Collect Nokia VitalQIP DDI logs

This document explains how to ingest Nokia VitalQIP DDI logs to Google Security Operations using Bindplane.

Nokia VitalQIP (now owned by Cygna Labs) is an enterprise-grade DDI solution providing centralized management of DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management). VitalQIP delivers carrier-grade IP address management with scalable, secure DNS/DHCP services designed for large enterprises, telecom providers, and service providers requiring high-performance, on-premises, and hybrid cloud DDI solutions.

Before you begin

  • Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or a Linux host with systemd
    • Network connectivity between the Bindplane agent and VitalQIP Appliance Management Software (AMS)
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Administrative access to the VitalQIP Appliance Management Software (AMS) web interface
    • VitalQIP Appliance Manager version 1.7 or later (for multiple syslog server support)
    • At least one VitalQIP appliance (AMS, ESM, or AMM) configured in your environment

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

     sc query observiq-otel-collector 
    

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

      sudo systemctl status observiq-otel-collector


    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

      sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

      notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"


Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

      receivers:
        udplog:
          listen_address: "0.0.0.0:514"

      exporters:
        chronicle/vitalqip:
          compression: gzip
          creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
          customer_id: 'YOUR_CUSTOMER_ID'
          endpoint: malachiteingestion-pa.googleapis.com
          log_type: VITALQIP
          raw_log_field: body
          ingestion_labels:
            env: production
            source: vitalqip

      service:
        pipelines:
          logs/vitalqip_to_chronicle:
            receivers:
              - udplog
            exporters:
              - chronicle/vitalqip


Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address : Set to 0.0.0.0:514 to listen on all interfaces on UDP port 514
      • For Linux systems running as non-root, use port 1514 or higher
      • Adjust the port number if your environment requires a different port
  • Exporter configuration:

    • creds_file_path : Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id : Replace YOUR_CUSTOMER_ID with the customer ID from the previous step
    • endpoint : Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for the complete list
    • log_type : Set to VITALQIP (exact match for Chronicle parser)
    • ingestion_labels : Optional labels for filtering and organization

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

  1. Run the following command:

      sudo systemctl restart observiq-otel-collector

  2. Verify the service is running:

      sudo systemctl status observiq-otel-collector

  3. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f


To restart the Bindplane agent in Windows:

  1. Choose one of the following options:

    • Command Prompt or PowerShell as administrator:
     net stop observiq-otel-collector && net start observiq-otel-collector 
    
    • Services console:
      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.
  2. Verify the service is running:

     sc query observiq-otel-collector 
    
  3. Check logs for errors:

      type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"


Configure VitalQIP syslog forwarding

VitalQIP Appliance Manager (AM) version 1.7 and later supports configuring up to 10 remote syslog servers per appliance through the AMS web interface.

  1. Open a web browser and navigate to your VitalQIP AMS web interface URL:

    • For non-secure connection: http://<AMS_HOSTNAME>:<PORT>/qip
    • For secure connection: https://<AMS_HOSTNAME>:<PORT>/qip
  2. Enter your VitalQIP administrator credentials and click Login.

Configure remote syslog server for appliances

  1. In the VitalQIP AMS web interface, expand the Appliances section in the left navigation panel.
  2. Select the appliance you want to configure for syslog forwarding (AMS, ESM, or AMM appliance).
  3. Navigate to the appliance configuration settings.
  4. Locate the Remote Logging or Syslog Configuration section.
  5. Click Add to add a new remote syslog server.
  6. Configure the following syslog server parameters:
    • Server Name: Enter a descriptive name (for example, Chronicle-Bindplane )
    • IP Address: Enter the IP address of the Bindplane agent host
    • Port: Enter 514 (or the port configured in your Bindplane agent)
    • Protocol: Select UDP
    • Facility: Select local0 through local7 (or as required by your organization)
    • Severity Level: Select Info or Debug to capture all relevant log events
  7. Click Save or Apply to save the syslog server configuration.
  8. Deploy the configuration to the appliance:
    1. Navigate to the appliance deployment section.
    2. Select the configuration changes.
    3. Click Deploy to push the syslog configuration to the appliance.
  9. Repeat steps 2-8 for each VitalQIP appliance (ESM, AMM) that you want to forward logs from.

Verify syslog forwarding

  1. Generate test activity in VitalQIP:
    • Perform a DNS query
    • Allocate or release a DHCP lease
    • Make an administrative change in the VitalQIP GUI
  2. Check the Bindplane agent logs to verify log reception:
    • Linux: sudo journalctl -u observiq-otel-collector -f
    • Windows: type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
  3. Sign in to the Google SecOps console and verify that VitalQIP logs are appearing in the log search.

Additional configuration notes

  • VitalQIP logs include DNS query logs, DHCP lease events, IP address management actions, and audit trails for administrator activities.
  • VitalQIP supports syslog format compliant with RFC 3164 (BSD syslog).
  • For high-volume environments, consider configuring multiple Bindplane agents with load balancing.
  • VitalQIP appliances can be configured to send logs to multiple remote syslog servers simultaneously (up to 10 servers per appliance in AM 1.7+).
  • Ensure network connectivity and firewall rules allow UDP port 514 (or your configured port) from VitalQIP appliances to the Bindplane agent host.
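The verification steps above and the RFC 3164 note can be exercised without waiting for appliance traffic. This is an added example, not part of the Google SecOps page or Bindplane: it builds a BSD-syslog line with the facility and severity chosen in step 6 (local0, Info gives PRI 134), checks that a UDP datagram round-trips through a loopback listener, and can then be pointed at the listen_address from config.yaml. The hostname, tag and message text are constructed, not real VitalQIP output.

```python
import socket
import time

# Facility and severity codes from RFC 3164 section 4.1.1; PRI = facility * 8 + severity.
FACILITY = {f"local{i}": 16 + i for i in range(8)}
SEVERITY = {"info": 6, "debug": 7}


def rfc3164_timestamp(t=None):
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    t = t or time.localtime()
    return time.strftime("%b ", t) + f"{t.tm_mday:2d}" + time.strftime(" %H:%M:%S", t)


def build_rfc3164(facility, severity, hostname, tag, msg, ts=None):
    """Assemble one BSD-syslog line: <PRI>TIMESTAMP HOSTNAME TAG: MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return f"<{pri}>{ts or rfc3164_timestamp()} {hostname} {tag}: {msg}"


def parse_pri(line):
    """Decode the leading <PRI> field back into (facility_code, severity_code)."""
    pri = int(line[1:line.index(">")])
    return pri // 8, pri % 8


def send_udp(line, host, port):
    """Send the line as a single UDP datagram, the transport selected in step 6 above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def loopback_roundtrip(line):
    """Bind a throwaway UDP listener on 127.0.0.1, send the line to it, return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port, no root needed
        listener.settimeout(2)
        send_udp(line, "127.0.0.1", listener.getsockname()[1])
        data, _ = listener.recvfrom(4096)
        return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample resembling a dhcpd lease event from an AMS appliance (not real output).
    line = build_rfc3164("local0", "info", "vitalqip-ams01", "dhcpd",
                         "DHCPACK on 10.0.5.42 to 00:11:22:33:44:55")
    print(loopback_roundtrip(line))
    # To exercise the real path, target the listen_address from config.yaml instead:
    # send_udp(line, "BINDPLANE_HOST", 514)
```

After sending to the real agent, the line should appear in journalctl or collector.log as in step 2 of the verification section; if it does not, the UDP port and firewall rule in the last note above are the first things to check.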

UDM mapping table

Log Field | UDM Mapping | Logic
tty | additional.fields | Merged with labels for terminal (tty), pwd, and subnet
pwd | additional.fields | Merged with labels for terminal (tty), pwd, and subnet
subnet | additional.fields | Merged with labels for terminal (tty), pwd, and subnet
dhcp_client_ip | dhcp.ciaddr | Set for Delete Lease or Auto Release
req_addr | dhcp.requested_address | Value copied directly
dhcp.type | dhcp.type | Set to "RELEASE" for Delete Lease or Auto Release, "ACK" for RenewLease or GrantLease
dhcp_client_ip | dhcp.yiaddr | Renamed for RenewLease or GrantLease
log_msg | metadata.description | Value copied directly
event_type | metadata.event_type | Set to event_type if not empty, else "GENERIC_EVENT"
log_source | network.application_protocol | Set to "DNS" for named log_source, "DHCP" for dhcpd
dhcp_domain | principal.administrative_domain | Value copied directly
log_source | principal.application | Set if log_source does not contain / or sudo
dns_server | principal.ip | Value copied directly
log_source | principal.process.command_line | Set to log_source if it contains / or sudo, else to cmd
cmd | principal.process.command_line | Set to log_source if it contains / or sudo, else to cmd
pid | principal.process.pid | Value copied directly
user | principal.user.userid | Value copied directly
questions_name | questions.name | Value copied directly
QTYPE | questions.type | Converted to uinteger
client_id | target.asset_id | Set to "id: " + client_id
dhcp_client_hostname | target.hostname | Value copied directly
client_ip_address | target.ip | Merged from client_ip_address (DNS) or dhcp_client_ip (DHCP)
dhcp_client_ip | target.ip | Merged from client_ip_address (DNS) or dhcp_client_ip (DHCP)
client_mac | target.mac | Value copied directly (after formatting)
client_port | target.port | Converted to integer
metadata.product_name | metadata.product_name | Set to "VITALQIP"
metadata.vendor_name | metadata.vendor_name | Set to "NOKIA"
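The conditional rules in the table (lease events selecting RELEASE/ciaddr or ACK/yiaddr, log_source deciding between application and command_line, the "id: " prefix on asset_id, the DNS-or-DHCP source for target.ip) are easiest to reason about as code. This added example is not the Chronicle parser and covers only a subset of the rows; it takes a dict of already-extracted fields named as in the table and assumes a field "action" carrying the lease event name, which the table does not name.

```python
RELEASE_ACTIONS = {"Delete Lease", "Auto Release"}
ACK_ACTIONS = {"RenewLease", "GrantLease"}


def map_vitalqip_to_udm(f):
    """Translate a dict of already-extracted VitalQIP fields into a nested UDM-style dict.

    Field names are those of the mapping table; "action" is an assumed field holding the
    lease event name (e.g. "GrantLease"). Fields missing from the input are not emitted."""
    udm = {"metadata": {"product_name": "VITALQIP", "vendor_name": "NOKIA",
                        "event_type": f.get("event_type") or "GENERIC_EVENT"}}
    if f.get("log_msg"):
        udm["metadata"]["description"] = f["log_msg"]
    src = f.get("log_source", "")
    proto = {"named": "DNS", "dhcpd": "DHCP"}.get(src)
    if proto:
        udm["network"] = {"application_protocol": proto}
    principal = {}
    if "/" in src or "sudo" in src:
        # A path or sudo invocation is treated as a command line, not an application name.
        principal["process"] = {"command_line": src}
    else:
        if src:
            principal["application"] = src
        if f.get("cmd"):
            principal["process"] = {"command_line": f["cmd"]}
    if f.get("user"):
        principal["user"] = {"userid": f["user"]}
    if principal:
        udm["principal"] = principal
    target = {}
    if f.get("client_id"):
        target["asset_id"] = "id: " + f["client_id"]
    if f.get("dhcp_client_hostname"):
        target["hostname"] = f["dhcp_client_hostname"]
    ip = f.get("client_ip_address") or f.get("dhcp_client_ip")  # DNS field first, then DHCP
    if ip:
        target["ip"] = ip
    if f.get("client_port"):
        target["port"] = int(f["client_port"])
    if target:
        udm["target"] = target
    action = f.get("action", "")
    if action in RELEASE_ACTIONS:
        udm["dhcp"] = {"type": "RELEASE", "ciaddr": f.get("dhcp_client_ip")}
    elif action in ACK_ACTIONS:
        udm["dhcp"] = {"type": "ACK", "yiaddr": f.get("dhcp_client_ip")}
    return udm
```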
