Local0.
   • Severity Level: select Error and Warning for higher priority email security logs.
4. Click Save Changes to apply the configuration.

UDM Mapping Table

Log field	UDM mapping	Logic
account_id		Not Mapped
attachments		Not Mapped
dst_domain	target.hostname	Value of dst_domain field
dst_domain	target.asset.hostname	Value of dst_domain field
env_from		Not Mapped
geoip	target.location.country_or_region	Value of geoip field
hdr_from	network.email.from	Value of hdr_from field if it is an email address
hdr_to	network.email.to	Value of hdr_to field if it is an email address, otherwise parsed from JSON array in hdr_to field
host	principal.hostname	Value of host field
host	principal.asset.hostname	Value of host field
message_id	network.email.mail_id	Value of message_id field
product_log_id	metadata.product_log_id	Value of product_log_id field
queue_id	security_result.detection_fields.value	Value of queue_id field
recipient_email	network.email.to	Value of recipient_email field if it is not empty or -
recipients		Not Mapped
recipients.action	security_result.action	Mapped to ALLOW if value is allowed, otherwise mapped to BLOCK
recipients.action	security_result.action_details	Value of recipients.action field
recipients.delivery_detail	security_result.detection_fields.value	Value of recipients.delivery_detail field
recipients.delivered	security_result.detection_fields.value	Value of recipients.delivered field
recipients.email	network.email.to	Value of recipients.email field if it is an email address
recipients.reason	security_result.detection_fields.value	Value of recipients.reason field
recipients.reason_extra	security_result.detection_fields.value	Value of recipients.reason_extra field
recipients.taxonomy	security_result.detection_fields.value	Value of recipients.taxonomy field
service	security_result.summary	Value of service field
size	network.received_bytes	Value of size field converted to an unsigned integer
src_ip	principal.ip	Value of src_ip field if it is not empty or 0.0.0.0
src_ip	principal.asset.ip	Value of src_ip field if it is not empty or 0.0.0.0
src_ip	security_result.about.ip	Value of src_ip field if it is not empty or 0.0.0.0
subject	network.email.subject	Value of subject field
target_ip	target.ip	Value of target_ip field
target_ip	target.asset.ip	Value of target_ip field
timestamp	metadata.event_timestamp	Parsed timestamp from the log entry
	metadata.event_type	Hardcoded to EMAIL_TRANSACTION
	metadata.log_type	Hardcoded to BARRACUDA_EMAIL
	metadata.vendor_name	Hardcoded to Barracuda
	network.application_protocol	Set to SMTP if process field contains smtp
	network.direction	Set to INBOUND if process field contains inbound, set to OUTBOUND if process field contains outbound
	security_result.action	Set based on a combination of action, action_code, service, and delivered fields
	security_result.category	Set based on a combination of action, reason, and other fields
	security_result.confidence	Hardcoded to UNKNOWN_CONFIDENCE
	security_result.priority	Hardcoded to UNKNOWN_PRIORITY
	security_result.severity	Hardcoded to UNKNOWN_SEVERITY if category is UNKNOWN_CATEGORY

Changes

2024-05-28

Enhancement:

• Mapped attachments to additional.fields.

2024-01-08

Enhancement:

• Mapped recipients.action to security_result.action_details.
• Mapped recipients.email to network.email.to.
• Mapped recipients.delivery_detail, recipients.reason, recipients.taxonomy, recipients.reason_extra and recipient.delivered to security_result.detection_fields.
• Mapped dst_domain to target.hostname.
• Mapped geoip to target.location.country_or_region.

2023-01-19

Bug fix:

• Modified grok pattern to extract subject and mapped to network.subject.

2022-12-16

Enhancement:

• Added grok pattern for new logs.
• Mapped host to principal.hostname.
• Mapped product_log_id to metadata.product_log_id.
• Mapped network.application_protoco to SMTP where process includes smtp.
• Mapped sender_email to network.email.from.
• Mapped recipient_email to network.email.to.
• Mapped network.direction to INBOUND where process includes inbound.
• Mapped network.direction to OUTBOUND where process includes outbound.
• Mapped target_ip to target.ip.
• Mapped queue_id to security_result.detection_fields.
• Mapped security_result.action to ALLOW where action_code are 0 or 7 and service are RECV or SCAN.
• Mapped security_result.action to BLOCK where action_code is 2 and service are RECV or SCAN.
• Mapped security_result.action to QUARANTINE where action_code is 3 and service are RECV or SCAN.

2022-05-19

Enhancement:

• Modified data extraction for email and hdr_from to improve parsing.

Need more help? Get answers from Community members and Google SecOps professionals.