Barracuda ESG Mail Spammer Syslog parsing issue

[esbat-max]

Hello,

I am using security onion v 2.30.70 in standalone mode, I integrated the barracuda mail spammer to receive the syslog messages.
The integration is successful, however, the syslog messages are received but parsed in correctly. (please check attached).

My question is:
1- how to parse the data ?
2- How to ingest the data into elasticsearch ?

Note, The syslog messages are received directly from barracuda to security onion. No beats in between.

Thanks,
E

[dougburks]

Typically, these kinds of integrations are easier if you can leverage an existing Filebeat module, but I'm not sure if the Barracuda module would work for you:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-barracuda.html
https://docs.securityonion.net/en/2.3/filebeat.html

If necessary, you could always write your own custom ingest parser:
https://docs.securityonion.net/en/2.3/elasticsearch.html#parsing

[esbat-max]

Hello Dough,

I agree about using filebeat to ship the data. But what if you have multiple syslog sources ? you cannot assign a workstation for syslog source. I know that filebeat can support multiple data input, but it cannot create multiple index to assign each syslog source to an index.

In such a case, I need a logstash to do such a complicating job, where collecting multiple syslog sources and distribute them into a specified elastic index.

Is it possible to install logstash into a windows workstation and the data directly to elastic ?

[dougburks]

As mentioned above, seems like you should be able to write your own custom ingest parser:
https://docs.securityonion.net/en/2.3/elasticsearch.html#parsing

[esbat-max]

Hello,
I did the following steps in order to parse the logs of barracuda spam firewall:

1. I have created a file called barracuda.syslog inside the following directory
   [admin@so-touch-std ~]$ sudo ls -l /opt/so/saltstack/local/salt/elasticsearch/files/ingest
   total 4
   -rw-r--r--. 1 socore socore 2136 Jan 27 10:14 barracuda.syslog

2. Then, I went into kibana -> ingest pipelines and used the content of the filebeat7.16.2-barracuda-spamfirewall-pipeline (builtin).
   [admin@so-touch-std ~]$ sudo ls -l /opt/so/saltstack/local/salt/elasticsearch/files/ingest
   total 4
   -rw-r--r--. 1 socore socore 2136 Jan 27 10:14 barracuda.syslog
   [admin@so-touch-std ~]$

[admin@so-touch-std ~]$ sudo cat /opt/so/saltstack/local/salt/elasticsearch/files/ingest/barracuda.syslog
cription": "Pipeline for Barracuda Spam Firewall",
"processors": [
{
"set": {
"field": "event.ingested",
"value": "{{_ingest.timestamp}}"
}
},
{
"user_agent": {
"field": "user_agent.original",
"ignore_missing": true
}
},
{
"geoip": {
"ignore_missing": true,
"field": "source.ip",
"target_field": "source.geo"
}
},
{
"geoip": {
"field": "destination.ip",
"target_field": "destination.geo",
"ignore_missing": true
}
},
{
"geoip": {
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true,
"database_file": "GeoLite2-ASN.mmdb",
"field": "source.ip",
"target_field": "source.as"
}
},
{
"geoip": {
"database_file": "GeoLite2-ASN.mmdb",
"field": "destination.ip",
"target_field": "destination.as",
"properties": [
"asn",
"organization_name"
],
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.asn",
"target_field": "source.as.number",
"ignore_missing": true
}
},
{
"rename": {
"field": "source.as.organization_name",
"target_field": "source.as.organization.name",
"ignore_missing": true
}
},
{
"rename": {
"target_field": "destination.as.number",
"ignore_missing": true,
"field": "destination.as.asn"
}
},
{
"rename": {
"field": "destination.as.organization_name",
"target_field": "destination.as.organization.name",
"ignore_missing": true
}
},
{
"append": {
"if": "ctx.host?.name != null && ctx.host?.name != ''",
"field": "related.hosts",
"value": "{{host.name}}",
"allow_duplicates": false
}
}
],
"on_failure": [
{
"append": {
"field": "error.message",
"value": "{{ _ingest.on_failure_message }}"
}
}
]
}

3. I copied and paste the json code the mentioned file inside the barracuda.syslog file.
4. Saved the file and restarted elasticsearch.

Still the syslog message is not parsed and there is some delay between actual time and ingest time of the log.

Any advise ?
Thanks,
E

[esbat-max]

Also, The restart of the elasticsearch appeared to have 1 error