Console
    Start free

    Collect Arista VeloCloud SD-WAN logs

    Supported in:

    This document explains how to ingest Arista VeloCloud SD-WAN (formerly VMware VeloCloud) logs to Google Security Operations using Bindplane.

    Arista VeloCloud SD-WAN is a software-defined wide area networking solution that simplifies branch office networking by virtualizing WAN connections and providing centralized management through the SD-WAN Orchestrator. It delivers application-aware routing, dynamic path selection, and integrated firewall capabilities for distributed enterprise environments.

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • A Windows 2016 or later or Linux host with systemd
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Privileged access to the Arista VeloCloud SD-WAN Orchestrator

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.
    4. Save the file securely on the system where Bindplane will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows Installation

    1. Open the Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    Linux Installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    Additional installation resources

    For additional installation options, see the Bindplane agent installation guide .

    Configure Bindplane agent to ingest Syslog and send to Google SecOps

    1. Access the configuration file:

      • Locate the config.yaml file. Typically, it's in the /opt/observiq-otel-collector/ directory on Linux or in the installation directory on Windows.
      • Open the file using a text editor (for example, nano , vi , or Notepad).

    2. Edit the config.yaml file as follows:

        receivers 
 : 
  
 udplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds_file_path 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< PLACEHOLDER_CUSTOMER_ID 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 log_type 
 : 
  
 'VELO_FIREWALL' 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels
      • Replace the port and IP address as required in your infrastructure.
      • Replace <PLACEHOLDER_CUSTOMER_ID> with the actual Customer ID.
      • Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in Step 1.

    Restart the Bindplane agent to apply the changes

    1. To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

    2. To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:

       net stop observiq-otel-collector && net start observiq-otel-collector

    Configure syslog forwarding on Arista VeloCloud SD-WAN

    1. Sign in to the VeloCloud SD-WAN Orchestratorweb interface.
    2. Go to Configure > Profiles.
    3. Select the profile assigned to the Edge devices that you want to monitor.
    4. Click Configure Segmentfor the appropriate network segment.
    5. Select the Syslogtab.
    6. Click Add Ruleto create a new syslog forwarding rule.
    7. Provide the following configuration details:
      • Syslog Collector IP: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100 ).
      • Port: Enter 514 .
      • Protocol: Select UDP.
      • Facility: Select the appropriate syslog facility (for example, LOCAL0).
      • Severity: Select the minimum severity level to forward (for example, INFOto capture all informational and higher-severity events).
      • Tag: Optionally, enter a tag to identify these logs (for example, velocloud ).
      • Source Interface: Select the management interface or appropriate source interface.
    8. In the Rolessection, select the log categories to forward:
      • FIREWALL- to forward firewall event logs.
      • EDGE- to forward Edge device operational logs.
    9. Click Save Changes.

    10. If you need to override the profile settings for a specific Edge, go to Configure > Edges, select the Edge, and repeat the syslog configuration under the Devicetab.

    UDM mapping table

    Log Field UDM Mapping Logic
    cloud_software_label
    		additional.fields Merged
    in_label
    		additional.fields Merged
    proto_label
    		additional.fields Merged
    segment_label
    		additional.fields Merged
    segment_name_label
    		additional.fields Merged
    inter_hostname
    		intermediary.hostname Directly mapped
    description
    		metadata.description Directly mapped
    timestamp
    		metadata.event_timestamp Parsed as MMM d HH:mm:ss
    principal_present
    		metadata.event_type Mapped: true NETWORK_CONNECTION , true STATUS_UPDATE
    product_event_type
    		metadata.product_event_type Directly mapped
    ip_protocol_out
    		network.ip_protocol Renamed/mapped
    BYTES_RECEIVED
    		network.received_bytes Directly mapped
    BYTES_SENT
    		network.sent_bytes Directly mapped
    DURATION_SECS
    		network.session_duration.seconds Directly mapped
    SRC
    		principal.asset.ip Merged
    SRC
    		principal.ip Merged
    NAT_SRC
    		principal.nat_ip Merged
    NAT_SPT
    		principal.nat_port Directly mapped
    SPT
    		principal.port Directly mapped
    security_result_action
    		security_result.action Merged
    ACTION
    		security_result.action_details Directly mapped
    FW_POLICY_NAME
    		security_result.rule_name Directly mapped
    REASON
    		security_result.summary Directly mapped
    DEST_DOMAIN
    		target.administrative_domain Directly mapped
    DEST_NAME
    		target.asset.hostname Directly mapped
    DST
    		target.asset.ip Merged
    DEST_NAME
    		target.hostname Directly mapped
    DST
    		target.ip Merged
    DPT
    		target.port Directly mapped
    N/A
    		 metadata.event_type Constant: GENERIC_EVENT
    N/A
    		 metadata.product_name Constant: VELO_FIREWALL
    N/A
    		 metadata.vendor_name Constant: VELO_FIREWALL

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: