This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2019-01-15 06:28 AM

Creating a syslog parser for Email

I am trying to build a parser for the Barracuda Email Security Gateway.

The first order of business is to know what I should use as Product Name. In the R80.20 log I can select as filter blade:"Anti-Spam and Email Security" but I am not sure what the equivalent is for the Eventia Log Parsing Editor.

Then I am trying to figure out which fields I can use.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Labels
5 Replies
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2019-01-15 07:47 AM

My first attempt is online on syslog2checkpoint/BSF at master · hvdkooij/syslog2checkpoint · GitHub 

It at least has only hits and partial hits on the sample syslog set I have collected from my test Barracuda.

The partial hits look like something I can't fix with the Eventia Log Parsing Editor. So I may have to dive in and fix it manually.

The tricky thing is that I have a starting match that results in 3 main patterns and 1 of them has 2 rather different subsections. And I couldn't find a way to get that fixed with said tool.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2019-01-16 06:17 AM

Actually the code is now documented in the appendix of the Logging and Monitoring manual

Appendix: Manual Syslog Parsing 

All we need now is a good definition of all the fields we are allowed to use.

The LEA field guide from 2014 is ... not entirely up-to-date.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2019-01-16 06:45 AM
In response to Hugo_vd_Kooij

One challenge is to understand which action values I can use for:

Actions

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2019-01-17 03:45 AM

The first draft version is working (well sort of ...) but I would like to refine and enhance it once I have more insight in the exact field names I can use in Check Point.

So my lab SmartCenter now is more or less becoming my SIEM.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Hugo_vd_Kooij
MVP Gold
MVP Gold
‎2019-01-17 04:48 AM

As I am not shy of doing some reverse engineering .....

I started to put a field list on syslog2checkpoint/readme.md at master · hvdkooij/syslog2checkpoint · GitHub 

Anyone willing to contribute let me know through github.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events