Collect Sophos DHCP logs
This document explains how to ingest Sophos Dynamic Host Configuration Protocol (DHCP) logs to Google Security Operations using Bindplane. The parser first normalizes Sophos DHCP syslog messages into a key-value structure and then maps the extracted fields to the Unified Data Model (UDM) schema. It handles different DHCP message types (DHCPREQUEST, DHCPACK, DHCPOFFER, DHCPNAK) and extracts relevant information like IP addresses, MAC addresses, and DHCP options.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- A Windows 2016 or later, or Linux host with systemd.
- If running behind a proxy, make sure firewall ports are open per the Bindplane agent requirements.
- Privileged access to the Sophos UTM management console or Sophos Firewall (SFOS) Web Admin console.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
- Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open the Command Prompt or PowerShell as an administrator.
- Run the following command:

```
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
```
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:

```
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
```
Additional installation resources
For additional installation options, consult the installation guide.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
- Access the configuration file:
  - Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
  - Open the file using a text editor (for example, nano, vi, or Notepad).
- Edit the config.yaml file as follows:

```yaml
receivers:
  udplog:
    # Replace the port and IP address as required
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the path to the credentials file you downloaded in Step 1
    creds_file_path: '/path/to/ingestion-authentication-file.json'
    # Replace with your actual customer ID from Step 2
    customer_id: <CUSTOMER_ID>
    endpoint: malachiteingestion-pa.googleapis.com
    # Add optional ingestion labels for better organization
    log_type: 'SOPHOS_DHCP'
    raw_log_field: body
    ingestion_labels:

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - udplog
      exporters:
        - chronicle/chronicle_w_labels
```

- Replace the port and IP address as required in your infrastructure.
- Replace <CUSTOMER_ID> with the actual Customer ID.
- Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Restart the Bindplane agent to apply the changes
- To restart the BindPlane agent in Linux, run the following command:

```
sudo systemctl restart observiq-otel-collector
```

- To restart the BindPlane agent in Windows, you can either use the Services console or enter the following command:

```
sc stop observiq-otel-collector && sc start observiq-otel-collector
```
Option 2: Configure Syslog forwarding on Sophos Firewall
- Sign in to the Sophos Firewall Web Admin Console.
- Go to Configure > System services > Log settings.
- Click Add to configure a syslog server.
- Provide the following configuration details:
  - Name: Enter a unique name for the Google SecOps collector (for example, Google SecOps BindPlane DHCP).
  - IP address/Domain: Enter the BindPlane IP address.
  - Port: Enter the BindPlane port number (for example, 514).
  - Facility: Select DAEMON.
  - Severity level: Select Information.
  - Format: Select Device standard format.
- Click Save.
- Return to the Log Settings page and select the specific log types to forward to the syslog server.
- Select the appropriate log categories that include DHCP events. DHCP logs are generated by the dhcpd service and are part of the network or system logs that are forwarded when the corresponding log categories are enabled.
- Click Apply to save the configuration.
Option 1: Configure Syslog forwarding on Sophos UTM
- Sign in to the Sophos UTM Management Console.
- Go to Logging & Reporting > Log Settings > Remote Syslog Server.
- Click the toggle button to enable Remote syslog. The Remote Syslog Settings area becomes editable.
- In the Syslog servers field, click + Add syslog server.
- In the Add syslog server dialog, provide the following configuration details:
  - Name: Enter a descriptive name (for example, Google SecOps BindPlane DHCP).
  - Server: Click the + (plus) icon next to the Server field. Create or select a Host from Network Definitions with the BindPlane Agent IP address and click Save.
  - Port: Click the + (plus) icon next to the Port field. Create or select a Service Definition with the appropriate protocol and port (for example, UDP/514) and click Save.
- Click Save in the Add Syslog Server dialog.
- Click Apply in the Remote Syslog Settings section.
- Optional: Adjust the Remote Syslog Buffer setting (default is 1000 lines) and click Apply.
- In the Remote Syslog Log Selection section, select DHCP Server and the required log categories.
- Click Apply to save the log selection settings.
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
| action | event.idm.read_only_udm.security_result.action_details | |
| attr_address | event.idm.read_only_udm.target.ip | |
| attr_addresses | event.idm.read_only_udm.target.ip | |
| call | event.idm.read_only_udm.security_result.summary | |
| client | event.idm.read_only_udm.principal.hostname | |
| client | event1.idm.read_only_udm.principal.hostname | |
| data | | |
| dstip | event.idm.read_only_udm.target.ip | |
| dstmac | event.idm.read_only_udm.target.mac | |
| dstport | event.idm.read_only_udm.target.port | |
| fwrule | event.idm.read_only_udm.security_result.rule_id | |
| id | event.idm.read_only_udm.metadata.product_event_type | Concatenated with `ulogd -` |
| id | event1.idm.read_only_udm.metadata.product_event_type | Concatenated with `ID -` |
| info | event.idm.read_only_udm.security_result.description | |
| initf | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to `In Interface` |
| msg | event.idm.read_only_udm.metadata.description | When process_type is not `confd` or `ulogd` |
| name | event.idm.read_only_udm.security_result.description | |
| objname | event.idm.read_only_udm.principal.resource.name | |
| oldattr_address | event.idm.read_only_udm.principal.ip | |
| oldattr_addresses | event.idm.read_only_udm.principal.ip | |
| outitf | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to `Out Interface` |
| pid | event.idm.read_only_udm.principal.process.pid | |
| proto | event.idm.read_only_udm.network.ip_protocol | |
| severity | event.idm.read_only_udm.security_result.severity | If severity is `info` or `debug`, then security_result.severity is `INFORMATIONAL`. If severity is `warn`, then security_result.severity is `MEDIUM` |
| severity | event1.idm.read_only_udm.security_result.severity | If severity is `info` or `debug`, then security_result.severity is `INFORMATIONAL`. If severity is `warn`, then security_result.severity is `MEDIUM` |
| sid | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to `sid` |
| src_host | event.idm.read_only_udm.principal.hostname | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`, `DHCPACK`, or `DHCPOFFER` |
| src_host | event.idm.read_only_udm.observer.hostname | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST` |
| src_host | event.idm.read_only_udm.network.dhcp.client_hostname | When process_type is `dhcpd` and dhcp_type is `DHCPACK` or `DHCPOFFER` |
| src_ip | event.idm.read_only_udm.network.dhcp.ciaddr | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST` |
| src_ip | event.idm.read_only_udm.network.dhcp.yiaddr | When process_type is `dhcpd` and dhcp_type is `DHCPACK`, `DHCPOFFER`, or `DHCPNAK` |
| src_ip | event.idm.read_only_udm.principal.ip | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`, `DHCPACK`, `DHCPOFFER`, or `DHCPNAK` |
| src_ip | event.idm.read_only_udm.observer.ip | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`, `DHCPACK`, or `DHCPOFFER` |
| src_mac | event.idm.read_only_udm.network.dhcp.chaddr | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`, `DHCPACK`, `DHCPOFFER`, or `DHCPNAK` |
| src_mac | event.idm.read_only_udm.principal.mac | When process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`, `DHCPACK`, `DHCPOFFER`, or `DHCPNAK` |
| srcip | event.idm.read_only_udm.principal.ip | |
| srcip | event1.idm.read_only_udm.principal.ip | |
| srcmac | event.idm.read_only_udm.principal.mac | |
| srcport | event.idm.read_only_udm.principal.port | |
| sub | event.idm.read_only_udm.metadata.description | |
| sub | event1.idm.read_only_udm.metadata.description | |
| tcpflags | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to `TCP Flags` |
| user | event.idm.read_only_udm.principal.user.userid | |
| user | event1.idm.read_only_udm.principal.user.userid | |
| | event.idm.read_only_udm.metadata.event_type | `GENERIC_EVENT` if no other event_type is set. `NETWORK_CONNECTION` if srcip and dstip are not empty. `RESOURCE_WRITTEN` if name is `object changed`. `NETWORK_DHCP` if process_type is `dhcpd` |
| | event.idm.read_only_udm.metadata.log_type | Hardcoded to `SOPHOS_DHCP` |
| | event.idm.read_only_udm.metadata.product_name | Hardcoded to `SOPHOS_DHCP` |
| | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to `SOPHOS` |
| | event.idm.read_only_udm.network.application_protocol | Hardcoded to `DHCP` when process_type is `dhcpd` |
| | event.idm.read_only_udm.network.dhcp.opcode | Hardcoded to `BOOTREQUEST` when process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`. Hardcoded to `BOOTREPLY` when process_type is `dhcpd` and dhcp_type is `DHCPACK`, `DHCPOFFER`, or `DHCPNAK` |
| | event.idm.read_only_udm.network.dhcp.type | `REQUEST` when process_type is `dhcpd` and dhcp_type is `DHCPREQUEST`. `ACK` when process_type is `dhcpd` and dhcp_type is `DHCPACK`. `OFFER` when process_type is `dhcpd` and dhcp_type is `DHCPOFFER`. `NAK` when process_type is `dhcpd` and dhcp_type is `DHCPNAK` |
| | event1.idm.read_only_udm.metadata.event_type | Hardcoded to `GENERIC_EVENT` |
| | event1.idm.read_only_udm.metadata.log_type | Hardcoded to `SOPHOS_DHCP` |
| | event1.idm.read_only_udm.metadata.product_name | Hardcoded to `SOPHOS_DHCP` |
| | event1.idm.read_only_udm.metadata.vendor_name | Hardcoded to `SOPHOS` |
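The dhcpd rows of the mapping table, re-implemented as an added example (this is not Google's parser code) so that the UDM fields expected for a DHCP event can be checked against what Google SecOps shows. Field names are the parser's extracted keys from the table; the key=value sample lines are constructed and do not represent the raw Sophos syslog format.

```python
# Added example, not Google's parser: applies the dhcpd rows of the UDM
# mapping table above to a normalized key=value record. Field names follow
# the table; the two sample lines are constructed, not real Sophos output.
# Paths are flat and omit the event.idm.read_only_udm. prefix.

DHCP_TYPES = {"DHCPREQUEST": "REQUEST", "DHCPACK": "ACK",
              "DHCPOFFER": "OFFER", "DHCPNAK": "NAK"}
SEVERITY = {"info": "INFORMATIONAL", "debug": "INFORMATIONAL", "warn": "MEDIUM"}
SAMPLE_REQ = "process_type=dhcpd dhcp_type=DHCPREQUEST src_ip=10.0.0.23 src_mac=aa:bb:cc:dd:ee:01 src_host=laptop-01 severity=info"
SAMPLE_NAK = "process_type=dhcpd dhcp_type=DHCPNAK src_ip=10.0.0.23 src_mac=aa:bb:cc:dd:ee:01 src_host=laptop-01 severity=warn"


def parse_kv(line: str) -> dict:
    """Split a normalized key=value body into a dict; quoted values are unquoted."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields


def to_udm(fields: dict) -> dict:
    """Return the UDM fields the table populates for a dhcpd record."""
    udm = {"metadata.log_type": "SOPHOS_DHCP", "metadata.product_name": "SOPHOS_DHCP",
           "metadata.vendor_name": "SOPHOS", "metadata.event_type": "GENERIC_EVENT"}
    if fields.get("severity") in SEVERITY:
        udm["security_result.severity"] = SEVERITY[fields["severity"]]
    if fields.get("process_type") != "dhcpd":
        return udm  # the non-dhcpd rows of the table are not modelled here
    udm["metadata.event_type"] = "NETWORK_DHCP"
    udm["network.application_protocol"] = "DHCP"
    dhcp_type = fields.get("dhcp_type")
    if dhcp_type not in DHCP_TYPES:
        return udm  # unknown message type: no network.dhcp.* fields are set
    udm["network.dhcp.type"] = DHCP_TYPES[dhcp_type]
    udm["network.dhcp.opcode"] = "BOOTREQUEST" if dhcp_type == "DHCPREQUEST" else "BOOTREPLY"
    ip, mac, host = fields.get("src_ip"), fields.get("src_mac"), fields.get("src_host")
    if ip:
        udm["principal.ip"] = ip
        # A request carries the client's own address (ciaddr); replies carry the assigned one (yiaddr)
        udm["network.dhcp.ciaddr" if dhcp_type == "DHCPREQUEST" else "network.dhcp.yiaddr"] = ip
        if dhcp_type != "DHCPNAK":
            udm["observer.ip"] = ip
    if mac:
        udm["principal.mac"] = udm["network.dhcp.chaddr"] = mac
    if host and dhcp_type != "DHCPNAK":
        udm["principal.hostname"] = host
        target = "observer.hostname" if dhcp_type == "DHCPREQUEST" else "network.dhcp.client_hostname"
        udm[target] = host
    return udm
```

Run `to_udm(parse_kv(SAMPLE_NAK))` to see that a NAK sets yiaddr and opcode BOOTREPLY but no observer or hostname fields, matching the table.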

