Collect Kemp Load Balancer logs

This document explains how to ingest Progress Kemp LoadMaster logs to Google Security Operations using the Bindplane agent.

Progress Kemp LoadMaster (formerly Kemp Load Balancer) is an application delivery controller (ADC) that provides load balancing, SSL offloading, and traffic management for enterprise applications. It distributes incoming traffic across multiple servers to ensure high availability, optimize performance, and enhance the security of web-based applications and services.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A Windows 2016 or later or Linux host with systemd
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the Progress Kemp LoadMaster web user interface (WUI)

Get Google SecOps Ingestion Authentication File

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
  4. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the customer ID from the Organization Details section.

Install Bindplane Agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows Installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

     msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet


Linux Installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

     sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh


Additional Installation Resources

For additional installation options, consult this installation guide.

Configure the Bindplane Agent to ingest Syslog and send to Google SecOps

  1. Access the Configuration File:

    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

     receivers:
       udplog:
         # Replace the port and IP address as required
         listen_address: "0.0.0.0:514"

     exporters:
       chronicle/chronicle_w_labels:
         compression: gzip
         # Adjust the path to the credentials file you downloaded in Step 1
         creds_file_path: '/path/to/ingestion-authentication-file.json'
         # Replace with your actual customer ID from Step 2
         customer_id: YOUR_CUSTOMER_ID_HERE
         endpoint: malachiteingestion-pa.googleapis.com
         # Add optional ingestion labels for better organization
         log_type: 'KEMP_LOADBALANCER'
         raw_log_field: body
         ingestion_labels:

     service:
       pipelines:
         logs/source0__chronicle_w_labels-0:
           receivers:
             - udplog
           exporters:
             - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace YOUR_CUSTOMER_ID_HERE with the actual Customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in Step 1.

  6. Update the endpoint value to match your tenant's region.
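Before restarting the agent it is worth checking that the placeholders from the steps above were actually replaced and that the udplog listener address is usable. The preflight check below is an added example written for this guide; it is not part of Bindplane or Google SecOps. It reads config.yaml as plain text with a line-oriented regex rather than a YAML parser so it needs no third-party module, and the SAMPLE_CONFIG it ships with is a constructed copy of the guide's template with the placeholders left in place.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the receiver/exporter config from this guide with the
# placeholders still in place, so the checks below have something to flag.
SAMPLE_CONFIG = """\
receivers:
  udplog:
    listen_address: "0.0.0.0:514"
exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    customer_id: YOUR_CUSTOMER_ID_HERE
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: 'KEMP_LOADBALANCER'
    raw_log_field: body
service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - udplog
      exporters:
        - chronicle/chronicle_w_labels
"""

# Values the guide tells you to replace before restarting the agent.
PLACEHOLDERS = ("YOUR_CUSTOMER_ID_HERE", "/path/to/ingestion-authentication-file.json")


@dataclass
class Report:
    problems: list = field(default_factory=list)   # must be fixed before restart
    warnings: list = field(default_factory=list)   # worth knowing, not fatal


def scalar(text, key):
    """Return the unquoted value of the first `key: value` line, or None if absent."""
    m = re.search(rf"^[ \t]*{re.escape(key)}:[ \t]*(\S.*?)[ \t]*$", text, re.M)
    return m.group(1).strip("'\"") if m else None


def preflight(config_text):
    """Check a Bindplane config.yaml (as text) against the steps in this guide."""
    r = Report()
    for ph in PLACEHOLDERS:
        if ph in config_text:
            r.problems.append(f"placeholder still present: {ph}")

    addr = scalar(config_text, "listen_address")
    if addr is None:
        r.problems.append("udplog listen_address is missing")
    else:
        _host, _, port = addr.rpartition(":")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            r.problems.append(f"listen_address has no valid port: {addr}")
        elif int(port) < 1024:
            # Ports below 1024 need bind privilege on Linux (root or CAP_NET_BIND_SERVICE).
            r.warnings.append(f"listen_address uses privileged port {port}")

    if scalar(config_text, "log_type") != "KEMP_LOADBALANCER":
        r.problems.append("log_type must be KEMP_LOADBALANCER for this parser")
    if scalar(config_text, "raw_log_field") != "body":
        r.problems.append("raw_log_field must be body")
    if scalar(config_text, "creds_file_path") is None or scalar(config_text, "customer_id") is None:
        r.problems.append("creds_file_path and customer_id are both required")
    return r


if __name__ == "__main__":
    report = preflight(SAMPLE_CONFIG)
    for p in report.problems:
        print("PROBLEM:", p)
    for w in report.warnings:
        print("warning:", w)
```

Run it against the real file with `preflight(open("/etc/bindplane-agent/config.yaml").read())`; an empty problems list means the placeholders are gone and the listener port is in range. The privileged-port warning is there because a listener on 514 only works if the agent process is allowed to bind it; moving the receiver to a high port and matching it in the LoadMaster's Remote Syslog Port avoids the question entirely.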

Restart Bindplane Agent to apply the changes

  1. To restart the Bindplane agent in Linux, run the following command:

     sudo systemctl restart observiq-otel-collector

  2. To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

     net stop observiq-otel-collector && net start observiq-otel-collector


Configure Progress Kemp LoadMaster syslog forwarding

  1. Sign in to the Progress Kemp LoadMaster web user interface (WUI).
  2. Go to System Configuration > Logging Options > Syslog Options.
  3. In the Remote Syslog Host field, enter the IP address of the Bindplane agent host (for example, 192.168.1.100).
  4. In the Remote Syslog Port field, enter 514 (or the port configured in Bindplane).
  5. Set the Info Syslog Messages option to Yes to enable informational log messages.
  6. Set the Warning Syslog Messages option to Yes to enable warning messages.
  7. Set the Error Syslog Messages option to Yes to enable error messages.
  8. Set the Critical Syslog Messages option to Yes to enable critical messages.
  9. Set the Emergency Syslog Messages option to Yes to enable emergency messages.
  10. Click Set Syslog Parameters to save the configuration.
  11. To enable WAF syslog logging, go to System Configuration > Logging Options > WAF Syslog Options.
  12. Set the Remote Syslog option to Yes.
  13. Click Set WAF Syslog Parameters to save.
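Once the LoadMaster is pointed at the agent host, the simplest way to confirm the UDP path is to see a BSD syslog datagram arrive and split it into the header fields (PRI, timestamp, hostname, process and pid) that the udplog receiver hands on as the log body. The script below is an added example written for this guide, not Kemp or Bindplane code. It runs a throwaway UDP listener on the loopback address and an ephemeral port instead of 514, sends itself one message and parses what came back; SAMPLE_LINE is a constructed sshd-style line in RFC 3164 form with an invented hostname, pid and addresses, chosen because the parser table below maps sshd, pid, user and src_ip. To test the real listener, send the same line to the agent host and the port from your config.yaml instead of the loopback port.

```python
import re
import socket
import threading

# Constructed sample in BSD syslog (RFC 3164) form, the shape a remote syslog
# host receives. Hostname, pid and addresses are made up for the example.
SAMPLE_LINE = (
    "<38>Mar  5 10:15:22 lm-01 sshd[1234]: "
    "Accepted password for bal from 192.0.2.10 port 51234 ssh2"
)

# PRI in angle brackets, BSD timestamp (day may be space-padded), hostname,
# TAG with optional [pid], then the free-text message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Split a BSD syslog line into header fields plus the message text.

    PRI = facility * 8 + severity, so 38 is facility 4 (auth) at severity 6 (info)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a BSD syslog line: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "process_name": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def loopback_roundtrip(line, timeout=2.0):
    """Bind a UDP listener on 127.0.0.1 (ephemeral port), send `line` to it the
    way the LoadMaster sends to the agent, and return the parsed datagram."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(timeout)
    port = srv.getsockname()[1]
    received = {}

    def listener():
        data, _peer = srv.recvfrom(65535)
        received["raw"] = data.decode("utf-8", errors="replace")

    t = threading.Thread(target=listener)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Datagram is queued on the bound socket even if recvfrom has not run yet.
        cli.sendto(line.encode("utf-8"), ("127.0.0.1", port))
    finally:
        cli.close()
    t.join(timeout)
    srv.close()
    if "raw" not in received:
        raise TimeoutError("no datagram arrived on the loopback listener")
    return parse_syslog(received["raw"])


if __name__ == "__main__":
    for k, v in loopback_roundtrip(SAMPLE_LINE).items():
        print(f"{k:>13}: {v}")
```

The severity values the parser returns line up with the LoadMaster options in the steps above: 0 is emergency, 2 critical, 3 error, 4 warning and 6 informational, so a message at a level that was left at No will simply never show up on the listener. The first sanity check to make once real datagrams arrive is that the severity you expect is present rather than that the line parses.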

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| hlen_label | additional.fields | Merged |
| meta_sequenceId_label | additional.fields | Merged |
| nhdrs_label | additional.fields | Merged |
| intermediary | intermediary | Merged |
| inter_hostname | intermediary.hostname | Directly mapped |
| description | metadata.description | Directly mapped |
| event_type | metadata.event_type | Renamed/mapped |
| log_event | metadata.product_event_type | Directly mapped |
| sequenceId | metadata.product_log_id | Directly mapped |
| ftpmethod | network.ftp.command | Directly mapped |
| http_method | network.http.method | Directly mapped |
| http_response_code | network.http.response_code | Directly mapped |
| process_name | principal.application | Directly mapped |
| src_ip | principal.ip | Merged |
| srcip | principal.ip | Merged |
| src_port | principal.port | Directly mapped |
| srcport | principal.port | Directly mapped |
| sec_result | security_result | Merged |
| sshd | target.application | Directly mapped |
| filename | target.file.full_path | Directly mapped |
| file_size | target.file.size | Renamed/mapped |
| dest_ip | target.ip | Merged |
| dstip | target.ip | Merged |
| vs | target.ip | Merged |
| dest_port | target.port | Directly mapped |
| dstport | target.port | Directly mapped |
| vs_port | target.port | Directly mapped |
| pid | target.process.pid | Directly mapped |
| http_path | target.url | Directly mapped |
| resource | target.url | Directly mapped |
| user | target.user.userid | Directly mapped |
| N/A | additional.fields | Constant: meta_sequenceId_label |
| N/A | extensions.auth.type | Constant: AUTHTYPE_UNSPECIFIED |
| N/A | intermediary | Constant: intermediary |
| N/A | metadata.event_type | Constant: GENERIC_EVENT |
| N/A | metadata.product_name | Constant: KEMP_LOADBALANCER |
| N/A | metadata.vendor_name | Constant: KEMP |
| N/A | network.application_protocol | Constant: HTTP |
| N/A | principal.ip | Constant: src_ip |
| N/A | security_result | Constant: sec_result |
| N/A | target.ip | Constant: dest_ip |

For more information about the parser field mapping, see the KEMP_LOADBALANCER parser reference.
