Collect Pharos logs
This document explains how to ingest Pharos logs to Google Security Operations using Bindplane.
Pharos is an on-premises print management platform for tracking, controlling, and auditing print activities across enterprise environments. Pharos Blueprint Enterprise stores print job data, user activity, and device events in a SQL Server database.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later
- Network connectivity between the Bindplane agent and the Pharos Blueprint server
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Administrative access to the Pharos Blueprint server
- Access to the Pharos SQL Server database or the Blueprint Administrator reporting console
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
- Run the following command:

```
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```

- Wait for the installation to complete.
- Verify the installation by running:

```
sc query observiq-otel-collector
```

The service should show as RUNNING.
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure the Bindplane agent to ingest logs and send to Google SecOps
- Locate the configuration file:

```
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
```

- Edit the configuration file. Replace the entire contents of `config.yaml` with the following configuration:

```yaml
receivers:
  filelog:
    include:
      - 'C:\Pharos\Exports\*.csv'
    start_at: beginning
    poll_interval: 5s

exporters:
  chronicle/pharos:
    compression: gzip
    creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json'
    customer_id: '<customer_id>'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: PHAROS
    raw_log_field: body
    ingestion_labels:
      env: production

service:
  pipelines:
    logs/pharos_to_chronicle:
      receivers:
        - filelog
      exporters:
        - chronicle/pharos
```
Configuration parameters
Replace the following placeholders:
- Receiver configuration:
  - `include`: Paths to Pharos export files:
    - Windows: `C:\Pharos\Exports\*.csv`
    - Adjust the path based on where you export Pharos print activity reports
  - `start_at`: Set to `beginning` to read existing logs, or `end` to read only new entries
  - `poll_interval`: How often to check for new log data (default: `5s`)
- Exporter configuration:
  - `pharos`: Descriptive name for the exporter
  - `creds_file_path`: Full path to the ingestion authentication file:
    - Windows: `C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json`
  - `<customer_id>`: Customer ID from the previous step
  - `endpoint`: Regional endpoint URL:
    - US: `malachiteingestion-pa.googleapis.com`
    - Europe: `europe-malachiteingestion-pa.googleapis.com`
    - Asia: `asia-southeast1-malachiteingestion-pa.googleapis.com`
    - See Regional Endpoints for the complete list
  - `PHAROS`: Log type exactly as it appears in Chronicle
  - `ingestion_labels`: Optional labels in YAML format (for example, `env: production`)
- Pipeline configuration:
  - `pharos_to_chronicle`: Descriptive name for the pipeline
Save the configuration file
- After editing, save the file:
- Windows: Click File > Save
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Windows:
- Choose one of the following options:
  - Command Prompt or PowerShell as administrator: run `net stop observiq-otel-collector && net start observiq-otel-collector`
  - Services console:
    - Press Win+R, type `services.msc`, and press Enter.
    - Locate observIQ OpenTelemetry Collector.
    - Right-click and select Restart.
- Verify the service is running:

```
sc query observiq-otel-collector
```

- Check logs for errors:

```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```
Export Pharos print activity logs
Pharos Blueprint Enterprise stores print job data in a SQL Server database. You must export the data to CSV files that the Bindplane agent can read.
Export print activity data from the Pharos SQL database
- On the Pharos Blueprint server, connect to the Pharos SQL database using SQL Server Management Studio or a command-line tool.
- Export print activity records using a SQL query:

```
sqlcmd -S <sql_server> -d Pharos -Q "SELECT * FROM PrintJobLog WHERE JobDate >= DATEADD(day, -1, GETDATE())" -o "C:\Pharos\Exports\pharos_print_jobs.csv" -s "," -W
```

- Schedule this command to run at regular intervals (for example, every hour) using Windows Task Scheduler so the Bindplane agent continuously picks up new export files.
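The `sqlcmd` export above is not a clean CSV file: `sqlcmd` writes a header row, a row of dashes under it, and a `(N rows affected)` trailer, and it does not quote field values, so a job name containing a comma shifts the columns of that row. Because the query also re-selects the last 24 hours on every scheduled run, each hourly file repeats most of the previous one. The following script is an added example (not Pharos, Bindplane or Google SecOps code) that filters those non-data lines, reports rows whose column count no longer matches the header instead of mapping them to the wrong fields, drops job IDs already exported, and writes a properly quoted, timestamped CSV for the filelog receiver. The column names (`JobId`, `JobName`, `UserDisplayName`, `HostName`, `IPAddress`, `JobDate`) and the sample rows are constructed for illustration; the real `PrintJobLog` schema may differ.

```python
"""Clean a sqlcmd export of Pharos print jobs before the filelog receiver reads it.

Example code added to this page; not part of Pharos, Bindplane or Google SecOps.
Column names are assumed for illustration and may not match PrintJobLog.
"""
import csv
import io
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of what `sqlcmd -s "," -W` writes: a header row, a row of
# dashes, unquoted data rows (note the comma inside the second JobName) and a
# "(N rows affected)" trailer.
SAMPLE_EXPORT = """JobId,JobName,UserDisplayName,HostName,IPAddress,JobDate
-----,-------,---------------,--------,---------,-----------------------
1001,Q3 report.pdf,Alice Example,WS-0123,10.20.30.41,2024-05-01 09:15:02.000
1002,Invoice, final.docx,Bob Example,WS-0456,Unknown,2024-05-01 09:16:30.000
1003,Badge photo.png,Carol Example,WS-0789,10.20.30.43,2024-05-01 09:17:11.000

(3 rows affected)
"""

ROWS_AFFECTED = re.compile(r"^\(\d+ rows? affected\)$")


def parse_sqlcmd_export(text, separator=","):
    """Return (records, malformed_lines).

    Blank lines, the dash row under the header and the rows-affected trailer
    are dropped. sqlcmd does not quote fields, so a value containing the
    separator changes the column count; such lines are reported, not guessed.
    """
    header = None
    records, malformed = [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not line.strip() or ROWS_AFFECTED.match(line.strip()):
            continue
        if header is None:
            header = line.split(separator)
            continue
        if set(line) <= {"-", separator}:
            continue  # dash row printed under the header
        fields = line.split(separator)
        if len(fields) != len(header):
            malformed.append(line)
            continue
        records.append(dict(zip(header, fields)))
    return records, malformed


def select_unseen(records, seen_ids, key="JobId"):
    """Keep only records whose key was not exported by an earlier run.

    seen_ids is updated in place; persist it between scheduled runs (for
    example in a small JSON file next to the export directory).
    """
    fresh = []
    for rec in records:
        if rec[key] in seen_ids:
            continue
        seen_ids.add(rec[key])
        fresh.append(rec)
    return fresh


def to_clean_csv(records, fieldnames=None):
    """Serialise records as RFC 4180 CSV; fields containing commas get quoted."""
    if not records:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames or list(records[0]),
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def main():
    records, malformed = parse_sqlcmd_export(SAMPLE_EXPORT)
    for line in malformed:
        print("skipped malformed row:", line)
    fresh = select_unseen(records, set())
    # One new, timestamped file per run avoids overwriting a file the
    # receiver may still be tailing. Use C:\Pharos\Exports in production.
    out_dir = Path(tempfile.mkdtemp())
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    out_path = out_dir / f"pharos_print_jobs_{stamp}.csv"
    out_path.write_text(to_clean_csv(fresh), encoding="utf-8")
    print(f"wrote {len(fresh)} records to {out_path}")


if __name__ == "__main__":
    main()
```

In a scheduled task, run `sqlcmd` to a staging file outside the `include` path, pass its contents through `parse_sqlcmd_export`, and write the cleaned output into `C:\Pharos\Exports` so the receiver never sees a half-written or malformed file.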
Alternative: Export reports from the Blueprint Administrator console
- Open the Pharos Blueprint Administrator console.
- Navigate to Insights > Reports.
- Select the desired report type (for example, Print Activity, User Activity, Device Activity).
- Configure the date range and filters.
- Export the report as a CSV file to the export directory (for example, `C:\Pharos\Exports`).
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
| msg.Building, msg.DataSource, msg.FactSubType, msg.FactType, msg.JobId, msg.JobName, msg.JobTimeutc, msg.PostalCode, msg.VpnConnected, mtd.customer, mtd.slt.node, mtd.slt.pipeline, mtd.source.database, mtd.timestamp.producer_process | additional.fields | Merged with Building_label if msg.Building not empty, datasource_label if msg.DataSource not empty, factsubtype_label if msg.FactSubType not empty, facttype_label if msg.FactType not empty, jobid_label if msg.JobId not empty, jobname_label if msg.JobName not empty, jobtimeutc_label if msg.JobTimeutc not empty, postalcode_label if msg.PostalCode not in ["", "Unknown"], vpnconnected_label if msg.VpnConnected not empty, customer_label if mtd.customer not empty, node_label if mtd.slt.node not empty, pipeline_label if mtd.slt.pipeline not empty, database_label if mtd.source.database not empty, producer_process_label if mtd.timestamp.producer_process not empty |
| | metadata.event_type | Set to "STATUS_UPDATE" if has_principal is true, else "GENERIC_EVENT" |
| msg.Application | principal.application | Value copied directly if not empty |
| msg.HostName | principal.asset.hostname | Value copied directly if not empty |
| msg.IPAddress | principal.asset.ip | Value copied directly if not in ["", "Unknown"] |
| msg.City | principal.location.city | Value copied directly if not in ["", "Unknown"] |
| msg.Country | principal.location.country_or_region | Value copied directly if not in ["", "Unknown"] |
| msg.State | principal.location.state | Value copied directly if not in ["", "Unknown"] |
| msg.HostName | principal.hostname | Value copied directly if not empty |
| msg.IPAddress | principal.ip | Value copied directly if not in ["", "Unknown"] |
| msg.UserDisplayName | principal.user.user_display_name | Value copied directly if not empty |
| mtd.source.host | src.hostname | Value copied directly if not empty |
| mtd.source.port | src.port | Value copied directly if not in ["", "n/a"] |
| mtd.source.type | src.resource.attribute.labels | Merged with sourcetype_label if not empty |
| | metadata.product_name | Set to "PHAROS" |
| | metadata.vendor_name | Set to "PHAROS" |
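The mapping rules in the table can be checked offline before relying on them in detections. The script below is an added example, not the Google SecOps PHAROS parser itself; it reproduces the table's rules so that, for a given input event, you can see which UDM fields will and will not be populated (for example that `principal.ip` is dropped when the source reports `Unknown`, and that `src.port` is dropped for `n/a`). Two things are assumptions: the input shape (a dict with `msg` and `mtd` sub-objects, mirroring the `msg.*` and `mtd.*` field names in the table), and the meaning of `has_principal`, which the table uses without defining and which is taken here to be true when at least one `principal.*` field was set. The sample event is constructed.

```python
"""Apply the UDM mapping rules from the table above to a Pharos event.

Example code added to this page, not the Google SecOps PHAROS parser. The
"msg"/"mtd" input layout and the has_principal rule are assumptions.
"""
import json

EMPTY = ("",)
EMPTY_OR_UNKNOWN = ("", "Unknown")

# (source field, UDM field, values that suppress the copy), as in the table
DIRECT_COPIES = [
    ("msg.Application", "principal.application", EMPTY),
    ("msg.HostName", "principal.asset.hostname", EMPTY),
    ("msg.HostName", "principal.hostname", EMPTY),
    ("msg.IPAddress", "principal.asset.ip", EMPTY_OR_UNKNOWN),
    ("msg.IPAddress", "principal.ip", EMPTY_OR_UNKNOWN),
    ("msg.City", "principal.location.city", EMPTY_OR_UNKNOWN),
    ("msg.Country", "principal.location.country_or_region", EMPTY_OR_UNKNOWN),
    ("msg.State", "principal.location.state", EMPTY_OR_UNKNOWN),
    ("msg.UserDisplayName", "principal.user.user_display_name", EMPTY),
    ("mtd.source.host", "src.hostname", EMPTY),
    ("mtd.source.port", "src.port", ("", "n/a")),
]

# (source field, label key merged into additional.fields, suppressing values)
LABELS = [
    ("msg.Building", "Building_label", EMPTY),
    ("msg.DataSource", "datasource_label", EMPTY),
    ("msg.FactSubType", "factsubtype_label", EMPTY),
    ("msg.FactType", "facttype_label", EMPTY),
    ("msg.JobId", "jobid_label", EMPTY),
    ("msg.JobName", "jobname_label", EMPTY),
    ("msg.JobTimeutc", "jobtimeutc_label", EMPTY),
    ("msg.PostalCode", "postalcode_label", EMPTY_OR_UNKNOWN),
    ("msg.VpnConnected", "vpnconnected_label", EMPTY),
    ("mtd.customer", "customer_label", EMPTY),
    ("mtd.slt.node", "node_label", EMPTY),
    ("mtd.slt.pipeline", "pipeline_label", EMPTY),
    ("mtd.source.database", "database_label", EMPTY),
    ("mtd.timestamp.producer_process", "producer_process_label", EMPTY),
]

# Constructed sample event (assumed layout); values are illustrative.
SAMPLE_EVENT = {
    "msg": {
        "Application": "Adobe Acrobat", "HostName": "WS-0123",
        "IPAddress": "Unknown", "City": "Dublin", "Country": "IE", "State": "",
        "UserDisplayName": "Alice Example", "Building": "HQ", "JobId": "1001",
        "JobName": "Q3 report.pdf", "PostalCode": "Unknown", "VpnConnected": "True",
    },
    "mtd": {
        "source": {"host": "pharos-db01", "port": "n/a", "type": "pharos",
                   "database": "Pharos"},
        "slt": {"node": "node-a", "pipeline": "pharos_to_chronicle"},
        "customer": "example-customer",
        "timestamp": {"producer_process": "exporter"},
    },
}


def _get(record, dotted):
    """Walk a dotted path such as 'mtd.source.port'; None if any part is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def map_to_udm(record):
    """Return a flat dict of UDM field path -> value per the table's rules."""
    udm = {}
    for src, dst, skip in DIRECT_COPIES:
        value = _get(record, src)
        if value is not None and value not in skip:
            udm[dst] = value
    fields = {}
    for src, label, skip in LABELS:
        value = _get(record, src)
        if value is not None and value not in skip:
            fields[label] = value
    if fields:
        udm["additional.fields"] = fields
    source_type = _get(record, "mtd.source.type")
    if source_type:
        udm["src.resource.attribute.labels"] = {"sourcetype_label": source_type}
    # Assumption: has_principal is true once any principal.* field was set.
    has_principal = any(key.startswith("principal.") for key in udm)
    udm["metadata.event_type"] = "STATUS_UPDATE" if has_principal else "GENERIC_EVENT"
    udm["metadata.product_name"] = "PHAROS"
    udm["metadata.vendor_name"] = "PHAROS"
    return udm


if __name__ == "__main__":
    print(json.dumps(map_to_udm(SAMPLE_EVENT), indent=2))
```

Feed it a record from your own export to see which fields your detection rules can actually key on; an event whose hostname, IP and user are all empty lands as `GENERIC_EVENT` with no `principal` at all, which is worth knowing before writing a rule that filters on `metadata.event_type`.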