Wazuh has some existing decoders for Barracuda.
In case these decoders don't give the expected results, it would still be possible to add custom decoders for your log. Check this document to learn more about writing custom decoders:
Decoders Syntax
We recommend creating custom rules and decoders based on archives.json because in these logs we can see the field full_log, which is the one being parsed by analysisd. One of the archives.json events should look like this (the field of interest is in bold):
{"timestamp":"2025-07-09T05:40:06.149+0000","rule":{"level":3,"description":"PAM: Login session closed.","id":"5502","firedtimes":3,"mail":true,"groups":["pam","syslog"],"pci_dss":["10.2.5"],"gpg13":["7.8","7.9"],"gdpr":["IV_32.2"],"hipaa":["164.312.b"],"nist_800_53":["AU.14","AC.7"],"tsc":["CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"uwazuh"},"manager":{"name":"uwazuh"},"id":"1752039606.7073326","cluster":{"name":"wazuh","node":"node01"},"full_log":"Jul 09 05:40:05 uwazuh sudo[77929]: pam_unix(sudo:session): session closed for user root","predecoder":{"program_name":"sudo","timestamp":"Jul 09 05:40:05","hostname":"uwazuh"},"decoder":{"parent":"pam","name":"pam"},"data":{"dstuser":"root"},"location":"journald"}
You can enable the archive JSON format log from your manager's ossec.conf
<ossec_config>
<global>
___________________
<logall_json>yes</logall_json>
_______________
After making the changes, make sure to restart the manager.
Now, check the output of this command. Use a keyword related to your log.
cat /var/ossec/logs/archives/archives.json | grep Keyword_related_to_your_log
Note: Don't forget to disable the logall parameter once you have finished troubleshooting. Leaving it enabled could lead to high disk space consumption.
Ref: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/global.html#logall-json
Test those logs using log-test to find out if logs are decoded by decoders and rules.
Check this document to get help with the logtest tool.
https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
Server management > Ruleset test
Check the screenshot for reference.
Test the log from the full_log field.
Ex:
Jul 09 05:40:05 uwazuh sudo[77929]: pam_unix(sudo:session): session closed for user root
If you need further assistance, please share some sample Barracuda Email Gateway logs from the archives.json log in text format related to the logs you want to test.
cat /var/ossec/logs/archives/archives.json | grep Keyword
Make sure to replace the sensitive information with dummy values.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/f36ecce3-6c47-4f07-a2a9-011b823028fcn%40googlegroups.com.
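As an added example (not from the post above or from Wazuh's own tooling), a small Python script that does what the cat | grep command does, but only on the full_log field, and masks hosts, users and IPs with dummy values before a sample is shared, as the post asks. The archives.json lines, hostnames and user names below are constructed; the file path is the one the post mentions.

```python
import json
import re
from typing import Iterable, List, Sequence

# Constructed sample of archives.json content (NDJSON, one event per line):
# the first line mirrors the event quoted in the post, the second is unrelated,
# the third is a truncated line that must not break the extraction.
SAMPLE_ARCHIVES = [
    '{"timestamp":"2025-07-09T05:40:06.149+0000","agent":{"id":"000","name":"uwazuh"},'
    '"full_log":"Jul 09 05:40:05 uwazuh sudo[77929]: pam_unix(sudo:session): '
    'session closed for user root","decoder":{"parent":"pam","name":"pam"},'
    '"data":{"dstuser":"root"},"location":"journald"}',
    '{"timestamp":"2025-07-09T05:41:00.000+0000","agent":{"id":"001","name":"mailgw"},'
    '"full_log":"Jul 09 05:40:59 mailgw sshd[1200]: Accepted publickey for alice from 10.1.2.3",'
    '"decoder":{"name":"sshd"},"location":"journald"}',
    '{"timestamp":"2025-07-09T05:42:00.000+0000","full_log":"Jul 09 05:41:59 mailgw cron[',
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_full_logs(lines: Iterable[str], keyword: str) -> List[str]:
    """Return the full_log of every parseable event whose full_log contains keyword.

    Only full_log is searched, because that is the string analysisd hands to the
    decoders; grepping the whole JSON line would also match decoder names, rule
    descriptions and other metadata that are not part of the log itself."""
    found = []
    for raw in lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial line (e.g. file read mid-write): skip it, do not abort
        full_log = event.get("full_log")
        if isinstance(full_log, str) and keyword.lower() in full_log.lower():
            found.append(full_log)
    return found


def redact(line: str, hostnames: Sequence[str] = (), users: Sequence[str] = ()) -> str:
    """Replace IPv4 addresses, hostnames and user names with dummy values."""
    line = IPV4.sub("192.0.2.1", line)  # RFC 5737 documentation address
    for host in hostnames:
        line = re.sub(rf"\b{re.escape(host)}\b", "example-host", line)
    for user in users:
        line = re.sub(rf"\b{re.escape(user)}\b", "exampleuser", line)
    return line


if __name__ == "__main__":
    # On a manager: with open("/var/ossec/logs/archives/archives.json") as f: ...
    for entry in extract_full_logs(SAMPLE_ARCHIVES, "sudo"):
        print(redact(entry, hostnames=["uwazuh"], users=["root"]))
```

Each printed line is ready to paste into the Ruleset test page as-is.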