Collect Netscout Arbor Sightline logs
This document explains how to ingest Netscout Arbor Sightline logs into Google Security Operations using Bindplane agent.
Netscout Arbor Sightline (formerly Peakflow SP) is a DDoS detection and network visibility platform that provides robust capabilities from network-wide capacity planning to identifying and managing the mitigation of DDoS and other threats to the network. Sightline collects and analyzes flow data, BGP routing information, and SNMP data to detect anomalies, generate alerts, and coordinate mitigation responses.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or Linux host with
systemd - Network connectivity between the Bindplane agent and Netscout Arbor Sightline appliance
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Administrative access to the Netscout Arbor Sightline web interface
- Administrative access to the Netscout Arbor Sightline command-line interface (CLI) for system alert configuration
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
-
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
-
Copy and save the Customer IDfrom the Organization Detailssection.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Promptor PowerShellas an administrator.
-
Run the following command:
msiexec / i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" / quiet -
Wait for the installation to complete.
-
Verify the installation by running:
sc query observiq-otel-collectorThe service should show as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
-
Run the following command:
sudo sh -c " $( curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) " install_unix.sh -
Wait for the installation to complete.
-
Verify the installation by running:
sudo systemctl status observiq-otel-collectorThe service should show as active (running).
Additional installation resources
For additional installation options and troubleshooting, see Bindplane agent installation guide .
Configure Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
-
Linux:
sudo nano /etc/bindplane-agent/config.yaml -
Windows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
-
Replace the entire contents of
config.yamlwith the following configuration:receivers : udplog : listen_address : "0.0.0.0:514" exporters : chronicle/arbor_sightline : compression : gzip creds_file_path : '<CREDS_FILE_PATH>' customer_id : '<CUSTOMER_ID>' endpoint : malachiteingestion-pa.googleapis.com log_type : ARBOR_SIGHTLINE raw_log_field : body ingestion_labels : env : production service : pipelines : logs/arbor_to_chronicle : receivers : - udplog exporters : - chronicle/arbor_sightline -
Replace the following placeholders:
-
Receiver configuration:
- The receiver is configured to listen on UDP port 514 on all interfaces (
0.0.0.0:514) - If you need to use a different port (for example,
1514for non-root Linux installations), modify thelisten_addressvalue - If you prefer TCP syslog, replace
udplogwithtcplogin both the receivers section and the pipeline
- The receiver is configured to listen on UDP port 514 on all interfaces (
-
Exporter configuration:
-
<CREDS_FILE_PATH>: Full path to ingestion authentication file:- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
-
<CUSTOMER_ID>: Customer ID from the previous step -
endpoint: Regional endpoint URL (default shown is US region):- US:
malachiteingestion-pa.googleapis.com - Europe:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for complete list
- US:
-
log_type: Set toARBOR_SIGHTLINE(exact match required) -
ingestion_labels: Optional labels in YAML format (modify as needed for your environment)
-
-
Example configuration
-
receivers : udplog : listen_address : "0.0.0.0:514" exporters : chronicle/arbor_sightline : compression : gzip creds_file_path : '/etc/bindplane-agent/ingestion-auth.json' customer_id : 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6' endpoint : malachiteingestion-pa.googleapis.com log_type : ARBOR_SIGHTLINE raw_log_field : body ingestion_labels : env : production source : sightline service : pipelines : logs/arbor_to_chronicle : receivers : - udplog exporters : - chronicle/arbor_sightline
Save the configuration file
After editing, save the file:
- Linux: Press
Ctrl+O, thenEnter, thenCtrl+X - Windows: Click File > Save
Restart the Bindplane agent to apply the changes
-
To restart the Bindplane agent in Linux:
-
Run the following command:
sudo systemctl restart observiq-otel-collector -
Verify the service is running:
sudo systemctl status observiq-otel-collector -
Check logs for errors:
sudo journalctl -u observiq-otel-collector -f
-
-
To restart the Bindplane agent in Windows:
-
Choose one of the following options:
-
Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector -
Services console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
- Press
-
-
Verify the service is running:
sc query observiq-otel-collector -
Check logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
-
Configure Netscout Arbor Sightline syslog forwarding
To send logs to Google SecOps, you must configure Netscout Arbor Sightline to forward syslog events to the Bindplane agent. This involves creating a notification group, configuring global notification settings, and setting up alert notification rules.
Create a notification group
- Sign in to the Netscout Arbor Sightlineweb interface as an administrator.
- Go to Administration > Notification > Groups.
- Click Add Notification Group.
- Provide the following configuration details:
- Destinations: Enter the IP address of the Bindplane agent host (for example,
192.168.1.100). - Port: Enter
514(or the port configured in the Bindplane agent, such as1514). - Facility: Select a syslog facility (for example,
local0oruser). - Severity: Select
info. The informational severity collects all event messages at the informational event level and higher severity.
- Destinations: Enter the IP address of the Bindplane agent host (for example,
- Click Save.
-
Click Configuration Committo apply the configuration changes.
Configure global notification settings
Global notifications in Netscout Arbor Sightline provide system notifications that are not associated with specific alert rules.
- In the Netscout Arbor Sightline web interface, go to Administration > Notification > Global Settings.
- In the Default Notification Groupfield, select the notification group you created for Google SecOps.
- Click Save.
- Click Configuration Committo apply the configuration changes.
Enable system alert notifications
System alerts require additional configuration via the command-line interface (CLI).
- Sign in to the Netscout Arbor Sightlinecommand-line interface as an administrator.
-
List the current system alert configuration:
services sp alerts system_errors show -
To list available system alert field names that can be configured, run:
services sp alerts system_errors ? -
Enable notifications for system alerts. For each alert type you want to enable, run:
services sp alerts system_errors <alert_name> notifications enableReplace
<alert_name>with the specific system alert field name (for example,disk_full,flow_collector_down,license_expiring). -
Commit the configuration changes:
config write
Configure alert notification rules
Alert notification rules determine which alerts trigger syslog notifications to Google SecOps.
- In the Netscout Arbor Sightline web interface, go to Administration > Notification > Rules.
- Choose one of the following options:
- Click an existing rule to edit it.
- Click Add Ruleto create a new notification rule.
- Configure the following values:
- Name: Enter a descriptive name for the rule (for example,
Chronicle-DDoS-Alerts). - Resource: Enter a CIDR address or select a managed object from the list of Sightline resources. To apply the rule to all resources, leave this field empty or select All.
- Importance: Select the minimum importance level for alerts (for example,
Low,Medium,High, orCritical). Alerts at or above this level will trigger notifications. - Notification Group: Select the notification group you created for Google SecOps.
- Name: Enter a descriptive name for the rule (for example,
- Repeat these steps to configure additional rules as needed for different resources or importance levels.
- Click Save.
-
Click Configuration Committo apply the configuration changes.
Test syslog connectivity
After configuring the notification group and rules, verify that syslog messages are being sent to the Bindplane agent.
-
In the Netscout Arbor Sightline CLI, test the syslog connection:
services sp notification test syslog group <notification_group_name>Replace
<notification_group_name>with the name of the notification group you created. -
The command should return:
Server returned: Success -
Check the Bindplane agent logs to verify that test messages are being received:
Linux:
sudo journalctl -u observiq-otel-collector -fWindows:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" -
In the Google SecOps console, go to Searchand verify that Netscout Arbor Sightline logs are appearing with the ingestion label
ARBOR_SIGHTLINE.
Event types forwarded to Google SecOps
-
Netscout Arbor Sightline forwards the following event categories via syslog:
- Denial of Service (DoS) events: DDoS attack detection alerts, including volumetric attacks, protocol attacks, and application-layer attacks
- Authentication events: User login successes and failures, authentication attempts
- Exploit events: Detected exploit attempts and suspicious traffic patterns
- Suspicious activity events: Anomalous traffic behavior and potential security threats
- System events: Appliance health, service status, configuration changes, and operational alerts
- Mitigation events: Mitigation start, stop, and status updates for DDoS attacks
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
|
msg1
|
additional.fields | Merged with labels from each field if not empty, using specific keys like "message_description" for msg1, "config_version" for config_version, etc. |
|
config_version
|
additional.fields | |
|
prin_user
|
additional.fields | |
|
old_bgp_attributes
|
additional.fields | |
|
new_bgp_attributes
|
additional.fields | |
|
reason
|
additional.fields | |
|
sample_rate
|
additional.fields | |
|
proto
|
additional.fields | |
|
flows
|
additional.fields | |
|
identifier
|
additional.fields | |
|
expected_bps
|
additional.fields | |
|
actual_bps
|
additional.fields | |
|
server
|
additional.fields | |
|
status
|
additional.fields | |
|
percent
|
additional.fields | |
|
rate
|
additional.fields | |
|
rateunit
|
additional.fields | |
|
flags
|
additional.fields | |
|
router
|
additional.fields | |
|
interface
|
additional.fields | |
|
ip_ver
|
additional.fields | |
|
protocol_id
|
additional.fields | |
|
router_name
|
additional.fields | |
|
interface_id
|
additional.fields | |
|
interface_name
|
additional.fields | |
|
priority
|
additional.fields | |
|
log_level
|
additional.fields | |
|
pool
|
additional.fields | |
|
thread_id
|
additional.fields | |
|
timeout
|
additional.fields | |
|
attempts
|
additional.fields | |
|
vulns
|
extensions.vulns.vulnerabilities | Merged if vulns not empty |
|
desc
|
metadata.description | Set to "%{desc}: %{desc2}" if both desc and desc2 not empty, else desc; overwritten by message_desc if not empty |
|
desc2
|
metadata.description | |
|
message_desc
|
metadata.description | |
|
event_time
|
metadata.event_timestamp | Converted using date filter with format MMM dd HH:mm:ss or MMM d HH:mm:ss, timezone Europe/London |
|
desc2
|
metadata.event_type | Set to "SCAN_PROCESS" if desc2 matches "(DNS Amplification |
|
message
|
metadata.event_type | |
|
src_ip
|
metadata.event_type | |
|
has_target_ip
|
metadata.event_type | |
|
has_network_protocol
|
metadata.event_type | |
|
host_name
|
metadata.event_type | |
|
message
|
metadata.product_event_type | Set to "Host Detection" if message matches "Host Detection"; "TMS Mitigation started" if message matches " started"; "TMS Mitigation stopped" if message matches " stopped" |
|
metadata.product_name
|
metadata.product_name | Set to "ARBOR_SIGHTLINE" |
|
metadata.vendor_name
|
metadata.vendor_name | Set to "NETSCOUT" |
|
direction
|
network.direction | Set to "INBOUND" if direction "incoming" |
|
proto
|
network.ip_protocol | Set to "TCP" if proto "6"; else set to uppercase network_protocol if matches "(?i)(TCP |
|
network_protocol
|
network.ip_protocol | |
|
bytes
|
network.sent_bytes | Value copied directly, converted to uinteger |
|
packets
|
network.sent_packets | Value copied directly, converted to integer |
|
duration
|
network.session_duration.seconds | Value copied directly if not empty and not "0", converted to integer |
|
host_name
|
principal.hostname | Value copied directly |
|
src_ip
|
principal.ip | Merged from src_ip and nameserver_ip |
|
nameserver_ip
|
principal.ip | |
|
namespace
|
principal.namespace | Value copied directly |
|
filename
|
principal.process.file.full_path | Value copied directly |
|
alert_id
|
principal.process.pid | Value copied directly |
|
prin_url
|
principal.url | Value copied directly |
|
prin_user
|
principal.user.userid | Value copied directly |
|
impact
|
security_result.detection_fields | Merged with keys "Impact" from impact, "Importance" from importance, "Signature" from signature, "Leader" from leader, "parent_managed_object" from parent_managed_object, "Alert ID" from alert_id |
|
importance
|
security_result.detection_fields | |
|
signature
|
security_result.detection_fields | |
|
leader
|
security_result.detection_fields | |
|
parent_managed_object
|
security_result.detection_fields | |
|
alert_id
|
security_result.detection_fields | |
|
severity
|
security_result.severity | Set to "INFORMATIONAL" if severity in ["10","9"]; "LOW" if in ["8","7"]; "MEDIUM" if "6"; "HIGH" if in ["5","4"]; "CRITICAL" if in ["3","2","1"] |
|
desc2
|
security_result.threat_status | Set to "ACTIVE" if desc matches "Host Detection alert" and message "start" and not "stop"; "CLEARED" if desc matches "Host Detection alert" and message "stop" |
|
message
|
security_result.threat_status | |
|
intem_host
|
target.group.product_object_id | Value copied directly |
|
dst_ip
|
target.ip | Value copied directly |
|
dst_port
|
target.port | Value copied directly, converted to integer |
|
file_path
|
target.process.file.full_path | Value copied directly |
|
stop_time
|
vulns.vulnerabilities.scan_end_time | Converted using date filter with format yyyy-MM-dd HH:mm:ss |
|
start_time
|
vulns.vulnerabilities.scan_start_time | Converted using date filter with format yyyy-MM-dd HH:mm:ss or yyyy-MM-dd |
Need more help? Get answers from Community members and Google SecOps professionals.
