Collect Barracuda Email Security Gateway logs
=============================================

Last updated 2025-08-21 UTC.

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

> **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect Barracuda Email Security Gateway (ESG) logs by using Bindplane. The parser extracts fields from the logs using Grok patterns and JSON parsing, maps the extracted fields to the Unified Data Model (UDM) schema, categorizes the email activity (for example, spam or phishing), and records the security action taken (for example, allow, block, or quarantine).

Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.
- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that you have privileged access to the Barracuda Email Security Gateway.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed. The file is a long-lived credential that authorizes ingestion into your tenant, so restrict read access to the account the agent runs as.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install the Bindplane agent
---------------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

        msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

        sudo sh -c "$(curl -fsSL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

    This downloads the installer over HTTPS and runs it as root. If your change process requires it, download the script first, review it, and then run it.

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure the Bindplane agent to ingest Syslog and send to Google SecOps
------------------------------------------------------------------------

1. Access the configuration file:

    1. Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

        receivers:
            udplog:
                # Replace the port and IP address as required
                listen_address: "0.0.0.0:54525"

        exporters:
            chronicle/chronicle_w_labels:
                compression: gzip
                # Adjust the path to the credentials file you downloaded in Step 1
                creds: '/path/to/ingestion-authentication-file.json'
                # Replace with your actual customer ID from Step 2
                customer_id: <customer_id>
                endpoint: malachiteingestion-pa.googleapis.com
                # Add optional ingestion labels for better organization
                ingestion_labels:
                    log_type: SYSLOG
                    namespace: barracuda_email
                    raw_log_field: body

        service:
            pipelines:
                logs/source0__chronicle_w_labels-0:
                    receivers:
                        - udplog
                    exporters:
                        - chronicle/chronicle_w_labels

3. Replace the port and IP address as required in your infrastructure. `0.0.0.0` listens on every interface; because UDP syslog carries no sender authentication, any host that can reach the port can inject log lines. Bind the interface the ESG reaches, and restrict the port to the ESG's IP address at the host firewall.

4. Replace `<customer_id>` with the actual customer ID.

5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/barracuda-email#get-auth-file) section.

Restart the Bindplane agent to apply the changes
------------------------------------------------

- To restart the Bindplane agent in Linux, run the following command:

        sudo systemctl restart bindplane-agent

- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:

        net stop BindPlaneAgent && net start BindPlaneAgent

    In Windows PowerShell 5.1, which does not support `&&`, run the two `net` commands separately.

Configure Barracuda Email Security Gateway
------------------------------------------

1. Sign in to the **Barracuda ESG Interface**.
2. Select **Advanced > Advanced networking > Syslog Configuration**.
3. Provide the following details:
    - Enable Syslog logging by checking the **Enable Syslog** checkbox.
    - **Syslog Server**: enter the IP address of the host running the Bindplane agent.
    - **Port**: specify the Syslog port. The default is 514; it must match the port in the `listen_address` of the `udplog` receiver in the Bindplane configuration (54525 in the example above).
    - **Syslog Facility**: choose **Local0**.
    - **Severity Level**: select **Error and Warning** for higher-priority email security logs.
4. Click **Save Changes** to apply the configuration.

> **Note:** Ensure that all relevant logs (for example, spam detections, email quarantines, traffic patterns) are being sent to Syslog for comprehensive monitoring. A severity filter drops every message logged below the selected level, so if events you need do not arrive in Google SecOps, choose a more inclusive level.

UDM Mapping Table
-----------------

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)
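The Bindplane configuration procedure above asks you to edit three values by hand and offers no way to confirm them before restarting the agent. The following pre-flight check is an added example written for this page; it is not part of Bindplane or Google SecOps. It reads the `config.yaml` text, pulls out `listen_address`, `creds` and `customer_id` with narrow regular expressions (not a YAML parser; it assumes each key appears once, as in the example configuration), and flags a leftover placeholder, a missing, malformed or group/world-readable credentials file, a UDP port that differs from the one the Barracuda ESG is configured to send to, and a wildcard bind. The embedded `EXAMPLE_CONFIG` is a copy of the page's configuration, and the 514 default used when no port is given is the ESG default the page cites.

```python
"""Pre-flight checks for a Bindplane config.yaml that feeds Google SecOps.

Added example for this page; not Bindplane or Google SecOps code. The regexes
are deliberately narrow: they assume each key appears once, as in the page's
example configuration, and are not a YAML parser.
"""
from __future__ import annotations

import json
import os
import re
import stat
import sys

# Copy of the page's example configuration (constructed sample input).
EXAMPLE_CONFIG = """\
receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:54525"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        ingestion_labels:
            log_type: SYSLOG
            namespace: barracuda_email
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels
"""

PLACEHOLDER_CUSTOMER_ID = "<customer_id>"
PLACEHOLDER_CREDS_PATH = "/path/to/ingestion-authentication-file.json"


def extract_scalar(config_text: str, key: str) -> str | None:
    """Return the unquoted value of the first `key: value` line, or None if absent."""
    pattern = rf"^\s*{re.escape(key)}:\s*['\"]?([^'\"\s#]+)"
    match = re.search(pattern, config_text, re.MULTILINE)
    return match.group(1) if match else None


def split_listen_address(value: str) -> tuple[str, int]:
    """'0.0.0.0:54525' -> ('0.0.0.0', 54525); ':54525' -> ('', 54525)."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def check_creds_file(path: str) -> list[str]:
    """The ingestion authentication file is a long-lived secret: it must exist,
    parse as JSON, and (on POSIX) be readable by the agent's account only."""
    if not os.path.isfile(path):
        return [f"creds file not found: {path}"]
    findings: list[str] = []
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            findings.append(f"creds file {path} is readable by group/others (mode {mode:o}); chmod 600 it")
    try:
        with open(path, encoding="utf-8") as fh:
            json.load(fh)
    except (OSError, ValueError):
        findings.append(f"creds file {path} is not valid JSON")
    return findings


def check_config(config_text: str, esg_syslog_port: int) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: list[str] = []

    if extract_scalar(config_text, "customer_id") in (None, PLACEHOLDER_CUSTOMER_ID):
        findings.append("customer_id is missing or still the <customer_id> placeholder")

    creds = extract_scalar(config_text, "creds")
    if creds in (None, PLACEHOLDER_CREDS_PATH):
        findings.append("creds is missing or still the placeholder path")
    else:
        findings.extend(check_creds_file(creds))

    listen = extract_scalar(config_text, "listen_address")
    if listen is None:
        findings.append("udplog receiver has no listen_address")
    else:
        host, port = split_listen_address(listen)
        if port != esg_syslog_port:
            findings.append(f"Bindplane listens on UDP {port} but the ESG is set to send to port {esg_syslog_port}")
        if host in ("", "0.0.0.0", "::"):
            # UDP syslog has no sender authentication: a wildcard bind accepts
            # injected log lines from any host that can reach the port.
            findings.append(f"listen_address {listen} binds every interface; bind the interface "
                            "facing the ESG and firewall the port to the ESG's IP")
    return findings


if __name__ == "__main__":
    # Usage: python preflight.py /etc/bindplane-agent/config.yaml 54525
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else EXAMPLE_CONFIG
    esg_port = int(sys.argv[2]) if len(sys.argv) > 2 else 514  # ESG default from the page
    for line in check_config(text, esg_port) or ["all checks passed"]:
        print(line)
```

Run against the untouched example with the ESG still on its default port, the checker reports all four problems the procedure warns about; once the placeholders are replaced, the credentials file is `chmod 600`, and both sides agree on the port, it reports nothing.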
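Before pointing the appliance at the agent, it helps to confirm that a datagram shaped like the ESG's output actually reaches the UDP port, and to see what the facility and severity chosen in the Barracuda settings become on the wire. The script below is an added example for this page, not Barracuda, Bindplane or Google SecOps code. It computes the RFC 3164 PRI value for Local0 plus a severity, builds a test message (the message text is constructed and is not a real ESG log line), parses the PRI back out, and either sends the datagram to the real collector address or, for a loopback self-test, to a throwaway listener standing in for the `udplog` receiver. The agent address `10.0.0.5` in the commented call is assumed; the port 54525 is the page's example. `passes_threshold` encodes the assumption that the ESG's **Error and Warning** setting forwards messages at severity warning (4) and more severe; the page does not state how the appliance applies that setting.

```python
"""Send a syslog test datagram the way the Barracuda ESG will, and inspect what arrives.

Added example for this page; not Barracuda, Bindplane or Google SecOps code.
"""
from __future__ import annotations

import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "lpr": 6, "news": 7,
    "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI value for a facility/severity pair; Local0 + warning gives 132."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, hostname: str, tag: str, text: str,
                  when: datetime | None = None) -> bytes:
    """Format an RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day is space-padded)."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}".encode()


def parse_pri(datagram: bytes) -> tuple[str, str]:
    """Recover (facility, severity) names from the leading <PRI> of a datagram."""
    head, sep, _ = datagram.decode(errors="replace").partition(">")
    if not (sep and head.startswith("<") and head[1:].isdigit()):
        raise ValueError("datagram does not start with <PRI>")
    fac_code, sev_code = divmod(int(head[1:]), 8)
    facility = next((k for k, v in FACILITIES.items() if v == fac_code), f"unknown({fac_code})")
    severity = next(k for k, v in SEVERITIES.items() if v == sev_code)  # sev_code is always 0..7
    return facility, severity


def passes_threshold(severity: str, threshold: str = "warning") -> bool:
    """Lower code means more severe. Assumption (not stated on the page): the ESG's
    'Error and Warning' setting forwards warning (4) and more severe, dropping notice/info."""
    return SEVERITIES[severity] <= SEVERITIES[threshold]


def send_to_collector(datagram: bytes, host: str, port: int) -> None:
    """Fire-and-forget UDP send to the Bindplane listener. UDP gives no delivery
    signal, so confirm arrival in the Google SecOps raw log search afterwards."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))


def loopback_self_test(datagram: bytes, port: int = 0, timeout: float = 2.0) -> bytes:
    """Bind a throwaway UDP listener standing in for the udplog receiver (port 0 picks an
    ephemeral port so it never collides with a running agent), send to it, return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        send_to_collector(datagram, "127.0.0.1", bound_port)
        data, _ = listener.recvfrom(65535)
    return data


if __name__ == "__main__":
    # Constructed test text; not a real Barracuda ESG log line.
    msg = build_message("local0", "warning", "barracuda-esg", "bindplane-test",
                        "syslog connectivity test from the ESG admin host")
    echoed = loopback_self_test(msg)
    print(echoed.decode(), parse_pri(echoed))
    # send_to_collector(msg, "10.0.0.5", 54525)  # assumed agent IP; page's example port
```

If the loopback self-test returns the datagram but nothing shows up in Google SecOps after `send_to_collector`, the problem is between the sending host and the agent (host firewall, wrong `listen_address` interface, or a port mismatch), not in the message format.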