
Splunk Field Extractions for Symantec Messaging Gateway A.K.A Brightmail Syslogs

The Symantec Messaging Gateway, formerly known as Brightmail, is a spam-filtering appliance; you can read more about it from Symantec here. The appliance appears to run on Linux, and it has both a web interface and a command line interface accessible via SSH. It can also send its system-level and application-level logs to a remote server via syslog.

The system-level logs include processes such as sshd, crond and sudo; the application-level mail logs come from two processes: ecelerity and bmserver. In this post I focus on the application-level logs, those beginning with the <142> prefix. Symantec has some not-so-helpful documentation on this appliance's log formats here: https://support.symantec.com/en_US/article.HOWTO15282.html

From what I see in Splunk, the logs are in the format: <identifier>date time server-name process[process-number]: process-id|message-id|event|variable-log-format. There appear to be 18 different application-level log events, each with a different format. Those events are: IRCPTACTION, ACCEPT, VERDICT, TRACKERID, UNTESTED, FIRED, SENDER, LOGICAL_IP, EHLO, MSG_SIZE, MSGID, SOURCE, SUBJECT, ORCPTS, DELIVER, ATTACH, UNSCANNABLE and VIRUS. Because the part after the event name varies per event, Splunk's built-in field extraction interface cannot handle these logs. An alternative solution is to write a custom regex extraction.

Lacking complete documentation, I had to reverse engineer a regex extraction from the logs being sent to my Splunk server. With this in mind, be warned that my final regex extraction may contain errors. Also be aware that the field names in the extraction are names that I assigned and are not the official field names, as I could not find complete documentation on this system's log format.

I used Regex101.com to help me craft and test my regular expression extraction. You can view my saved regex and test string with anonymized syslog entries at: https://regex101.com/r/kR0iS8/1. If you visit this link, and are familiar with regular expressions, you will notice that I used multiple positive look-behinds. This is the best solution I could come up with to deal with the variable log formats produced by the SMG. My skill with regular expressions is intermediate at best, so there may very well be better solutions out there. If someone with more knowledge of regular expressions reads this article and cares to correct me, feel free to leave a comment.

Below is the final regular expression that I came up with. This seems to work for the majority of the logs that Splunk processes from Symantec Messaging Gateway, but may need further tweaking.

^<142>(?P<date>\w+\s+\d+)\s+(?P<time>[^ ]+)\s+(?P<server>\w+)\s+(?P<process_name>[a-z]+)\[(?P<process_number>\d+)[^ \n]* (?P<process_id>[^\|]+)\|(?P<message_id>[^\|]+)\|(?P<action>IRCPTACTION|VERDICT|UNTESTED|FIRED|SENDER|LOGICAL_IP|EHLO|MSG_SIZE|MSGID|SOURCE|SUBJECT|ORCPTS|TRACKERID|ATTACH|UNSCANNABLE|VIRUS|DELIVER|ACCEPT)(?:(?:(?<=ACCEPT|DELIVER|LOGICAL_IP)\|(?P<src>[^:\s]+)(?::(?P<port>[0-9]+))?(?:\|(?P<to>[^\s]+))?)|(?:(?<=FIRED|IRCPTACTION|ORCPTS|TRACKERID|UNTESTED|VERDICT)\|(?P<recipient>[^\s\|]+)(?:\|)?(?P<result>[a-z][^\|\s]+)?(?:\|(?P<result_2>[a-z][^\|]+))?(?:\|(?P<result_3>.+))?)|(?:(?<=SENDER)\|(?P<from>[^\s]+))|(?:(?<=MSG_SIZE)\|(?P<msg_size>\w+))|(?:(?<=SUBJECT)\|(?P<subject>.*))|(?:(?<=ATTACH)\|(?P<attachment>.+))|(?:(?<=UNSCANNABLE)\|(?P<reason>.+))|(?:(?<=VIRUS)\|(?P<virus_name>.+))|(?:(?<=EHLO)\|(?P<fqdn>.+)))?
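As an added example (not the post's own code), the same extraction written as a small Python parser. Instead of the lookbehinds, it matches the common header first and then dispatches on the captured event name to a per-event body pattern; the field names match the extraction above, and the sample log lines are constructed to follow the layout described in the post, not real SMG output.

```python
import re

# Event names listed in the post, in the same order as its regex alternation.
ACTIONS = ("IRCPTACTION", "ACCEPT", "VERDICT", "TRACKERID", "UNTESTED", "FIRED",
           "SENDER", "LOGICAL_IP", "EHLO", "MSG_SIZE", "MSGID", "SOURCE", "SUBJECT",
           "ORCPTS", "DELIVER", "ATTACH", "UNSCANNABLE", "VIRUS")

# Header shared by every application-level event:
#   <142>date time server process[number]: process-id|message-id|event|...
HEADER = re.compile(
    r"^<142>(?P<date>\w+\s+\d+)\s+(?P<time>\S+)\s+(?P<server>\w+)\s+"
    r"(?P<process_name>[a-z]+)\[(?P<process_number>\d+)\]:\s+"
    r"(?P<process_id>[^|]+)\|(?P<message_id>[^|]+)\|"
    r"(?P<action>" + "|".join(ACTIONS) + r")(?P<rest>.*)$")

# Per-event body patterns, same field names as the post's extraction. Dispatching
# on the captured action replaces the lookbehinds (Python's re rejects those).
BODY = {
    "SENDER": r"\|(?P<from>\S+)", "MSG_SIZE": r"\|(?P<msg_size>\w+)",
    "SUBJECT": r"\|(?P<subject>.*)", "ATTACH": r"\|(?P<attachment>.+)",
    "UNSCANNABLE": r"\|(?P<reason>.+)", "VIRUS": r"\|(?P<virus_name>.+)",
    "EHLO": r"\|(?P<fqdn>.+)",
}
for _a in ("ACCEPT", "DELIVER", "LOGICAL_IP"):
    BODY[_a] = r"\|(?P<src>[^:\s]+)(?::(?P<port>\d+))?(?:\|(?P<to>\S+))?"
for _a in ("FIRED", "IRCPTACTION", "ORCPTS", "TRACKERID", "UNTESTED", "VERDICT"):
    BODY[_a] = (r"\|(?P<recipient>[^\s|]+)\|?(?P<result>[a-z][^|\s]+)?"
                r"(?:\|(?P<result_2>[a-z][^|]+))?(?:\|(?P<result_3>.+))?")
BODY = {action: re.compile(pattern) for action, pattern in BODY.items()}

def parse_smg_event(line):
    """Return the extracted fields of one SMG application log line, or None."""
    m = HEADER.match(line.rstrip("\n"))
    if m is None:
        return None  # system-level line (e.g. <86> sshd) or malformed input
    fields = {k: v for k, v in m.groupdict().items() if k != "rest"}
    body_re = BODY.get(fields["action"])  # MSGID and SOURCE have no parsed body
    if body_re is not None:
        b = body_re.match(m.group("rest"))
        if b:
            fields.update({k: v for k, v in b.groupdict().items() if v is not None})
    return fields

# Constructed sample lines in the layout the post describes (not real SMG output).
SAMPLE_LINES = [
    "<142>Jan  5 10:15:22 smg01 bmserver[4121]: 0a1b2c3d|5e6f7a8b|ACCEPT|192.0.2.10:45678|198.51.100.5",
    "<142>Jan  5 10:15:23 smg01 bmserver[4121]: 0a1b2c3d|5e6f7a8b|VERDICT|bob@example.org|spam|default",
    "<142>Jan  5 10:15:23 smg01 bmserver[4121]: 0a1b2c3d|5e6f7a8b|MSGID",
    "<86>Jan  5 10:15:24 smg01 sshd[2201]: Accepted publickey for admin from 192.0.2.50",
]
```

Running parse_smg_event over a day of exported events and counting lines that return a header without body fields is a quick way to spot event layouts the extraction does not yet cover.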

If readers have any questions or comments about this extraction, feel free to leave a comment and I will try to respond in a timely manner.

Configuring Cisco ACS to use Aruba RADIUS Attributes

If your situation is like mine, and your institution is using Aruba wireless hardware and Cisco ACS, you will not find many resources on making the two work together. We recently implemented eduroam and wanted to make access rules in ACS dependent on which SSID a user was connecting to. With the default ACS 5.3 installation, RADIUS attributes from Aruba cannot be used to create access rules.

Not knowing how to proceed, I Googled around a bit and could not find a solid answer. So I began exploring the ACS user interface, and wrote up this tutorial to share what I found. For this tutorial I am using ACS 5.3; I’m not sure how the interface differs with other versions.

First you will need to get the Aruba RADIUS dictionary file for Cisco ACS. Aruba has a page containing several dictionary files for different RADIUS servers; they are available here: http://support.arubanetworks.com/TOOLSRESOURCES/tabid/76/DMXModule/514/Default.aspx?EntryId=115

From the link above, download the Dictionary for Cisco ACS. Once you have downloaded the dictionary file, open it in a text editor. Next, open the web user interface for ACS and log in. Once logged in, navigate to the System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA screen.

We will now manually create a dictionary for the Aruba attributes. To start, click the Create button at the bottom of the page. Here the only important value is the Vendor ID. In the dictionary file it is listed under IETF Code; for Aruba the vendor ID is 14823. For the other fields you may enter whatever values you would like.

Create Dictionary Screen Shot

After hitting the Submit button you will be returned to the Vendor Specific Dictionary page. Next, click the checkbox for the Aruba definition we just created and click the Show Vendor attributes button at the bottom of the page. We will now have to add the attributes from the downloaded dictionary file. It is not necessary to add all the attributes; you can add just the ones you are interested in using.

To add an attribute, click the Create button at the bottom of the page. For the Attribute field I am using the VSA field name from the dictionary file. In this example I will enter information for Aruba-Essid-Name. You may enter whatever description you would like; for the Vendor Attribute ID field, enter the VSA number for the field you are adding. Match the direction and Attribute type to the dictionary file.

RADIUS Dictionary Attributes Screen Shot

If you want this attribute logged, select the Include attribute in log checkbox. You will probably also want to add a policy condition so you can create rules based on this information. You can do that by selecting Add Policy Condition and typing a name in the Policy Condition Display Name field.

Hit Submit and you are done. If you checked the Include attribute in log checkbox, you can then open the Monitoring & Report Viewer and verify that ACS is receiving the information correctly.

Report Viewer Screen Shot
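To show what the Vendor ID and Vendor Attribute ID fields describe on the wire, here is an added Python example (not from the post, Cisco or Aruba) that builds and parses the RFC 2865 Vendor-Specific attribute an Aruba controller uses to carry Aruba-Essid-Name. Vendor ID 14823 is the value from the post; vendor type 5 is the number Aruba's dictionary file assigns to Aruba-Essid-Name; the "eduroam" value is constructed.

```python
import struct

ARUBA_VENDOR_ID = 14823  # IETF enterprise number given in the post
# Vendor-type numbers come from Aruba's ACS dictionary file; only the attribute
# the post configures is listed here (Aruba-Essid-Name is vendor type 5).
ARUBA_VSA_NAMES = {5: "Aruba-Essid-Name"}
VENDOR_SPECIFIC = 26  # RADIUS attribute type for Vendor-Specific (RFC 2865)

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute: Vendor-Id, Vendor-type, Vendor-length, value."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_vsa(attr, names=ARUBA_VSA_NAMES):
    """Parse one Vendor-Specific attribute into (vendor_id, [(label, value), ...])."""
    if len(attr) < 7:
        raise ValueError("too short for a Vendor-Specific attribute")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("type/length header does not describe this attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    pos, subattrs = 6, []
    while pos < alen:
        if pos + 2 > alen:
            raise ValueError("truncated vendor sub-attribute at offset %d" % pos)
        vtype, vlen = struct.unpack("!BB", attr[pos:pos + 2])
        if vlen < 2 or pos + vlen > alen:
            raise ValueError("bad Vendor-length at offset %d" % pos)
        # Only label sub-attributes by name when the vendor really is Aruba.
        label = names.get(vtype, vtype) if vendor_id == ARUBA_VENDOR_ID else vtype
        subattrs.append((label, attr[pos + 2:pos + vlen]))
        pos += vlen
    return vendor_id, subattrs

def essid_from_vsa(attr):
    """Return the SSID carried in an Aruba-Essid-Name sub-attribute, or None."""
    vendor_id, subattrs = decode_vsa(attr)
    if vendor_id != ARUBA_VENDOR_ID:
        return None
    for label, value in subattrs:
        if label == "Aruba-Essid-Name":
            return value.decode("utf-8", "replace")
    return None

# Constructed example: what a controller would send for a client on "eduroam".
EXAMPLE_VSA = encode_vsa(ARUBA_VENDOR_ID, 5, "eduroam")
```

Feeding the raw attribute bytes from a packet capture into essid_from_vsa is a quick way to confirm the controller really sends the SSID before troubleshooting the ACS side.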

That concludes this tutorial. If you have questions please leave a comment and I’ll try to get back to you in a timely fashion.