Barracuda Log Files

Posted on 2013-09-09
Medium Priority
Last Modified: 2014-05-05
I have a Barracuda Spam and Virus Firewall 400. I have reason to believe that one of our coworkers has been viewing other people's emails, using this as a way to SPY on people. Is there any way to view logs and see what kinds of activities have been done by someone with credentials to look at this info?
Question by:Martyt1988
LVL 66

Accepted Solution

btan earned 2000 total points
ID: 39478673
I see it from the angle of the server first, as it tracks login events, assuming you have audit trails turned on. The spam and virus firewall may be more specific to external threats, though you can still try to detect data leakage attempts from a particular machine and its anomalous activities. But this may not allude to that user doing insider stuff on another colleague. Best to have tracking software on his machine, if viable, for legal action subsequently.

But probably the key inputs come from the server log, as shared in the CERT document below. I extracted some of it, but there is more:

2. Examine log files
Examine log files for connections from unusual locations or for other unusual activity. You can use the Event Viewer to check for odd logon entries, failures of services, or unexplained system restarts. If your firewall, web server, or router writes logs to a location different than the system being investigated, remember to check these logs as well. Remember, this is not foolproof unless you log to append-only media or a secure logging server; many intruders edit or remove log files in an attempt to hide their activity.

3. Check for odd user accounts and groups
You can use "Local Users and Groups" (lusrmgr.msc) from a domain member or stand alone computer or the "net user", "net group" and "net localgroup" commands at the command line. One other option is to use the "wmic useraccount" command. On a domain controller, "Active Directory Users and Computers" (dsa.msc) may be used to view and verify domain accounts, however "net user" and "net group" will still work.

Expert Comment

ID: 39479417
If you're talking about the Barracuda activity log, you can do this by enabling the syslog feature.

Tracking Changes to the Configuration and User Login Activities

You can view user login activities and any configuration changes, as well as data related to mail flow.

From the ADVANCED > Troubleshooting page, use the Monitor Web Syslog button to view the web syslog output. You can also configure a syslog server as described in Using a Syslog Server to Centrally Monitor System Logs.
LVL 66

Expert Comment

ID: 39479926
I was also thinking of exporting its log into CSV to perform a keyword search for this user ID and activities, and any associated sign of compromise, e.g. brute force attempts, login timing during lunch time and "off" office hours, visiting certain sites that are not typical, or that host spyware or are of low reputation (flagged by the web filter), etc.

But pushing ahead, a SIEM is another typical tool used in an overall organisation SOC, where all monitored devices such as FW, NIPS, policy servers, Windows/Linux servers, proxy, etc. pipe their syslog (in general) into it. Correlation rules fire when their conditions are met, triggering the scenario of such an invasion.

Other cheat sheets for info on signs of compromise:

Critical Log Review Checklist for Security Incidents

Security Incident Survey Cheat Sheet for Server Administrators
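The two suggestions above (export the appliance's web syslog / CSV, then search it for one user ID, off-hours logins and brute-force attempts) can be turned into a small script. The example below is added here and is not from the original thread, nor is it Barracuda's own tooling; the log lines are constructed for the example and do NOT reproduce the real Barracuda syslog format, so the `LINE_RE` pattern is an assumption you would adapt to whatever your export actually looks like. Business hours (08:00 to 18:00, Monday to Friday) and the brute-force threshold (5 failures in 10 minutes) are assumed parameters.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample export. This is NOT the real Barracuda syslog format;
# it only exists so the script below runs offline. Adapt LINE_RE to your export.
SAMPLE_LOG = """\
2013-09-06T09:15:02 bcuda web: user=asmith ip=10.0.0.21 action=login result=success
2013-09-06T09:16:40 bcuda web: user=asmith ip=10.0.0.21 action=view_message result=success target=asmith
2013-09-06T22:45:10 bcuda web: user=jdoe ip=10.0.0.15 action=login result=success
2013-09-06T22:46:01 bcuda web: user=jdoe ip=10.0.0.15 action=view_message result=success target=asmith
2013-09-06T22:47:30 bcuda web: user=jdoe ip=10.0.0.15 action=view_message result=success target=bjones
2013-09-07T03:00:00 bcuda web: user=jdoe ip=10.0.0.15 action=login result=success
2013-09-07T03:01:15 bcuda web: user=jdoe ip=10.0.0.15 action=view_message result=success target=cfinch
2013-09-08T01:00:00 bcuda web: user=bjones ip=192.0.2.77 action=login result=failure
2013-09-08T01:00:20 bcuda web: user=bjones ip=192.0.2.77 action=login result=failure
2013-09-08T01:00:41 bcuda web: user=bjones ip=192.0.2.77 action=login result=failure
2013-09-08T01:01:03 bcuda web: user=bjones ip=192.0.2.77 action=login result=failure
2013-09-08T01:01:25 bcuda web: user=bjones ip=192.0.2.77 action=login result=failure
2013-09-09T10:00:00 bcuda web: user=admin ip=10.0.0.5 action=config_change result=success
this line is deliberately malformed and is skipped by the parser
"""

# Assumed line layout: ISO timestamp, host, facility, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ web: user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)(?: target=(?P<target>\S+))?$"
)


def parse_log(text):
    """Parse the export into a list of dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(e)
    return events


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins on a weekend or outside [start_hour, end_hour)."""
    hits = []
    for e in events:
        if e["action"] != "login" or e["result"] != "success":
            continue
        ts = e["ts"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            hits.append(e)
    return hits


def brute_force_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """(user, ip) pairs with >= threshold failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            failures[(e["user"], e["ip"])].append(e["ts"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):          # sliding window over sorted failures
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged[key] = j - i
                break
    return flagged


def foreign_mailbox_views(events, user):
    """Count of message views by `user` whose target mailbox is not their own."""
    views = Counter()
    for e in events:
        if e["user"] == user and e["action"] == "view_message" and e["target"] and e["target"] != user:
            views[e["target"]] += 1
    return views


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("parsed events:", len(evs))
    for e in off_hours_logins(evs):
        print("off-hours login:", e["ts"], e["user"], e["ip"])
    print("brute-force candidates:", brute_force_candidates(evs))
    print("jdoe viewed other mailboxes:", dict(foreign_mailbox_views(evs, "jdoe")))
```

The point of the third function is the one the question actually asks about: once you have per-action records with a target mailbox, "who looked at whose mail" is a filter on user and target, and an off-hours timestamp on the same session is the corroborating signal. Keep the raw export and hash it before you start filtering, since an appliance log that the suspected person can also reach (see the CERT note above on append-only media) is only useful as evidence if you can show it was not altered afterwards.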
LVL 72

Expert Comment

ID: 40041985
I've requested that this question be closed as follows:

Accepted answer: 500 points for maqsoodjee's comment #a39479417

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
LVL 66

Expert Comment

ID: 40042020
Apologies, but has the award been wrongly accepted?
