Integrate Barracuda Email Security Gateway - Netsurion


Integrate Barracuda Email Security Gateway
EventTracker v9.x and above
Publication Date: December 5, 2019

Abstract

This guide provides instructions to retrieve Barracuda Email Security Gateway event logs and integrate them with EventTracker. Once EventTracker is configured to collect and parse these logs, dashboards and reports can be configured to monitor Barracuda Email Security Gateway.

Audience

The configurations detailed in this guide are consistent with EventTracker version v9.x or above and Barracuda Email Security Gateway VX600 or above.

The information contained in this document represents the current view of Netsurion on the issues discussed as of the date of publication. Because Netsurion must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Netsurion, and Netsurion cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Netsurion MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Netsurion, if its content is unaltered, nothing is added to the content and credit to Netsurion is provided.

Netsurion may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Netsurion, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2019 Netsurion. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

1. Overview
2. Prerequisites
3. Configuring Barracuda Email Security Gateway to EventTracker
   3.1 Barracuda Action Codes
   3.2 Barracuda Reason Codes
4. EventTracker Knowledge Pack
   4.1 Flex Reports
   4.2 Alerts
   4.3 Saved Search
   4.4 Dashboards
5. Importing Barracuda Email Security Gateway knowledge pack into EventTracker
   5.1 Alerts
   5.2 Token Template
   5.3 Knowledge Object
   5.4 Flex Reports
   5.5 Dashboard
6. Verifying Barracuda Email Security Gateway knowledge pack in EventTracker
   6.1 Token Template
   6.2 Knowledge Object
   6.3 Flex Reports
   6.4 Dashboard

1. Overview

The Barracuda Email Security Gateway is an integrated hardware and software solution designed to protect your email server from spam, virus, spoofing, phishing and spyware attacks. Outbound filtering and encryption options also provide Data Leakage Prevention (DLP). The optional cloud protection layer (CPL) shields email servers from inbound malware and DoS attacks while filtering out normal spam before it ever touches the network’s perimeter.

2. Prerequisites

• EventTracker v9.x should be installed.
• Barracuda Email Security Gateway VX600 or above should be installed and configured.
• An exception should be added into the Windows firewall on the EventTracker machine for Syslog port 514.

3. Configuring Barracuda Email Security Gateway to EventTracker

1. Log in to the Barracuda Web Filter web interface.
2. Select Advanced > Advanced Networking.
3. In the Syslog Configuration section, specify the IP address of the EventTracker in the Mail Syslog and Web Interface Syslog fields.
4. Enter port 514 and select UDP protocol.

Figure 1

5. Click Add and save. The Syslog configuration is complete.
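Once the gateway is forwarding mail syslog, events are interpreted through the numeric action and reason codes tabulated in sections 3.1 and 3.2, where the same action ID means different things for RECV/SCAN and for SEND. The following Python code is an added example, not part of the Netsurion guide or the EventTracker knowledge pack: it decodes the codes per service and picks out virus detections (reason codes 1 and 86). The function names and the tuple layout of the sample events are assumptions made for the example.

```python
# Added example: decode Barracuda ESG action/reason codes per service.
# Code meanings are copied from the tables in sections 3.1 and 3.2.
RECV_SCAN_ACTIONS = {
    0: "Allowed Message", 1: "Aborted Message", 2: "Blocked Message",
    3: "Quarantined Message", 4: "Tagged Message", 5: "Deferred Message",
    6: "Per-User Quarantined Message", 7: "Whitelisted Message",
    8: "Encrypted Message", 9: "Redirected Message", 10: "Attachments Stubbed",
}
SEND_ACTIONS = {1: "Delivered Message", 2: "Rejected Message",
                3: "Deferred Message", 4: "Expired Message"}
# Subset of the RECV/SCAN reason codes, enough for the sample below.
REASONS = {1: "Virus", 2: "Banned Attachment", 3: "RBL Match", 31: "Score",
           78: "Sender Spoofed", 83: "Authentication Failure",
           86: "Virus detected by Extended Malware Protection"}
VIRUS_REASONS = {1, 86}

def decode(service, action, reason=None):
    """Return (action_text, reason_text, is_virus) for one event."""
    service = service.upper()
    if service in ("RECV", "SCAN"):
        table = RECV_SCAN_ACTIONS
    elif service == "SEND":
        table, reason = SEND_ACTIONS, None  # the guide lists no SEND reason codes
    else:
        raise ValueError(f"unknown service: {service!r}")
    action_text = table.get(action, f"unknown action {action}")
    reason_text = None if reason is None else REASONS.get(reason, f"reason {reason}")
    return action_text, reason_text, reason in VIRUS_REASONS

# Constructed sample events: (service, sender, recipient, action, reason).
# This tuple layout is an assumption for the example, not the gateway's log format.
SAMPLE = [
    ("SCAN", "a@example.org", "u1@example.com", 2, 1),
    ("SCAN", "b@example.org", "u2@example.com", 3, 31),
    ("SEND", "u1@example.com", "c@example.net", 2, None),
    ("RECV", "d@example.org", "u3@example.com", 2, 83),
]

def virus_events(events):
    """Yield (sender, recipient, action, reason) where the reason code is 1 or 86."""
    for service, sender, rcpt, action, reason in events:
        action_text, reason_text, is_virus = decode(service, action, reason)
        if is_virus:
            yield sender, rcpt, action_text, reason_text

if __name__ == "__main__":
    for row in virus_events(SAMPLE):
        print(row)
```

Action ID 2 decodes to "Blocked Message" for a SCAN event and to "Rejected Message" for a SEND event, so any report or search that filters on the action field also has to filter on the service.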

3.1 Barracuda Action Codes

RECV and SCAN Services

ID    Meaning
0     Allowed Message
1     Aborted Message
2     Blocked Message
3     Quarantined Message
4     Tagged Message
5     Deferred Message
6     Per-User Quarantined Message
7     Whitelisted Message
8     Encrypted Message
9     Redirected Message
10    Attachments Stubbed*

SEND Services

ID    Meaning
1     Delivered Message
2     Rejected Message
3     Deferred Message
4     Expired Message

3.2 Barracuda Reason Codes

RECV and SCAN Services

ID    Meaning
1     Virus
2     Banned Attachment
3     RBL Match
4     Rate Control
5     Too Many Message in Session
6     Timeout Exceeded
7     No Such Domain
8     No Such User
9     Subject Filter Match
11    Client IP
12    Recipient Address
13    No Valid Recipients
14    Domain Not Found
15    Sender Address
17    Need Fully Qualified Recipient
18    Need Fully Qualified Sender
19    Unsupported Command
20    MAIL FROM Syntax Error
21    Bad Address Syntax
22    RCPT TO Syntax Error
23    Send EHLO/HELO First
24    Need MAIL
25    Nested MAIL Command
27    EHLO/HELO Syntax Error
30    Mail Protocol Violation
31    Score
34    Header Filter Match
35    Sender Block/Accept
36    Recipient Block/Accept
37    Body Filter Match
38    Message Size Bypass
39    Intention Analysis Match
40    SPF/Caller-ID
41    Client Host Rejected
44    Authentication Not Enabled
45    Allowed Message Size Exceeded
46    Too Many Recipients
47    Need RCPT Command
48    DATA Syntax Error
49    Internal Error
      Too Many Hops
      Mail Protocol Error
      Invalid Parameter Syntax
      STARTTLS Syntax Error
      TLS Already Active
      Too Many Errors
      Need STARTTLS First
      Spam Fingerprint Found
      Barracuda Reputation Whitelist
      Barracuda Reputation Blocklist
      DomainKeys
      Recipient Verification Unavailable
      Realtime Intent
      Client Reverse DNS
      Email Registry
      Invalid Bounce
      Intent - Adult
      Intent - Political
      Multi-Level Intent
      Attachment Limit Exceeded
73    System Busy
74    BRTS Intent
75    Per-Domain Recipient
76    Per-Domain Sender
77    Per-Domain Client IP
78    Sender Spoofed
79    Attachment Content
80    Outlook Add-in
82    Barracuda IP/Domain Reputation
83    Authentication Failure
85    Attachment Size
86    Virus detected by Extended Malware Protection**
87    Extended Malware Protection engine is busy**
88    A message was categorized for Email Category**
89    Macro Blocked*

* Applies to version 8.0.1 and higher
** Applies to version 6.1 and higher
*** With version 7.1.1, no longer used
**** Applies to version 7.1.1.002 and higher

4. EventTracker Knowledge Pack

Once logs are received by EventTracker manager, Knowledge Packs can be configured into EventTracker. The following Knowledge Packs are available in EventTracker to support Barracuda Email Security Gateway.

4.1 Flex Reports

• Barracuda ESG – Virus detection in emails: Using this report we can find the information related to virus in email attachment with the action taken on the virus, sender, and receiver of the email.

Sample Report

Figure 2

Log sample

Figure 3

• Barracuda ESG - Action taken on malicious emails: This report provides information related to the action taken by the Barracuda Email Security Gateway on Virus found in the email attachment, spam emails or Authentication Failure. This report also provides detailed information about email sender address, recipient address, hostname and source IP address.

Sample Report

Figure 4

Log sample

Figure 5

• Barracuda ESG - Email Traffic details: This report provides detailed information on inbound, outbound, email scan and email statistics, including hostname, sender email address, recipient email, hostname, source IP address, the action taken on malicious activity and subject of the email. Using this report, we can filter out Audit sensitive data to see who did what, when, where, and how, to satisfy audits for multiple industry regulatory requirements.

Sample Report

Figure 6

Log sample

Figure 7

4.2 Alerts

• Barracuda ESG: Virus detected in the email: This alert is generated when any virus is detected in the email attachment.

4.3 Saved Search

• Barracuda ESG – Spam emails detection: This saved search provides information about the spam emails in traffic, including the sender and recipient address and action taken on the email.
• Barracuda ESG – Virus detection in the email: This saved search provides information about any virus detected in the email attachment, and also provides the details of the sender and recipient address.

4.4 Dashboards

• Barracuda ESG – Action taken on inbound emails:

Figure 8

• Barracuda ESG – Action taken on outbound emails:

Figure 9

• Barracuda ESG – Emails blocked by geo-location:

Figure 10

• Barracuda ESG – Emails statistics:

Figure 11

• Barracuda ESG – Emails virus detection by sender address:

Figure 12

• Barracuda ESG – Spam emails detail:

Figure 13

5. Importing Barracuda Email Security Gateway knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

• Alerts
• Categories
• Token Templates
• Knowledge Object
• Flex Reports
• Dashboard

1. Launch the EventTracker Control Panel.
2. Double click Export-Import Utility.

Figure 14

3. Click the Import tab.

5.1 Alerts

1. Click on Alert option, and then click the browse button.

Figure 15

2. Locate Alerts Barracuda ESG.isalt file, and then click the open button.

3. To import alerts, click the Import button.
4. EventTracker displays a success message.

Figure 16

5. Click the OK button, and then click the Close button.

Category

1. Click the Category option, and then click the browse button.

Figure 17

2. Locate Category Barracuda ESG.iscat file, and then click the Open button.
3. To import categories, click the Import button. EventTracker displays a success message.

Figure 18

4. Click OK, and then click the Close button.

5.2 Token Template

1. Login to the EventTracker Console.
2. Click on Admin > Parsing Rules.

Figure 19

3. Click on Template and click the import configuration symbol.

Figure 20

4. Locate the “.ettd” file and click on import.

Figure 21

5. Templates are imported now successfully.

Figure 22

5.3 Knowledge Object

1. Click Knowledge objects under the Admin option in the EventTracker manager page.

Figure 23

2. Next, click on the “import object” icon:

Figure 24

3. A pop-up box will appear. Click the “Browse” button and navigate to the file path with the extension “.etko”.

Figure 25

4. A list of available knowledge objects will appear. Select the relevant files and click on the “Import” button:

Figure 26

5. Knowledge objects are now imported successfully.

5.4 Flex Reports

1. In the EventTracker control panel, select “Export/ Import utility” and select the “Import tab”. Then, click the Reports option, and choose “New (*.etcrx)”:

Figure 27

2. Once you have selected “New (*.etcrx)”, a new pop-up window will appear. Click the “Select File” button and navigate to the file path with a file having the extension “.etcrx”. Select all the relevant files and then click the Import button.

Figure 28

3. EventTracker displays a success message:

Figure 29

5.5 Dashboard

1. Login to EventTracker.
2. Navigate to Dashboard > My Dashboard.
3. In “My Dashboard”, click the Import button:

Figure 30

Figure 31

4. Select the Browse button and navigate to the file path where the dashboard file is saved and click on the “Upload” button.
5. Once completed, choose “Select All” and click on the “Import” button.

Figure 32

6. Next, click the “Customize dashlet” button as shown below:

Figure 33

7. Now, put a text on the Search bar: “TM Worry-Free” and then select the Barracuda Email Security Gateway dashlets and then click the “Add” button.

Figure 34

6. Verifying Barracuda Email Security Gateway knowledge pack in EventTracker

6.1 Token Template

1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing Rules.
2. In the Parsing Rule tab select Template, click on the “Barracuda Email Security Gateway” group folder to view the imported templates.

Figure 35

6.2 Knowledge Object

1. In the EventTracker web interface, click the Admin dropdown, and then click Knowledge Objects.
2. In the Knowledge Object tree, expand the “Trend Micro Worry Free” group folder to view the imported Knowledge objects.

Figure 36

6.3 Flex Reports

1. In the EventTracker web interface, click the Reports menu, and then select the Report Configuration.

Figure 37

2. In Reports Configuration pane, select the Defined option.
3. Click on the Barracuda Email Security Gateway group folder to view the imported reports.

Figure 38

6.4 Dashboard

1. In the EventTracker web interface, click on the Home button and select “My Dashboard”.

Figure 39

2. In the “Barracuda Email Security Gateway” dashboard you should be now able to see something like this.

Figure 40
