Barracuda Log Files

I have a barracuda spam and virus firewall 400. I have reason to believe there has been one of our coworkers viewing other peoples emails using this as a way to SPY on people.. Is there any way to view logs and see what kinds of activities have been done by someone with credentials to look at this info?
Martyt1988Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
I see it from angle of server first as it track login event assuming you have audit trails turned on. From the spam and firewall may be more specific to external threats though can still try to detect data leakage attempts from particular machine and its anomalous activities. But this may not allude to that user doing some insider stuffs on other colleague. Best to have tracking sw on his machine if viable for legal action subsequently.

But probably the key inputs comes from server log as shared in the below CERT document. Extracted some but there is more
www.cert.org/archive/pdf/WIDC.pdf

2. Examine log files
Examine log files for connections from unusual locations or for other unusual activity. You can use the Event Viewer to check for odd logon entries, failures of services, or unexplained system restarts. If your firewall, web server, or router writes logs to a location different than the system being investigated, remember to check these logs as well. Remember, this is not foolproof unless you log to append-only media or a secure logging server; many intruders edit or remove log files in an attempt to hide their activity.

3. Check for odd user accounts and groups
You can use "Local Users and Groups" (lusrmgr.msc) from a domain member or stand alone computer or the "net user", "net group" and "net localgroup" commands at the command line. One other option is to use the "wmic useraccount" command. On a domain controller, "Active Directory Users and Computers" (dsa.msc) may be used to view and verify domain accounts, however "net user" and "net group" will still work.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
maqsoodjeeCommented:
If your talking about Barracuda activity log you can do this by enabling syslog feature .

Tracking Changes to the Configuration and User Login Activities

You can view User Login activities and any configuration changes.
Data related to mail flow.

From the ADVANCED > Troubleshooting page, use the Monitor Web Syslog button view the web syslog output. You can also configure a syslog server as described in Using a Syslog Server to Centrally Monitor System Logs.
0
btanExec ConsultantCommented:
I was also thinking to export its log into csvto perform keyword search for this userid and activities and any associated sign of compromise...e.g. brute force attempts, login timing during lunch time and "off" office hours, visiting certain site not typical or have spyware or of low reputation (flagged from web filter) etc

https://www.barracuda.com/support/knowledgebase/50160000000GTbjAAG

But pushing ahead, SIEMS is another typical tool used in overall organisation SOC where all monitored devices such as FW, NIPS, policy servers, Windows/Linux servers, proxy etc piped their syslog (in general) into it. Correlated rules are fired upon the condition met that trigger scenario of such invasion.

Other cheatsheet for info on sign of compromise

Critical Log Review Checklist for Security Incidents
http://zeltser.com/log-management/security-incident-log-review-checklist.html

Security Incident Survey Cheat Sheet for Server Administrators
http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
I've requested that this question be closed as follows:

Accepted answer: 500 points for maqsoodjee's comment #a39479417

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
btanExec ConsultantCommented:
Apologies but has the award being wrongly accepted?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.