Console
    Start free

    Collect Dell EMC Isilon NAS logs

    Supported in:

    This document explains how to ingest Dell EMC Isilon NAS logs to Google Security Operations using the Bindplane agent.

    Dell EMC Isilon (now Dell PowerScale) is a scale-out NAS platform that generates syslog messages for file access auditing, protocol events, and system operations. The parser extracts fields and maps them to the Unified Data Model (UDM).

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the Dell EMC Isilon system
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Privileged access to Dell EMC Isilon (CLI)

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    4. Save the file securely on the system where the Bindplane agent will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.

    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

      The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

      The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see the Bindplane agent installation guide .

    Configure the Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

    • Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/dell_emc_nas 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 DELL_EMC_NAS 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/dell_emc_nas_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/dell_emc_nas

    Configuration parameters

    Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended)
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

    • Exporter configuration:

      • creds_file_path : Full path to ingestion authentication file:
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for complete list

    Save the configuration file

    • After editing, save the file:
      • Linux: Press Ctrl+O , then Enter , then Ctrl+X
      • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

      1. Verify the service is running:

         sudo  
systemctl  
status  
observiq-otel-collector

      2. Check logs for errors:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    • To restart the Bindplane agent in Windows, choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

        4. Verify the service is running:

           sc query observiq-otel-collector

        5. Check logs for errors:

            type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure syslog for OneFS version 7.x

    1. Sign in to the Dell Isilonusing CLI.

    2. Enable auditing using the following commands (replace zone_name with actual zone name):

       isi  
audit  
settings  
modify  
--protocol-auditing-enabled  
yes  
--audited-zones  
<zone_names>
isi  
zone  
zones  
modify  
<zone_name>  
--audit-success  
create,delete,read,rename,set_security,write
isi  
zone  
zones  
modify  
<zone_name>  
--audit-failure  
create,delete,read,rename,set_security,write
isi  
zone  
zones  
modify  
<zone_name>  
--syslog-audit-events  
create,delete,read,rename,set_security,write

    3. Enable syslog forwarding using the following command:

       isi  
zone  
zones  
modify  
<zone_name>  
--syslog-forwarding-enabled = 
yes

    4. Connect to an Isilon node using an SSH client.

    5. Open the syslog.conf file using vi , which is located in the /etc/mcp/templates directory:

       vi  
syslog.conf

    6. Locate the !audit_protocol line and add the following line (replace <bindplane-ip> with the actual Bindplane agent IP address):

       *.* @<bindplane-ip>

    7. Save the syslog.conf file:

       :wq

    Configure syslog for OneFS versions 8.0 and 8.1

    1. Sign in to the Dell Isilonusing CLI.

    2. Enable auditing using the following commands (replace zone_name with actual zone name):

       isi  
audit  
settings  
global  
modify  
--protocol-auditing-enabled  
yes  
--audited-zones  
<zone_names>
isi  
audit  
settings  
modify  
--zone  
<zone_name>  
--audit-success  
create,delete,read,rename,set_security,write
isi  
audit  
settings  
modify  
--zone  
<zone_name>  
--audit-failure  
create,delete,read,rename,set_security,write
isi  
audit  
settings  
modify  
--zone  
<zone_name>  
--syslog-audit-events  
create,delete,read,rename,set_security,write

    3. Enable syslog forwarding using the following command:

       isi  
audit  
settings  
modify  
--syslog-forwarding-enabled = 
yes  
--zone = 
<zone_name>

    4. Connect to an Isilon node using an SSH client.

    5. Open the syslog.conf file using vi , which is located in the /etc/mcp/templates directory:

       vi  
syslog.conf

    6. Locate the !audit_protocol line and add the following line (replace <bindplane-ip> with the actual Bindplane agent IP address):

       *.* @<bindplane-ip>

    7. Save the syslog.conf file:

       :wq

    Configure syslog for OneFS versions 8.2 to 9.4

    1. Enable auditing using the following commands (replace <bindplane-ip> with Bindplane agent IP address and zone_name with actual zone name):

       isi  
audit  
settings  
global  
modify  
--protocol-auditing-enabled  
yes  
--audited-zones  
<zone_name>  
--protocol-syslog-servers  
<bindplane-ip>
isi  
audit  
settings  
modify  
--zone  
<zone_name>  
--audit-success  
create,delete,read,rename,set_security,write
isi  
audit  
settings  
modify  
--zone  
<zone_name>  
--audit-failure  
create,delete,read,rename,set_security,write
isi  
audit  
settings  
modify  
--zone  
<zone_name>  
--syslog-audit-events  
create,delete,read,rename,set_security,write

    2. Enable syslog forwarding using the following command:

       isi  
audit  
settings  
modify  
--syslog-forwarding-enabled  
yes  
--zone  
<zone_name>

    UDM mapping table

    Log Field UDM Mapping Logic
    COMMAND
    		 target.process.command_line The raw log field COMMAND is mapped to this UDM field.
    PWD
    		 target.file.full_path The raw log field PWD is mapped to this UDM field when message doesn't contain command not allowed .
    USER
    		 principal.user.userid The raw log field USER is mapped to this UDM field.
    action_done
    		 Temporary variable used for parsing logic.
    application
    		 target.application The raw log field application is mapped to this UDM field.
    data
    		 This field is not mapped to the UDM.
    description
    		 metadata.description The raw log field description is mapped to this UDM field. Additionally, command not allowed is mapped to this field when message contains command not allowed .
    file_name
    		 target.file.full_path The raw log field file_name is mapped to this UDM field after removing any `
    intermediary_ip
    		 intermediary.ip The raw log field intermediary_ip is mapped to this UDM field.
    kv_data
    		 Temporary variable used for parsing logic.
    method
    		 Temporary variable used for parsing logic.
    pid
    		 target.process.pid The raw log field pid is mapped to this UDM field when it's not empty or - .
    resource_type
    		 target.resource.type The raw log field resource_type is mapped to this UDM field.
    src_host
    		 principal.hostname The raw log field src_host is mapped to this UDM field.
    src_ip
    		 principal.ip The raw log field src_ip is mapped to this UDM field. It can also be extracted from the description field using a Grok pattern.
    status
    		 Temporary variable used for parsing logic.
    ts
    		 metadata.event_timestamp.seconds The raw log field ts is parsed and its seconds value is mapped to this UDM field.
    user
    		 principal.user.userid The raw log field user is mapped to this UDM field if USER is empty.
    wsid
    		 principal.user.windows_sid The raw log field wsid is mapped to this UDM field after removing any characters after `
    N/A
    		 metadata.event_type This UDM field is derived from the parser logic based on the values of action_done , method , and PWD . It can be one of the following: PROCESS_UNCATEGORIZED , PROCESS_OPEN , FILE_CREATION , FILE_OPEN , FILE_DELETION , FILE_MODIFICATION , FILE_UNCATEGORIZED , or STATUS_SHUTDOWN (default).
    N/A
    		 security_result.action This UDM field is derived from the parser logic based on the value of status . It can be either ALLOW or BLOCK .
    N/A
    		 security_result.summary This UDM field is derived from the parser logic and populated with the value of action_done .
    N/A
    		 security_result.description This UDM field is derived from the parser logic by concatenating the values of method and status with a - separator.
    N/A
    		 metadata.vendor_name This UDM field is hardcoded to DELL .
    N/A
    		 metadata.product_name This UDM field is hardcoded to DELL_EMC_NAS .
    N/A
    		 metadata.log_type This UDM field is hardcoded to DELL_EMC_NAS .

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: