Barracuda Spam & Virus Firewall
You can integrate Barracuda Spam & Virus Firewall with JSA.
The Barracuda Spam & Virus Firewall DSM for JSA accepts both mail syslog events and web syslog events from Barracuda Spam & Virus Firewall appliances.
Mail syslog events contain the event and the action that is taken when the firewall processes email. Web syslog events record user activity and configuration changes that occur on your Barracuda Spam & Virus Firewall appliance.
Before You Begin
Syslog messages are sent to JSA from Barracuda Spam & Virus Firewall by using UDP port 514. You must verify that any firewalls between JSA and your Barracuda Spam & Virus Firewall appliance allow UDP traffic on port 514.
Configuring Syslog Event Forwarding
You can configure syslog forwarding for Barracuda Spam & Virus Firewall.
- Log in to the Barracuda Spam & Virus Firewall web interface.
- Click the Advanced tab.
- From the Advanced menu, select Advanced Networking.
- In the Mail Syslog field, type the IP address of your JSA console or Event Collector.
- Click Add.
- In the Web Interface Syslog field, type the IP address of your JSA console or Event Collector.
- Click Add.
Syslog Log Source Parameters for Barracuda Spam Firewall
If JSA does not automatically detect the log source, add a Barracuda Spam Firewall log source on the JSA Console by using the syslog protocol.
When using the syslog protocol, there are specific parameters that you must use.
The following table describes the parameters that require specific values to collect syslog events from Barracuda Spam & Virus Firewall:
Parameter | Value |
---|---|
Log Source Name | Type a name for the log source. |
Log Source Description | Type a description for the log source. |
Log Source type | Barracuda Spam & Virus Firewall |
Protocol Configuration | Syslog |
Protocol Configuration | Type the IP address or host name for the log source. |
Barracuda Spam and Virus Firewall Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Barracuda Spam & Virus Firewall Sample Message when you use the Syslog Protocol
Sample 1: This sample event shows that a message is blocked because the user doesn’t exist.
Apr 11 11:24:37 2012 barracuda.firewall.test inbound/pass1[25713]: user[192.168.0.1] 1334157877-03f828647122cb90001-hUkLV9 1334157877 1334157877 RECV admin1@qradar.example.com x7ZYJv5uCwenuD/3xNuYx0cYIAkqevlHLIZSj4XeuVOySIBOB8EwFiQ9lpD3MAgI 2 8 No such user (x7ZYJv5uCwenuD/3xNuYx0cYIAkqevlHLIZSj4XeuVOySIBOB8EwFiQ9lpD3MAgI)
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | Blocked Message is extracted from the Event ID field in JSA |
Event Category | No such user |
Source IP | 192.168.0.1 |
Username | x7ZYJv5uCwenuD/3xNuYx0cYIAkqevlHLIZSj4XeuVOySIBOB8EwFiQ9lpD3MAgI |
Device time | Apr 11 11:24:37 2012 |
Sample 2: This sample event shows that a message is blocked because of political intentions.
<23>scan[9097]: user[192.168.0.1] 1366829265-05f5cb11fe1b9a50001-wlKzrS 1366829265 1366829266 SCAN ENC admin2@qradar.example.com qIWHXoYEpfP+Ut0/6KYPSBB/+f368IWMkt7vCt/wP0iySIBOB8EwFiQ9lpD3MAgI - 2 70 example.org SZ:3117 Subj: Random Email Subject Line
JSA field name | Highlighted values in the event payload |
---|---|
Event ID | Blocked Message is extracted from the Event ID field in JSA |
Event Category | Intent - political is extracted from the Event Category field in JSA |
Source IP | 192.168.0.1 |
Username | qIWHXoYEpfP+Ut0/6KYPSBB/+f368IWMkt7vCt/wP0iySIBOB8EwFiQ9lpD3MAgI |
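The following Python sketch is an added example, not part of the JSA or Barracuda documentation: it removes the carriage return and line feed characters from a wrapped copy of each sample message, checks that the Source IP and Username values listed in the tables can be recovered, and can send the cleaned event to a collector over UDP port 514. The function names, the field order in the regular expression (inferred from the two samples only), the constructed line breaks, and the address 192.0.2.10 are assumptions.

```python
import re
import socket

# Sample 1 from this page; the CR/LF is constructed to mimic a wrapped copy.
SAMPLE_RECV = (
    "Apr 11 11:24:37 2012 barracuda.firewall.test inbound/pass1[25713]: "
    "user[192.168.0.1] 1334157877-03f828647122cb90001-hUkLV9 1334157877 "
    "1334157877 RECV admin1@qradar.example.com "
    "x7ZYJv5uCwenuD/3xNuYx0cYIAkqevlHLIZSj4XeuVOySIBOB8EwFiQ9lpD3MAgI 2 8 "
    "No such user (x7ZYJv5uCwenuD/\r\n"
    "3xNuYx0cYIAkqevlHLIZSj4XeuVOySIBOB8EwFiQ9lpD3MAgI)"
)
# Sample 2 from this page, with the same constructed wrap.
SAMPLE_SCAN = (
    "<23>scan[9097]: user[192.168.0.1] 1366829265-05f5cb11fe1b9a50001-wlKzrS "
    "1366829265 1366829266 SCAN ENC admin2@qradar.example.com "
    "qIWHXoYEpfP+Ut0/6KYPSBB/+f368IWMkt7vCt/\r\n"
    "wP0iySIBOB8EwFiQ9lpD3MAgI - 2 70 example.org SZ:3117 "
    "Subj: Random Email Subject Line"
)
# Assumption: field order is inferred from the two samples, not a vendor spec.
EVENT = re.compile(
    r"(?P<process>[\w/]+)\[\d+\]: user\[(?P<source_ip>[\d.]+)\] "
    r"(?P<msg_id>\S+) (?P<start>\d+) (?P<end>\d+) (?P<service>RECV|SCAN \S+) "
    r"(?P<sender>\S+) (?P<username>\S+) (?:(?P<score>-|[\d.]+) )?"
    r"(?P<action>\d+) (?P<reason>\d+) (?P<detail>.*)$"
)

def unwrap(text):
    """Strip the CR/LF characters a wrapped copy carries, as the page instructs."""
    return text.replace("\r", "").replace("\n", "")

def parse(event):
    """Return the event's fields as a dict, or None when the layout does not match."""
    match = EVENT.search(event)
    return match.groupdict() if match else None

def send_udp(event, host, port=514):
    """Send one event as a single UDP datagram; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(event.encode("ascii"), (host, port))

if __name__ == "__main__":
    for sample in (SAMPLE_RECV, SAMPLE_SCAN):
        fields = parse(unwrap(sample))
        print(fields["source_ip"], fields["username"], fields["action"], fields["reason"])
    # send_udp(unwrap(SAMPLE_RECV), "192.0.2.10")  # placeholder collector address
```

A wrapped copy that still contains a line break does not match the pattern at all, which is why `parse` returns `None` for the raw constants until `unwrap` is applied.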