Syslog Integration

Syslog Integration supports syslog version 3 and is available with Email Protection Advanced Plan.

Syslog Integration enables you to export your message log data to a syslog server or a security information and events management (SIEM) system. With Syslog Integration, you can store your information beyond 30 days and use it for tracking, analysis, and troubleshooting.

To configure Syslog Integration:

  1. Log in to Email Gateway Defense and navigate to the Account Management tab.

  2. Open any firewall ports needed for communication with your syslog server/SIEM system.
    Refer to Email Gateway Defense IP Ranges Used for Configuration for information on IP ranges.

  3. Enter the IP Address/Hostname and Port for your syslog server/SIEM system. The default port is 6514.

  4. Click Test to ensure that Email Gateway Defense can connect with your syslog server/SIEM system.

    • If the test works, your message log data begins transferring to your syslog server/SIEM system.

    • If the test fails, check the IP Address/Hostname and Port information and reenter it if needed. Then perform the test again.

To delete the syslog server, click Delete.

Notes:

  • Most syslog server/SIEM systems can be configured to check client certificates. Barracuda Networks syslog clients currently use a self-signed client certificate. Thus, if the syslog server/SIEM system validates client certificates, syslog messages can be rejected. To avoid this error, turn off syslog client certificate validation for Email Gateway Defense or add the certificate to a trusted certificate configuration. Note that a syslog server that accepts a CA-signed client certificate is not required; a syslog server that accepts self-signed client certificates can also be used.

  • You can only connect one syslog server/SIEM system at a time. You can delete an existing entry and replace it, but you cannot have multiple entries.

  • This feature is available only for Transmission Control Protocol (TCP) with Transport Layer Security (TLS).

  • If your syslog server/SIEM system stops responding, data will not spool until the communication is re-established.

  • After you enable or disable syslog integration, it can take up to 10 minutes for message transmission to either start or stop.

  • Data is transferred at the account level, not at the domain level.

Data Sent

Sample of JSON sent to syslog.

email[1]: { "message_id": "1756193235-1012198-13072-403-1", "src_ip": "20.44.62.239", "hdr_from": "sender@sender.com", "account_id": "ESS9999999", "domain_id": "11111111", "ptr_record": "", "attachments": null, "recipients": [ { "action": "quarantined", "reason": "content_subject", "reason_extra": "test", "delivered": "not_delivered", "delivery_detail": "", "email": "admin@test.egdqa.net", "taxonomy": "policy" } ], "hdr_to": "admin@test.egdqa.net", "recipient_count": 1, "dst_domain": "test.egdqa.net", "size": 419, "subject": "test", "env_from": "sender@sender.com", "timestamp": "2025-08-26T07:27:16+0000", "geoip": "IND", "tls": false, "hdr_auth_results": "" }

Sample audit entry. See Audit Data Fields Sent to Syslog below for more information.

audit[1]: { "timestamp": "2025-08-25T17:52:28-04:00", "account_id": "ESS9999999", "action": "CHANGE", "action_type": "account_settings", "scope": "Account", "domain": "NA", "ip": "11.11.11.11", "affected": "brbl", "actor": "admin@test.egdqa.net", "actor_type": "Account user (portal account)", "description": "Barracuda Reputation Block List changed" }

Data Format

Data is sent to the syslog in JSON format. You can parse the data any way you choose to meet the needs of your organization. For information on the Message Log field names, refer to the help file on the Message Log page.
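
One way to parse these records on the receiving side, as an added example (not Barracuda code): it splits the "email[n]:" / "audit[n]:" tag from the JSON body, rejects truncated lines instead of guessing, and flattens an email record to one row per recipient. The function names, the leading syslog header in AUDIT_LINE, and the sample lines are assumptions constructed for illustration.

```python
import json
import re

# Record shape taken from the page's samples: "<tag>[<n>]: <JSON object>".
# Assumption: text before the tag (e.g. a syslog header) may be present and is skipped.
RECORD_RE = re.compile(r"\b(?P<tag>email|audit)\[\d+\]:\s*(?P<body>\{.*\})\s*$", re.S)

def parse_record(line):
    """Return (tag, payload) for a well-formed record, otherwise None."""
    m = RECORD_RE.search(line)
    if m is None:
        return None
    try:
        payload = json.loads(m.group("body"))
    except json.JSONDecodeError:
        return None  # malformed JSON: count and alert on it, do not repair it
    return (m.group("tag"), payload) if isinstance(payload, dict) else None

def email_rows(payload):
    """Flatten an email record to one row per recipient (action is per recipient)."""
    # subject, hdr_from and env_from are sender-supplied: store as opaque strings.
    shared = {k: payload.get(k) for k in
              ("message_id", "timestamp", "src_ip", "env_from", "hdr_from", "subject", "tls")}
    rows = []
    for rcpt in payload.get("recipients") or []:  # tolerate null, as "attachments" can be
        rows.append({**shared,
                     "recipient": rcpt.get("email"),
                     "action": rcpt.get("action"),
                     "reason": rcpt.get("reason"),
                     "delivered": rcpt.get("delivered")})
    return rows

# Constructed sample lines, shortened from the samples on this page.
EMAIL_LINE = ('email[1]: {"message_id": "1756193235-1012198-13072-403-1", '
              '"src_ip": "20.44.62.239", "attachments": null, "recipients": '
              '[{"action": "quarantined", "reason": "content_subject", '
              '"delivered": "not_delivered", "email": "admin@test.egdqa.net"}], '
              '"subject": "test", "tls": false}')
AUDIT_LINE = ('<134>1 2025-08-25T21:52:28Z host app - - - audit[1]: {"action": "CHANGE", '
              '"action_type": "account_settings", "actor": "admin@test.egdqa.net"}')
TRUNCATED = 'audit[1]: {"action": "LOGIN", "actor": "admin@test.egdqa.net'

if __name__ == "__main__":
    for line in (EMAIL_LINE, AUDIT_LINE, TRUNCATED):
        print(parse_record(line))
    print(email_rows(parse_record(EMAIL_LINE)[1]))
```
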

Audit Data Fields Sent to Syslog

Each entry contains structured fields that describe the action performed, the type of action, its scope, and the actor. The table below lists the fields and their possible values.

Field Name

Description

Possible Values

action

Action performed.

  • CHANGE

  • CREATE

  • DELETE

  • DELETE_ALL

  • DISABLE

  • ENABLE

  • LOGIN

  • LOGIN_FAILURE

  • LOGOUT

  • LOG_ACTION

  • LOG_EXPORT

  • MIGRATE_CPL

  • MOVE

  • NOTIFY

  • QUERY

  • QUERY LOG

  • RESET

  • RESTORE

  • SUSPEND

action_type

Specific type of action.

  • account_settings

  • atd

  • block

  • delete

  • deliver

  • domain

  • domain_from

  • domain_manage

  • domain_settings

  • emailreg

  • mark_ham

  • mark_spam

  • message

  • not_spam

  • outbound-delete

  • outbound-deliver

  • outbound-reject

  • outbound_ip

  • outbound_ip_list

  • recategorize

  • redeliver

  • reject

  • spam

  • super_user

  • temporary_passcode

  • user

  • user_password

  • user_settings

  • view

  • whitelist

scope

Scope of the action.

  • Nil (login, logout)

  • Account

  • Domain

  • User

actor

Identifies the source of the action.

  • Email address

  • Barracuda Networks

actor_type

Type of actor performing the action.

  • Account user (portal account)

  • Domain manager

  • Help Desk user

  • Authenticated user (domain email user)

  • Support