Hugo_vd_Kooij
Advisor

Creating a syslog parser for Email

I am trying to build a parser for the Barracuda Email Security Gateway.

The first order of business is to know what I should use as Product Name. In the R80.20 log I can select as filter blade:"Anti-Spam and Email Security" but I am not sure what the equivalent is for the Eventia Log Parsing Editor.

Then I am trying to figure out which fields I can use.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
5 Replies
Hugo_vd_Kooij
Advisor

My first attempt is online on syslog2checkpoint/BSF at master · hvdkooij/syslog2checkpoint · GitHub 

It at least has only hits and partial hits on the sample syslog set I have collected from my test Barracuda.

The partial hits look like something I can't fix with the Eventia Log Parsing Editor. So I may have to dive in and fix it manually.

The tricky thing is that I have a starting match that results in 3 main patterns and 1 of them has 2 rather different subsections. And I couldn't find a way to get that fixed with said tool.

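The structural problem described in this reply (one starting match that fans out into three main patterns, one of which has two different subsections, with lines that match the start but not the body counting as partial hits) is easy to model outside the Log Parsing Editor. The block below is an added example and is not the syslog2checkpoint parser or any Check Point parser file; the sample lines are constructed and only imitate the shape described above, not Barracuda's real log format, and every field and verb name in them is a hypothetical placeholder.

```python
import re

# Constructed sample lines. These are NOT Barracuda Email Security Gateway output;
# they only reproduce the shape described in the post: a common prefix, a verb that
# selects one of three body patterns, and one verb (SCAN) with two sub-forms.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 bsg inbound/pass1[2231]: 203.0.113.7 RECV from=alice@example.net to=bob@example.org size=1532",
    "<134>Jan 10 12:00:02 bsg inbound/pass1[2231]: 203.0.113.7 SCAN verdict=allow score=0.7",
    "<134>Jan 10 12:00:02 bsg inbound/pass1[2231]: 203.0.113.7 SCAN verdict=block reason=spam score=7.5",
    "<134>Jan 10 12:00:03 bsg inbound/pass1[2231]: 203.0.113.7 SEND status=delivered dest=mail.example.org",
    "<134>Jan 10 12:00:04 bsg inbound/pass1[2231]: 203.0.113.7 SCAN bogus",
    "<134>Jan 10 12:00:05 bsg outbound/smtp[99]: 203.0.113.7 NOPE x=1",
    "<134>Jan 10 12:00:06 bsg cron[1]: session opened",
]

# Starting match: syslog PRI/timestamp/host, then process[pid], client IP, a verb
# and an optional free-form body that the verb-specific patterns take apart.
PREFIX = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w/]+)\[(?P<pid>\d+)\]: (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<verb>[A-Z]+)(?: (?P<body>.*))?$"
)

# Three main patterns keyed by verb; SCAN carries two rather different sub-forms,
# tried in order, which is the branching the editor could not express.
BODY_PATTERNS = {
    "RECV": [re.compile(r"^from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$")],
    "SCAN": [
        re.compile(r"^verdict=(?P<verdict>allow) score=(?P<score>[\d.]+)$"),
        re.compile(r"^verdict=(?P<verdict>block) reason=(?P<reason>\w+) score=(?P<score>[\d.]+)$"),
    ],
    "SEND": [re.compile(r"^status=(?P<status>\w+) dest=(?P<dest>\S+)$")],
}


def parse_line(line):
    """Return the extracted fields plus a 'result' of hit, partial or miss.

    miss    - the starting match failed, the line is not one of ours
    partial - prefix matched but no body pattern for that verb did
    hit     - prefix and one body pattern matched; 'pattern' names which one
    """
    m = PREFIX.match(line)
    if not m:
        return {"result": "miss", "raw": line}
    fields = m.groupdict()
    body = fields.pop("body") or ""
    for i, pat in enumerate(BODY_PATTERNS.get(fields["verb"], [])):
        bm = pat.match(body)
        if bm:
            fields.update(bm.groupdict())
            fields["result"] = "hit"
            fields["pattern"] = f"{fields['verb']}/{i}"
            return fields
    fields["result"] = "partial"
    fields["unparsed"] = body  # keep the leftover so the missing pattern can be written
    return fields


def summarize(lines):
    """Count hits, partial hits and misses over a sample set."""
    counts = {"hit": 0, "partial": 0, "miss": 0}
    for line in lines:
        counts[parse_line(line)["result"]] += 1
    return counts


def partial_bodies(lines):
    """List (verb, unparsed body) for partial hits: the work list for new patterns."""
    out = []
    for line in lines:
        r = parse_line(line)
        if r["result"] == "partial":
            out.append((r["verb"], r["unparsed"]))
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
    for verb, body in partial_bodies(SAMPLE_LINES):
        print(f"partial: verb={verb} body={body!r}")
```

Running it over the constructed set gives four hits, two partial hits (an unknown SCAN sub-form and an unknown verb) and one miss (a line that never matched the starting pattern). Keeping the unparsed remainder on partial hits is what makes the next round of pattern writing mechanical: each distinct remainder is a pattern still to add.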
Hugo_vd_Kooij
Advisor

Actually the code is now documented in the appendix of the Logging and Monitoring manual

Appendix: Manual Syslog Parsing 

All we need now is a good definition of all the fields we are allowed to use.

The LEA field guide from 2014 is ... not entirely up-to-date.

Hugo_vd_Kooij
Advisor

One challenge is to understand which action values I can use for:

Actions

Hugo_vd_Kooij
Advisor

The first draft version is working (well sort of ...) but I would like to refine and enhance it once I have more insight in the exact field names I can use in Check Point.

So my lab SmartCenter now is more or less becoming my SIEM.

Hugo_vd_Kooij
Advisor

As I am not shy of doing some reverse engineering .....

I started to put a field list on syslog2checkpoint/readme.md at master · hvdkooij/syslog2checkpoint · GitHub 

Anyone willing to contribute let me know through github.
