Fish


About


This program parses syslog events from a Barracuda Spam Firewall and puts the results into a MySQL database. It reads the syslog file it is given on the command line (see Setup) and requires the PHP CLI.

The table structure looks like this:
  • msg_id
  • timestamp
  • host
  • process
  • resolved
  • client
  • start
  • end
  • service
  • encrypted
  • sender
  • recipient
  • action
  • reason
  • reasonx
  • score
  • size
  • subject
  • queue_id

You can grab it here: Fish.zip

Examples

timestamp is stored as a Unix epoch and client as the integer INET_ATON() produces, hence the FROM_UNIXTIME() and INET_NTOA() calls in the queries below. (Comparing timestamp against UNIX_TIMESTAMP('2010-04-01 00:00:00') instead of wrapping the column in FROM_UNIXTIME() lets MySQL use an index on timestamp.)

mysql> SELECT COUNT(*) AS count, r_code.meaning FROM event, r_code WHERE FROM_UNIXTIME(timestamp) BETWEEN '2010-04-01 00:00:00' AND '2010-05-01 00:00:00' AND event.reason = r_code.id AND action = '2' GROUP BY event.reason ORDER BY count DESC;
+---------+-----------------------------+
| count   | meaning                     |
+---------+-----------------------------+
| 3766392 | Barracuda Blocklist         |
|  247963 | RBL Match                   |
|   69529 | Spam Fingerprint Found      |
|   63371 | Intention Analysis Match    |
|   21916 | Score                       |
|   11731 | No Such User                |
|    7238 | No Such Domain              |
|    7018 | Realtime Intent             |
|    5645 | Need Fully Qualified Sender |
|    5429 | Virus                       |
|    4336 | Multi-Level Intent          |
|    3688 | Timeout Exceeded            |
|      10 | Client IP                   |
|       7 | Message Size Bypass         |
|       3 | Barracuda Whitelist         |
+---------+-----------------------------+


mysql> SELECT COUNT(*) AS count, INET_NTOA(client) FROM event WHERE FROM_UNIXTIME(timestamp) BETWEEN '2010-05-01 00:00:00' AND '2010-05-02 00:00:00' AND action = '2' GROUP BY client ORDER BY count DESC LIMIT 10;
+-------+-------------------+
| count | INET_NTOA(client) |
+-------+-------------------+
|   276 | 62.111.138.130    |
|   226 | 200.74.249.27     |
|   143 | 112.153.203.62    |
|   142 | 72.55.141.20      |
|   132 | 64.22.65.181      |
|   129 | 64.22.65.182      |
|   126 | 64.22.65.183      |
|   109 | 93.32.186.103     |
|   105 | 202.156.81.220    |
|   103 | 89.171.120.66     |
+-------+-------------------+



Setup

1) Configure your Barracuda to send its syslog to the collector.

2) On your collector edit your syslog.conf and add something like this (I have 2 devices):

+192.168.1.10
*.*     /var/log/spam.log
+192.168.1.11
*.*     /var/log/spam.log

The +host lines are FreeBSD syslog.conf host selectors. syslogd also has to accept messages from the network: FreeBSD's default syslogd_flags="-s" in rc.conf disables that, so replace it with -a entries for just the two devices (e.g. syslogd_flags="-a 192.168.1.10 -a 192.168.1.11") rather than opening it to every host.


3) Create a database called "spam":

~$ mysql -N -B --user=root --password=toor -e "CREATE DATABASE spam;"

(Passing --password=... on the command line leaves the password in your shell history and can expose it in the process list while the client runs; a bare -p prompts for it instead, or keep it in a client option file.)

4) Create the reason code mappings:

~$ cat r_code.sql | mysql -uroot -ptoor -D spam

5) Create a writer account for the spam database:

~$ mysql -N -B --user=root --password=toor -e "GRANT ALL PRIVILEGES ON spam.* TO 'spamwriter'@'localhost' IDENTIFIED BY 'apassword';"

ALL PRIVILEGES is more than a log writer needs: grant only what fish.php actually uses (INSERT on spam.* at the least) and keep a separate read-only account for the ad-hoc queries in Examples.

6) Open fish.php and modify the database settings to suit.

7) To start the program just do something like this:

~$ ./fish.php /var/log/spam.log&

and it will happily chug away as long as the file exists.

If you are dealing with a lot of data, rotate the log daily with a script like this:

#!/usr/local/bin/bash
# Delete old spam log and restart syslogd and fish
# Check the commands of course, this is for FreeBSD
# cron runs with a minimal PATH, so give the full path to fish.php
log="/var/log/spam.log"

if [ -e "$log" ]; then
    rm -f "$log"
    sleep 2
fi

touch "$log"
/etc/rc.d/syslogd restart
sudo -u alittleuser fish.php "$log" &

# End


and put this in root's crontab (again with the full path to fish.sh, since cron's PATH is minimal):

0       0       *       *       *       fish.sh


Changelog

2010-06-08: Explode delimiter on subject line was changed from ":" to "SUBJ:". This still may fail but I don't have a better solution just yet.
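The About section lists the columns Fish fills, and the changelog entry above explains why the subject is now split off on the literal SUBJ: marker rather than on ":". The following is an added example written for this page, not Fish's own code (Fish is PHP; this is Python so it runs stand-alone): it parses constructed Barracuda-style syslog lines into rows keyed by Fish's column names, splits the subject off on " SUBJ:" before any whitespace splitting, stores client as the integer INET_ATON() would produce and timestamp as a Unix epoch (which the example queries rely on), and reproduces the per-client count from the second example query. The syslog header is the standard BSD syslog header; the field order inside the message body (the RECV/SCAN/SEND layouts in LAYOUTS) is an assumption made for illustration and must be checked against what your firmware actually emits, and the sample lines, addresses and ids are constructed, not captured.

```python
"""Added example (not Fish's code): parse Barracuda-style syslog lines into rows
shaped like Fish's event table.  The syslog header is standard BSD syslog; the
body field order (LAYOUTS) is an ASSUMPTION for illustration, so check it
against your firmware's output.  Sample lines are constructed, not captured."""
import calendar
import ipaddress
import re
import time
from typing import Optional

COLUMNS = ["msg_id", "timestamp", "host", "process", "resolved", "client", "start",
           "end", "service", "encrypted", "sender", "recipient", "action", "reason",
           "reasonx", "score", "size", "subject", "queue_id"]

# "Mon DD HH:MM:SS host process[pid]: body"; the [pid] part is optional.
HEADER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<hms>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<process>[^\s\[:]+)(?:\[\d+\])?:\s(?P<body>.*)$")

# ASSUMED body layouts after the common "client msg_id start end service" prefix.
LAYOUTS = {
    "RECV": ["encrypted", "sender", "recipient", "action", "reason", "reasonx"],
    "SCAN": ["encrypted", "sender", "recipient", "score", "action", "reason", "reasonx"],
    "SEND": ["encrypted", "sender", "recipient", "action", "queue_id"],
}
INT_COLUMNS = {"start", "end", "action", "reason", "size"}

def to_int(value: str) -> Optional[int]:
    """The firewall writes '-' for 'no value'; that becomes NULL, not 0."""
    try:
        return int(value)
    except ValueError:
        return None

def ip_to_int(ip: str) -> Optional[int]:
    """The integer MySQL's INET_ATON() gives, so INET_NTOA(client) in the
    page's queries turns it back into a dotted quad."""
    try:
        return int(ipaddress.IPv4Address(ip))
    except ipaddress.AddressValueError:
        return None

def header_epoch(mon: str, day: str, hms: str, year: int) -> int:
    """BSD syslog headers carry neither year nor zone: the caller supplies the
    year and the time is read as UTC here (use the collector's zone for real)."""
    return calendar.timegm(time.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S"))

def parse_line(line: str, year: int) -> Optional[dict]:
    """One syslog line -> dict keyed by Fish's columns, or None if unusable."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    body = m["body"]
    # Split the subject off first, on the literal " SUBJ:" marker, before any
    # whitespace splitting: subjects carry spaces and often colons, which is
    # why splitting on a bare ":" (the old delimiter) mangled them.
    subject = None
    if " SUBJ:" in body:
        body, subject = body.split(" SUBJ:", 1)
    fields = body.split()
    if len(fields) < 5 or fields[4] not in LAYOUTS:
        return None
    row = dict.fromkeys(COLUMNS)  # columns the layout lacks (resolved, size) stay None
    row.update(timestamp=header_epoch(m["mon"], m["day"], m["hms"], year),
               host=m["host"], process=m["process"], client=ip_to_int(fields[0]),
               msg_id=fields[1], start=to_int(fields[2]), end=to_int(fields[3]),
               service=fields[4], subject=subject)
    for name, value in zip(LAYOUTS[fields[4]], fields[5:]):
        row[name] = to_int(value) if name in INT_COLUMNS else (None if value == "-" else value)
    if row["score"] is not None:
        row["score"] = float(row["score"])
    return row

def parse_log(text: str, year: int) -> list:
    return [r for r in (parse_line(l, year) for l in text.splitlines()) if r]

def events_by_client(rows: list, action: int) -> dict:
    """The page's second query in Python: events per client for one action
    code, most frequent first.  The page filters on action 2 but does not say
    what the code means, so it is a parameter here rather than a constant."""
    counts: dict = {}
    for r in rows:
        if r["action"] == action and r["client"] is not None:
            ip = str(ipaddress.IPv4Address(r["client"]))
            counts[ip] = counts.get(ip, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))

# Constructed sample input; the addresses, ids and subject are made up.
SAMPLE_LOG = """\
May  1 00:12:34 bsf1 inbound/pass1[4242]: 62.111.138.130 1272672754-1a2b3c 1272672754 1272672755 RECV - bulk@example.net alice@example.com 2 3 -
May  1 00:12:35 bsf1 scan[4243]: 203.0.113.7 1272672755-9f8e7d 1272672755 1272672757 SCAN - news@example.org bob@example.com 0.21 0 - - SUBJ:Re: Q2 budget: final numbers
May  1 00:12:36 bsf1 inbound/pass1[4244]: 62.111.138.130 1272672756-4d5e6f 1272672756 1272672756 RECV - bulk@example.net carol@example.com 2 3 -
May  1 00:12:37 bsf1 inbound/pass1[4245]: garbage line
"""

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG, year=2010)
    for row in rows:
        print(row)
    print(events_by_client(rows, action=2))
```

Run it directly to print the three parsed rows (the garbage line is dropped) and the per-client tally for action 2. A real importer would hand these rows to INSERT statements with bound parameters rather than building SQL by string concatenation: sender, recipient and subject come straight from whoever sent the mail, so they are attacker-controlled input to your database.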