Martyt1988 (United States of America) asked:

Barracuda Log Files

I have a Barracuda Spam and Virus Firewall 400. I have reason to believe that one of our coworkers has been viewing other people's emails, using this as a way to SPY on people. Is there any way to view logs and see what kinds of activities have been done by someone with credentials to look at this info?
Tags: Software Firewalls, Hardware Firewalls, AntiSpam

Last Comment: btan, 8/22/2022 - Mon

ASKER CERTIFIED SOLUTION: btan

maqsoodjee

If you're talking about the Barracuda activity log, you can do this by enabling the syslog feature.

Tracking Changes to the Configuration and User Login Activities

You can view User Login activities and any configuration changes.
Data related to mail flow.

From the ADVANCED > Troubleshooting page, use the Monitor Web Syslog button to view the web syslog output. You can also configure a syslog server as described in Using a Syslog Server to Centrally Monitor System Logs.
btan

I was also thinking of exporting its log into CSV to perform a keyword search for this user ID and activities and any associated signs of compromise, e.g. brute force attempts, login timing during lunch time and "off" office hours, visiting certain sites that are not typical or that have spyware or a low reputation (flagged by the web filter), etc.

https://www.barracuda.com/support/knowledgebase/50160000000GTbjAAG

But pushing ahead, a SIEM is another typical tool used in an overall organisation SOC, where all monitored devices such as FW, NIPS, policy servers, Windows/Linux servers, proxies etc. pipe their syslog (in general) into it. Correlation rules are fired when the conditions are met that trigger the scenario of such an invasion.

Other cheat sheets for info on signs of compromise:

Critical Log Review Checklist for Security Incidents
http://zeltser.com/log-management/security-incident-log-review-checklist.html

Security Incident Survey Cheat Sheet for Server Administrators
http://zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html
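The kind of offline review btan describes (export the appliance log, then search it for one user ID, off-hours logins and brute-force patterns) can be scripted once the export is in a parseable form. The script below is an added example for this thread; it is not code from the original posts or from Barracuda. The log line format, the field names (event, user, src, result, msgid), the 08:00-18:00 office hours and the five-failures-in-five-minutes burst rule are all assumptions chosen for illustration; the sample lines are constructed, and a real Barracuda syslog or CSV export will need the parser adjusted to its actual layout.

```python
"""
Added example (not from the original thread or from Barracuda): audit a
text/CSV log export for one admin user ID and report (a) successful
logins outside office hours, (b) mailbox-view events outside office
hours and (c) bursts of failed logins from one source address.
The line format and field names below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (NOT real Barracuda output); one event per line:
# "YYYY-MM-DD HH:MM:SS key=value key=value ..."
SAMPLE_LOG = """\
2022-08-22 08:55:12 host=bsf400 event=login user=jdoe src=10.0.0.15 result=success
2022-08-22 12:31:40 host=bsf400 event=login user=jdoe src=10.0.0.15 result=success
2022-08-22 12:33:05 host=bsf400 event=message_view user=jdoe msgid=CONSTRUCTED-1
2022-08-22 22:14:09 host=bsf400 event=login user=jdoe src=10.0.0.99 result=success
2022-08-22 22:15:00 host=bsf400 event=message_view user=jdoe msgid=CONSTRUCTED-2
2022-08-23 02:01:01 host=bsf400 event=login user=jdoe src=203.0.113.7 result=failure
2022-08-23 02:01:08 host=bsf400 event=login user=jdoe src=203.0.113.7 result=failure
2022-08-23 02:01:15 host=bsf400 event=login user=jdoe src=203.0.113.7 result=failure
2022-08-23 02:01:22 host=bsf400 event=login user=jdoe src=203.0.113.7 result=failure
2022-08-23 02:01:30 host=bsf400 event=login user=jdoe src=203.0.113.7 result=failure
2022-08-23 09:10:00 host=bsf400 event=login user=admin src=10.0.0.2 result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = {"ts": ts}
    for token in parts[2:]:
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def user_activity(log_text, user):
    """All parseable events attributed to one user ID, in file order."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [e for e in parsed if e and e.get("user") == user]


def off_hours(events, event_type, start_hour=8, end_hour=18, result=None):
    """Events of one type whose hour falls outside [start_hour, end_hour).
    Weekends and holidays are deliberately not modelled here."""
    return [
        e for e in events
        if e.get("event") == event_type
        and (result is None or e.get("result") == result)
        and not (start_hour <= e["ts"].hour < end_hour)
    ]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window check: (src, first_ts, count) for each source address
    with at least `threshold` failed logins inside `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("event") == "login" and e.get("result") == "failure":
            by_src[e.get("src", "?")].append(e["ts"])
    bursts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((src, times[start], end - start + 1))
                break  # one finding per source is enough for triage
    return bursts


def audit(log_text, user):
    """Summarise the findings for one user ID as plain counts plus details."""
    events = user_activity(log_text, user)
    return {
        "events": len(events),
        "off_hours_logins": off_hours(events, "login", result="success"),
        "off_hours_views": off_hours(events, "message_view"),
        "failed_bursts": failed_login_bursts(events),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, "jdoe")
    print(f"events for jdoe: {report['events']}")
    for e in report["off_hours_logins"]:
        print(f"off-hours login  {e['ts']} from {e.get('src')}")
    for e in report["off_hours_views"]:
        print(f"off-hours view   {e['ts']} msgid={e.get('msgid')}")
    for src, first, count in report["failed_bursts"]:
        print(f"failed-login burst from {src}: {count} failures starting {first}")
```

On the constructed sample this reports one off-hours login (22:14 from 10.0.0.99), one off-hours mailbox view, and a burst of five failures from 203.0.113.7. The findings are leads for a human to check against the user's expected working pattern and against the appliance's own configuration-change log, not a verdict on their own.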
Qlemo

I've requested that this question be closed as follows:

Accepted answer: 500 points for maqsoodjee's comment #a39479417

for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
btan

Apologies, but has the award been wrongly accepted?