
Barracuda Email Security Gateway

Syslog and the Barracuda Email Security Gateway


Information Provided by the Syslog

The Barracuda Email Security Gateway generates syslog messages as a means of logging both changes to the web interface configuration and what happens to each message as it is processed. The syslog messages are stored in text file format on the Barracuda Email Security Gateway and can be sent to a remote server configurable by the administrator. There are two syslog outputs you can monitor: the Mail syslog and the Web syslog.

The Web syslog contains information about user login activities and any configuration changes made to the Barracuda Email Security Gateway Web interface. User activity data appears on the local facility with login information at the info priority level, and configuration changes appear at the debug priority level on the specified syslog server. The Syslog section of the ADVANCED > Troubleshooting page shows the facility in use and lets you open a browser window to view the Web syslog output.

The Mail syslog logs what happens to each message as it is processed and is presented in a raw data format that includes reason codes relative to the message process. This guide will help you understand, parse, and utilize the mail syslog messages and reason codes generated by the Barracuda Email Security Gateway.

Parsing the Web Syslog

On the ADVANCED > Troubleshooting page, click Monitor Web Syslog in the Syslog section of the page. The format of the Barracuda Email Security Gateway syslog output is detailed below.

[Figure: webLogParsedOutput.jpg (parsed Web syslog output)]

[Figure: weblog.jpg (Web syslog output)]

Configuring the Barracuda Mail Syslog

To configure the Mail syslog, using the Barracuda Email Security Gateway Web interface, navigate to the ADVANCED > Advanced Networking page and enter the IP address and port of the syslog server to which syslog data related to mail flow should be sent. You can also specify the protocol, TCP or UDP, over which syslog data should be transmitted. TCP is recommended.

Syslog data is the same information as that used to build the Message Log in the Barracuda Email Security Gateway and includes data such as the connecting IP Address, envelope 'From' address, envelope 'To' address, and the spam score for the messages transmitted. This syslog data appears on the mail facility at the debug priority level on the specified syslog server. As the Barracuda Email Security Gateway uses the syslog messages internally for its own message logging, it is not possible to change the facility or the priority level. See the Syslog section of the ADVANCED > Troubleshooting page in the Barracuda Email Security Gateway Web interface to open a window and view the Mail syslog output.

If you are running syslog on a UNIX machine, be sure to start the syslog daemon process with the “-r” option so that it can receive messages from sources other than itself. Windows users will have to install a separate program to utilize syslog, since the Windows OS doesn’t include syslog capability. Kiwi Syslog is a popular solution, but many others are available to choose from, both free and commercial.

Syslog messages are sent via either TCP or UDP to the standard syslog port of 514. If there are any firewalls between the Barracuda Email Security Gateway and the server receiving the syslog messages, make sure that port 514 is open on the firewalls. 
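The receiving side of the setup described above, written for rsyslog (which replaces the legacy syslogd “-r” switch with an explicit listener). This is an added example, not configuration from the Barracuda documentation: the gateway address 192.0.2.10, the output file names and the choice of local0 for the Web syslog are assumptions to be replaced with your own values.

```conf
# Added example: rsyslog receiver for a Barracuda Email Security Gateway (not vendor-supplied).
# Assumes the gateway's address is 192.0.2.10 (documentation address; substitute your own).
module(load="imtcp")            # TCP listener; TCP is the protocol the page recommends
input(type="imtcp" port="514")  # standard syslog port; open it on any firewall in between

# The Mail syslog arrives on facility "mail" at priority "debug" and cannot be changed on
# the gateway, so select it by source host and facility, write it to its own file, and
# stop so the lines do not also land in the general mail log.
if $fromhost-ip == "192.0.2.10" and $syslogfacility-text == "mail" then {
    action(type="omfile" file="/var/log/barracuda-mail.log")
    stop
}

# The Web syslog (logins at info, configuration changes at debug) uses the facility shown
# on the ADVANCED > Troubleshooting page; this rule assumes local0 was chosen there.
if $fromhost-ip == "192.0.2.10" and $syslogfacility-text == "local0" then {
    action(type="omfile" file="/var/log/barracuda-web.log")
    stop
}
```

Matching on $fromhost-ip rather than on the hostname in the message keeps the rule from being spoofed by a log line that merely claims to come from the gateway; keeping the two outputs in separate files also makes the configuration-change log (the one an auditor cares about) easy to ship on its own.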

Parsing the Mail Syslog

The format of the Barracuda Email Security Gateway syslog output is detailed below. For a programmer's guide to parsing the syslog, see How to Parse the Barracuda Email Security Gateway Syslog.

[Figure: SpamSyslogFormat2014.png (Mail syslog format)]

Barracuda Syslog Format

The Barracuda Email Security Gateway sends syslog messages in the following format. Whenever an action is taken on a message, it is logged with the syslog. A message sent to multiple recipients will be logged separately for each recipient. Please be aware that the various syslog implementations may not display the messages in this exact format. However, the sections should still be present in the syslog lines as shown in the table below. The following represents the main part of the syslog line:


Each section of the syslog line is defined in the table below.

Syslog Section – Description

Timestamp – The time that the syslog message was logged. For reporting purposes, this section of the syslog line can be ignored. It is useful when analyzing the logs by hand, but is not needed for compiling reports. NOTE: In version 5.1.3.007, the Year was appended to the end of the Timestamp field.

Host – Indicates the host that generated the syslog message. Useful if you have multiple Barracuda appliances and need to know which host sent the message.

Barracuda Process – Indicates the process that the email message was in when the syslog message was generated. Possibilities are: inbound/pass1 … inbound/pass2 … scan … outbound/smtp. NOTE: In version 6.0.2.002, the 5 digit Process ID ([27564] in the example above) was removed.

Barracuda Message ID – The most important piece of the syslog entry. This ID is used to uniquely identify a message. The ID may occur in one of two formats (a different format is used for the inbound process and for the scan process). For example, the ID 1126226282-27564-2-0 is used for RECV transactions and means the following:

  • 1126226282 = UNIX timestamp
  • 27564-2 = Internal Process ID
  • 0 = Message number in SMTP session – this number indicates how many messages have been sent in that single SMTP session

Start – The start time of the message in UNIX timestamp format, indicating when the sender began giving us the “From” information for the message.

End – The end time of the message in UNIX timestamp format, indicating when the sending server stopped sending the message.

Service – The service that produced the message. The following services are available:

  • RECV – This service indicates a message was handled by the MTA and processing stopped.
  • SCAN – This service indicates the message was scanned and processing may have stopped, or the message may have been sent to outbound processing for delivery.
  • SEND – This service indicates the status of outbound delivery. It is the only entry that may appear multiple times for a given message ID, since delivery may initially have been deferred before succeeding later on.

Info – This section contains the actual information about what happened to a given message. It depends on the service that sent the information, and the following formats are used:

  • RECV – Sender Recipient Action Reason ReasonExtra
  • SCAN – Encrypted Sender Recipient Score Action Reason ReasonExtra SZ "SUBJ:"Subject
    Note that if TLS is used, 'ENC' will be displayed before the SZ: entry; if TLS is not used, there will be a '' before the SZ: entry.
  • SEND – Encrypted Action QueueID Response

The possible fields have the following meanings:

  • Sender – The address of the sender, if available, and '' if the sender is blank.
  • Recipient – The address of the recipient, if available, and '-' if not available.
  • Action – The action code indicating what action was taken for the message. For the SEND service these action codes have different meanings.
  • Reason – The reason code indicating the reason for the action taken.
  • ReasonExtra – Extra information about a given reason (e.g. the RBL or the body filter that matched in the message).
  • Encrypted – Indicates whether or not the message was received or sent encrypted.
  • Score – The score given to the message if the scoring mechanism was run.
  • Subject – The subject of the message, if available.
  • QueueID – The queue ID of the message on the Barracuda as delivery is being attempted.
  • Response – The response given back by the mail server, if available.

Barracuda Action Codes

RECV and SCAN Services

ID   Meaning
0    Allowed Message
1    Aborted Message
2    Blocked Message
3    Quarantined Message
4    Tagged Message
5    Deferred Message
6    Per-User Quarantined Message
7    Whitelisted Message
8    Encrypted Message
9    Redirected Message
10   Attachments Stubbed *

* Applies to version 6.0 and higher

SEND Service

ID   Meaning
1    Delivered Message
2    Rejected Message
3    Deferred Message
4    Expired Message

Barracuda Reason Codes

RECV and SCAN Services

ID   Meaning
1    Virus
2    Banned Attachment
3    RBL Match
4    Rate Control
5    Too Many Messages In Session
6    Timeout Exceeded
7    No Such Domain
8    No Such User
9    Subject Filter Match
11   Client IP
12   Recipient Address
13   No Valid Recipients
14   Domain Not Found
15   Sender Address
17   Need Fully Qualified Recipient
18   Need Fully Qualified Sender
19   Unsupported Command
20   MAIL FROM Syntax Error
21   Bad Address Syntax
22   RCPT TO Syntax Error
23   Send EHLO/HELO First
24   Need MAIL Command
25   Nested MAIL Command
27   EHLO/HELO Syntax Error
30   Mail Protocol Violation
31   Score
34   Header Filter Match
35   Sender Block/Accept
36   Recipient Block/Accept
37   Body Filter Match
38   Message Size Bypass
39   Intention Analysis Match
40   SPF/Caller-ID
41   Client Host Rejected
44   Authentication Not Enabled
45   Allowed Message Size Exceeded
46   Too Many Recipients
47   Need RCPT Command
48   DATA Syntax Error
49   Internal Error
50   Too Many Hops
51   Mail Protocol Error
55   Invalid Parameter Syntax
56   STARTTLS Syntax Error
57   TLS Already Active
58   Too Many Errors
59   Need STARTTLS First
60   Spam Fingerprint Found
61   Barracuda Reputation Whitelist
62   Barracuda Reputation Blocklist
63   DomainKeys
64   Recipient Verification Unavailable
65   Realtime Intent
66   Client Reverse DNS
67   Email Registry
68   Invalid Bounce
69   Intent - Adult
70   Intent - Political
71   Multi-Level Intent
72   Attachment Limit Exceeded
73   System Busy
74   BRTS Intent
75   Per Domain Recipient
76   Per Domain Sender
77   Per Domain Client IP
78   Sender Spoofed
79   Attachment Content
80   Outlook Add-in
82   Barracuda IP/Domain Reputation
83   Authentication Failure
85   Attachment Size
86   Virus detected by Extended Malware Protection **
87   Extended Malware Protection engine is busy **
88   A message was categorized for Email Category **
89   Macro Blocked *

* Applies to version 8.0.1 and higher

** Applies to version 6.1 and higher

*** With version 7.1.1, no longer used

**** Applies to version 7.1.1.002 and higher
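A parser that puts the section layout, the per-service Info formats and the action/reason tables above to work. This is an added example, not the vendor's parser and not the code from the "How to Parse" guide the page links to. It assumes the raw text form "timestamp host process[pid]: message-id start end SERVICE info", with the [pid] optional as described for 6.0.2.002, that empty fields appear as "-", that SZ: carries the message size, and that ReasonExtra contains no spaces; the sample lines, hosts, addresses, IDs and SMTP response are constructed for the example, and only a subset of the code tables is included.

```python
"""Added example: parse Barracuda Email Security Gateway mail syslog lines (not vendor code)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Subset of the action and reason code tables on this page.
ACTIONS = {0: "Allowed Message", 1: "Aborted Message", 2: "Blocked Message",
           3: "Quarantined Message", 4: "Tagged Message", 5: "Deferred Message",
           6: "Per-User Quarantined Message", 7: "Whitelisted Message",
           8: "Encrypted Message", 9: "Redirected Message", 10: "Attachments Stubbed"}
SEND_ACTIONS = {1: "Delivered Message", 2: "Rejected Message",
                3: "Deferred Message", 4: "Expired Message"}
REASONS = {1: "Virus", 2: "Banned Attachment", 3: "RBL Match", 4: "Rate Control",
           8: "No Such User", 31: "Score", 37: "Body Filter Match", 40: "SPF/Caller-ID",
           62: "Barracuda Reputation Blocklist", 78: "Sender Spoofed", 89: "Macro Blocked"}

# Anchor on the documented order after the process name: process[pid]: msgid start end SERVICE info.
# The [pid] is optional because the page says it was dropped in version 6.0.2.002.
_CORE = re.compile(
    r"(?P<proc>[\w/.-]+)(?:\[(?P<pid>\d+)\])?:\s+"
    r"(?P<msgid>\d+-\d+-\d+-\d+)\s+(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<service>RECV|SCAN|SEND)\s*(?P<info>.*)$")


@dataclass
class MailEvent:
    timestamp: str
    host: str
    process: str
    msgid: str
    start: int
    end: int
    service: str
    fields: dict = field(default_factory=dict)


def _blank(tok):
    """'-' is the placeholder assumed here for an empty field."""
    return None if tok in ("", "-") else tok


def _code(table, tok):
    """Map a numeric action/reason code to its name; unknown codes pass through as text."""
    return table.get(int(tok), f"code {tok}") if tok.isdigit() else _blank(tok)


def split_message_id(msgid):
    """Decompose a RECV-style ID such as 1126226282-27564-2-0 (the page's own example)."""
    unix_time, pid, seq, msg_no = msgid.split("-")
    return {"unix_time": int(unix_time), "process_id": f"{pid}-{seq}",
            "message_number": int(msg_no)}


def _parse_info(service, info):
    if service == "RECV":   # Sender Recipient Action Reason ReasonExtra
        sender, rcpt, action, reason, *extra = info.split()
        return {"sender": _blank(sender), "recipient": _blank(rcpt),
                "action": _code(ACTIONS, action), "reason": _code(REASONS, reason),
                "reason_extra": _blank(" ".join(extra))}
    if service == "SEND":   # Encrypted Action QueueID Response
        enc, action, queue_id, *response = info.split()
        return {"encrypted": enc == "ENC", "action": _code(SEND_ACTIONS, action),
                "queue_id": queue_id, "response": _blank(" ".join(response))}
    # SCAN: Encrypted Sender Recipient Score Action Reason ReasonExtra SZ:<n> SUBJ:<subject>
    head, _, subject = info.partition("SUBJ:")   # the subject may contain spaces
    toks = head.split()
    size = int(toks.pop()[3:]) if toks and toks[-1].startswith("SZ:") else None
    encrypted = False
    if toks and toks[-1] == "ENC":          # page: 'ENC' may sit just before the SZ: entry
        toks.pop()
        encrypted = True
    if toks and toks[0] in ("ENC", "-"):    # page: Encrypted is also the first SCAN field
        encrypted = encrypted or toks.pop(0) == "ENC"
    sender, rcpt, score, action, reason, *extra = toks
    return {"encrypted": encrypted, "sender": _blank(sender), "recipient": _blank(rcpt),
            "score": float(score) if score != "-" else None,
            "action": _code(ACTIONS, action), "reason": _code(REASONS, reason),
            "reason_extra": _blank(" ".join(extra)), "size": size,
            "subject": subject.strip() or None}


def parse_line(line):
    """Parse one raw mail syslog line into a MailEvent; ValueError if it does not match."""
    s = line.strip()
    m = _CORE.search(s)
    if not m:
        raise ValueError(f"not a Barracuda mail syslog line: {s!r}")
    prefix = s[:m.start()].split()          # timestamp words followed by the host
    ev = MailEvent(" ".join(prefix[:-1]), prefix[-1] if prefix else "", m["proc"],
                   m["msgid"], int(m["start"]), int(m["end"]), m["service"])
    ev.fields = _parse_info(ev.service, m["info"])
    return ev


def summarize(text):
    """Count events by (service, action); a sudden jump in blocked or quarantined mail stands out."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            ev = parse_line(line)
            counts[(ev.service, ev.fields.get("action"))] += 1
    return counts


# Constructed sample lines: hosts, addresses, IDs, subjects and the SMTP response are made up.
SAMPLE = """\
Oct 25 10:01:02 2014 bsg.example.net inbound/pass1[27564]: 1414231262-27564-2-0 1414231262 1414231262 RECV bulk@sender.example rcpt@corp.example 2 3 zen.spamhaus.org
Oct 25 10:01:05 2014 bsg.example.net scan: 1414231265-27565-3-0 1414231265 1414231266 SCAN - news@sender.example rcpt@corp.example 4.50 3 31 - SZ:23411 SUBJ:Quarterly report attached
Oct 25 10:01:06 2014 bsg.example.net scan: 1414231266-27566-1-0 1414231266 1414231266 SCAN ENC alice@partner.example bob@corp.example 0.10 0 - - SZ:1024 SUBJ:Re: meeting
Oct 25 10:01:07 2014 bsg.example.net outbound/smtp[27570]: 1414231266-27566-1-0 1414231266 1414231267 SEND ENC 1 3A1B2C3D4E 250 2.0.0 Ok: queued as 9F8E7D
"""

if __name__ == "__main__":
    for raw in SAMPLE.splitlines():
        print(parse_line(raw))
    print(summarize(SAMPLE))
```

Because the SEND entry is the only one that repeats for a message ID, anything that aggregates per message should key on the Barracuda Message ID and keep the last SEND action rather than counting every attempt; the Counter in summarize deliberately counts events, not messages.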

