Console
    Start free

    Collect HP ProCurve logs

    Supported in:

    This document explains how to ingest HP ProCurve logs to Google Security Operations using the Bindplane agent.

    HP ProCurve is a line of network switches that generate syslog messages for authentication events, configuration changes, network activity, and system events. The parser extracts fields from syslog-formatted logs, parses key-value pairs and descriptions, and maps them to the Unified Data Model (UDM).

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the HP ProCurve switch
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • SSH access to the HP ProCurve switch

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    4. Save the file securely on the system where the Bindplane agent will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.

    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

      The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

      The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see the Bindplane agent installation guide .

    Configure the Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

    • Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/hp_procurve 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 HP_PROCURVE 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/hp_procurve_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/hp_procurve

    Configuration parameters

    Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended)
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

    • Exporter configuration:

      • creds_file_path : Full path to ingestion authentication file:
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for complete list

    Save the configuration file

    • After editing, save the file:
      • Linux: Press Ctrl+O , then Enter , then Ctrl+X
      • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

      1. Verify the service is running:

         sudo  
systemctl  
status  
observiq-otel-collector

      2. Check logs for errors:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    • To restart the Bindplane agent in Windows, choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

        4. Verify the service is running:

           sc query observiq-otel-collector

        5. Check logs for errors:

            type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Configure syslog on HP ProCurve switch

    1. Sign in to the HP ProCurve switchwith SSH.

    2. Verify the switch interface by using the following command:

       show ip int br

    3. Enable config mode on the switch using the following command:

       console# conf t

    4. Configure the switch to send logs using the following commands:

       logging host <bindplane-server-ip> transport <udp/tcp> port <port-number>
logging facility syslog
logging trap informational
logging buffer 65536
logging origin-id hostname
logging source-interface <interface>
      • Replace <bindplane-server-ip> with the Bindplane agent IP address.
      • Replace <port-number> with the configured port (default: 514 ).
      • Replace <interface> with the source interface for syslog traffic.

    UDM mapping table

    Log field UDM mapping Logic
    AAAScheme
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is AAAScheme
    AAAType
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is AAAType
    Chassis ID
    		 read_only_udm.security_result.detection_fields.value Value extracted from description field if the key is Chassis ID
    Command is
    		 read_only_udm.security_result.detection_fields.value Text after Command is in the commandInfo field
    CommandSource
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is CommandSource
    Config-Method
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as config_method
    ConfigDestination
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is ConfigDestination
    ConfigSource
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is ConfigSource
    Device-Name
    		 read_only_udm.principal.hostname If the field exists in the log, it's mapped to principal hostname and asset hostname
    Event-ID
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as event_id
    EventIndex
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is EventIndex
    IfIndex
    		 read_only_udm.security_result.detection_fields.value Value extracted from description field if the key is IfIndex
    IP: %{IP:IPAddr}
    		 read_only_udm.target.ip, read_only_udm.target.asset.ip IP address extracted from the desc field and mapped to target IP and target asset IP
    IPAddr
    		 read_only_udm.target.ip, read_only_udm.target.asset.ip If the field exists in the log, it's mapped to target IP and target asset IP
    Notice-Type
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as notice_type
    Port ID
    		 read_only_udm.security_result.detection_fields.value Value extracted from description field if the key is Port ID
    Remote-IP-Address
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as remote_ip_address
    Service
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is Service
    Task
    		 read_only_udm.security_result.detection_fields.value Value extracted from descrip field if the key is Task
    User
    		 read_only_udm.principal.user.userid If the field exists in the log, it's mapped to principal user ID
    User-Name
    		 read_only_udm.principal.user.userid If the field exists in the log, it's mapped to principal user ID
    UserName
    		 read_only_udm.principal.user.userid If the field exists in the log, it's mapped to principal user ID
    UserService
    		 read_only_udm.security_result.detection_fields.value Value extracted from desc field if the key is UserService
    collection_time.seconds
    		 read_only_udm.metadata.event_timestamp.seconds Seconds part of the event timestamp
    data
    		 This field contains the raw log message and is parsed to extract other fields. It's not mapped to the UDM.
    desc
    		 read_only_udm.security_result.description Description extracted from the log message
    descrip
    		 Description extracted from the desc field, further parsed for key-value pairs. It's not mapped to the UDM.
    description
    		 read_only_udm.security_result.description If the field exists in the log, it's mapped to the security result description
    descript
    		 read_only_udm.metadata.description If the field exists in the log, it's mapped to the metadata description
    event_id
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as event_id
    eventId
    		 read_only_udm.metadata.product_event_type Event ID extracted from the log message
    hostname
    		 read_only_udm.principal.hostname, read_only_udm.principal.asset.hostname Hostname extracted from the log message and mapped to principal hostname and asset hostname
    inter_ip
    		 read_only_udm.additional.fields.value.string_value, read_only_udm.intermediary.ip If the field exists in the log and is a valid IP, it's mapped to intermediary IP. Otherwise, it's placed in the additional fields as inter_ip
    notice_type
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as notice_type
    pid
    		 read_only_udm.principal.process.pid If the field exists in the log, it's mapped to principal process PID
    program
    		 Program information extracted from the log message, further parsed to extract module, severity, and action. It's not mapped to the UDM.
    proto
    		 read_only_udm.network.application_protocol, read_only_udm.additional.fields.value.string_value Protocol extracted from the log message. If it matches known protocols, it's mapped to application protocol. Otherwise, it's placed in the additional fields as Application Protocol
    remote_ip_address
    		 read_only_udm.principal.ip, read_only_udm.principal.asset.ip, read_only_udm.additional.fields.value.string_value If the field exists in the log and is a valid IP, it's mapped to principal IP and principal asset IP. Otherwise, it's placed in the additional fields as remote_ip_address
    severity
    		 read_only_udm.security_result.severity, read_only_udm.security_result.severity_details Severity extracted from the program field after splitting by / . It's mapped to UDM severity levels and also stored as raw severity details
    src_ip
    		 read_only_udm.principal.ip, read_only_udm.principal.asset.ip Source IP extracted from the log message and mapped to principal IP and principal asset IP
    status
    		 read_only_udm.additional.fields.value.string_value If the field exists in the log, it's placed in the additional fields as status
    targetHostname
    		 read_only_udm.target.hostname, read_only_udm.target.asset.ip If the field exists in the log, it's mapped to target hostname and target asset IP
    target_ip
    		 read_only_udm.target.ip, read_only_udm.target.asset.ip Target IP extracted from the log message and mapped to target IP and target asset IP
    timestamp
    		 read_only_udm.metadata.event_timestamp.seconds Timestamp extracted from the log message and converted to event timestamp
    timestamp.seconds
    		 read_only_udm.metadata.event_timestamp.seconds Seconds part of the event timestamp
    username
    		 read_only_udm.principal.user.userid If the field exists in the log, it's mapped to principal user ID
    		read_only_udm.metadata.event_type Determined based on a combination of fields and logic:
    - NETWORK_CONNECTION : if has_principal and has_target are true.
    - USER_LOGOUT : if action is WEBOPT_LOGOUT , LOGOUT , or SHELL_LOGOUT .
    - USER_LOGIN : if action is LOGIN or WEBOPT_LOGIN_SUC .
    - STATUS_UPDATE : if action is not empty or src_ip / hostname are not empty.
    - USER_UNCATEGORIZED : if has_user is true.
    - GENERIC_EVENT : if none of the these conditions are met.
    		read_only_udm.metadata.product_name Hardcoded to Procurve
    		read_only_udm.metadata.vendor_name Hardcoded to HP
    		read_only_udm.extensions.auth.type Set to MACHINE if event_type is USER_LOGOUT or USER_LOGIN

    Need more help? Get answers from Community members and Google SecOps professionals.

    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: