Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configuring Syslog on Barracuda Email Security Gateway

Owned by Customer Success & Engineering (Unlicensed)
Last updated: Feb 27, 2023
3 min read

Overview

We will provide you with the steps to integrate your Barracuda Email Security Gateway with Seceon SIEM so that you can have comprehensive visibility and proactive threat detection in your environment. There will be a log transfer between your firewall and APE (Analytics and Policy Engine) via CCE (Collection and Control Engine). This document will guide you through the steps for Syslog Integration, which enables you to export your message log data to a Syslog server or a security information and event management (SIEM) system. With Syslog Integration, you can use it for tracking, analysis, and troubleshooting.

Prerequisites

The prerequisites for this integration are that Seceon CCE should be installed and the Syslog UDP Port 514 should be allowed in the firewall.

Configuring Barracuda to forward logs to CCE

Configure Barracuda Email Security Gateway device to send the syslogs to Firewall analyzer

  • Select Advanced > Advanced Networking.

  • In the Syslog Configuration section, specify the IP address of the Firewall analyzer in the Mail Syslog and Web Interface Syslog fields.

  • Enter port 514 and select UDP protocol.

  • Click Save.

 

  • Open any firewall ports needed for communication with your Syslog server/SIEM system.
    Refer to Barracuda Email Security Service IP Ranges for information on IP ranges.

  • Click Test to ensure that the Barracuda Email Security Service can connect with your Syslog server/SIEM system.

  • If the test works, your message log data begins transferring to your Syslog server/SIEM system.

  • If the test fails, check the IP Address/Hostname and Port information and reenter it if needed. Then perform the test again.

To delete the Syslog server, click Delete.

Verification

There are two ways to check at the Seceon CCE Device & Seceon UI Portal.

  • Open your CCE Server with the putty session with Seceon as a user and run the command sudo tcpdump -i any port 514 and host CCE_IP

Using UI

STEP 1:Log in to UI >> System

STEP 2: >> Logs and flows collection status

STEP 3: >>To verify the source device IP from the UI:

  • Log in to the user interface

  • Navigate to the "System" section

  • Look for the "Source Device IP"

  • Check the IP address that is displayed

  • Compare the IP address displayed against the expected source device IP

This will allow you to ensure that the system is properly identifying the source device IP and that it matches the expected IP address..

 

Seceon Inc. All rights reserved. https://www.seceon.com