Eli Fulkerson .com HomeProjectsSyslog-scripts-for-barracuda-spam-firewall
 

Syslog parsing scripts for the Barracuda Spam Firewall

Description:

The Barracuda Spam Firewall has the capability to log to an external syslog server. These are scripts to parse the resulting logfile (/var/log/mail in my implementation) and to glean usable data from them. In particular, I was interested in pulling error and virus information out and presenting them neatly.

Platform:

  • Any platform that supports bash. (Probably sh as well, but was tested on a system where sh --> bash.) Relies on awk and various other standard gnu utils, but nothing out of the ordinary.

  • barracuda_error.sh

    Parses /var/log/mail and generates a list of Barracuda errors for the current day.

    #!/bin/sh
    
    # This is a script to parse syslog messages from a Barracuda Spam Firewall and
    # extract only the error messages.
    
    # It makes several assumptions (not the least of which that your barracuda logs to /var/log/maillog),
    # and might need to be tweaked (or not work at all) if your syslog format differs from the one
    # I was using in any way.
    
    # This script lives at http://www.elifulkerson.com
    
    now=`date |awk '{printf "%s %2s", $2, $3}'`
    date
    echo 
    
    echo Daily Barracuda Errorlog
    echo ------------------------
    cat /var/log/maillog |grep "$now" |grep barracuda |grep error | awk '{print substr($0,index($0,$7),132)}' |sort |uniq -c |sort -rn
    
    echo
    echo This report is based on the syslog output of the Barricuda Spam Firewall.
    

    Download (plain text)


    barracuda_virus.sh

    Parses /var/log/mail and generates a list of virus activity seen by the Barracuda for the current day.

    #!/bin/sh
    
    # This is a script to parse syslog messages from a Barracuda Spam Firewall and
    # extract information about blocked Virus activity.
    
    # It makes several assumptions (not the least of which that your barracuda logs to /var/log/maillog),
    # and might need to be tweaked (or not work at all) if your syslog format differs from the one
    # I was using in any way.
    
    # This script lives at http://www.elifulkerson.com
    
    now=`date |awk '{printf "%s %2s", $2, $3}'
    date
    echo 
    echo Most Popular Detected Virus Origins
    echo -----------------------------------
    for msgid in `cat /var/log/maillog |grep "$now" |grep virus_block |awk '{print $6}'|awk '{FS=":"; print $1}'`; do
    	cat /var/log/maillog |grep $msgid |grep connect |awk '{print $7}'
    done |sort |uniq -c |sort -rn
    
    echo
    echo
    
    echo Most Popular Detected Virus Payloads
    echo ------------------------------------
    for msgid in `cat /var/log/maillog |grep "$now" |grep virus_block |awk '{print $6}'|awk '{FS=":"; print $1}'`; do
    	cat /var/log/maillog |grep $msgid |grep virus_block |awk '{print $7}'
    done |sort |uniq -c |sort -rn
    
    echo
    echo This report is based on the syslog output of the Barricuda Spam Firewall, and only notes viruses attempting to pass through it.
    

    Download (plain text)