I am trying to build a parser for the Barracuda Email Security Gateway.
The first order of business is to know what I should use as Product Name. In the R80.20 log I can select as filter blade:"Anti-Spam and Email Security" but I am not sure what the equivalent is for the Eventia Log Parsing Editor.
Then I am trying to figure out which fields I can use.
My first attempt is online on syslog2checkpoint/BSF at master · hvdkooij/syslog2checkpoint · GitHub
It at least has only hits and partial hits on the sample syslog set I have collected from my test Barracuda.
The partial hits look like something I can't fix with the Eventia Log Parsing Editor. So I may have to dive in and fix it manually.
The tricky thing is that I have a starting match that results in 3 main patterns and 1 of them has 2 rather different subsections. And I couldn't find a way to get that fixed with said tool.
Actually the code is now documented in the appendix of the Logging and Monitoring manual
Appendix: Manual Syslog Parsing
All we need now is a good definition of all the fields we are allowed to use.
The LEA field guide from 2014 is ... not entirely up-to-date.
One challenge is to understand which action values I can use for:
The first draft version is working (well, sort of ...) but I would like to refine and enhance it once I have more insight into the exact field names I can use in Check Point.
So my lab SmartCenter now is more or less becoming my SIEM.
As I am not shy of doing some reverse engineering ...
I started to put a field list on syslog2checkpoint/readme.md at master · hvdkooij/syslog2checkpoint · GitHub
Anyone willing to contribute, let me know through GitHub.