Console
    Contact Us Start free

    Collect Akeyless Vault logs

    Supported in:

    This document explains how to ingest Akeyless Vault logs to Google Security Operations using direct ingestion or Bindplane. The parser first normalizes the log messages, which can be in either key-value or JSON format, into a consistent structure. Then, it extracts relevant fields and maps them to the Unified Data Model (UDM) schema, categorizing the event type based on the presence of IP addresses and actions performed.

    Before you begin

    Make sure you have the following prerequisites:

    • Google SecOps instance
    • Privileged access to Akeyless Vault

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Configure log forwarding for direct ingestion to Google SecOps in Akeyless Vault

    1. Sign in to your Akeyless Gatewayweb UI.
    2. Go to Log Forwarding.
    3. Select Enable.
    4. Provide the following configuration details:
      • Log Format: Select JSON.
      • Audit Log Server: Enter https://audit.akeyless.io/ .
      • Service: Select Google Chronicle.
      • Service Account Key: Provide the JSON file holding service account credentials.
      • Customer ID: Enter your Google SecOps unique identifier.
      • Region: Enter the region where your Google SecOps is provisioned.
      • Log Type: Enter AKEYLESS_VAULT.
    5. Click Save Changes.

    Optional: Ingest Syslog through Bindplane

    Windows Bindplane installation

    1. Open the Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    Linux Bindplane installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    Additional installation resources

    For additional installation options, consult the installation guide .

    Configure the Bindplane agent to ingest Syslog and send to Google SecOps

    1. Access the configuration file:
      • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
      • Open the file using a text editor (for example, nano , vi , or Notepad).

    2. Edit the config.yaml file as follows:

        receivers 
 : 
  
 udplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< customer_id 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 ingestion_labels 
 : 
  
 log_type 
 : 
  
 'AKEYLESS_VAULT' 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels

    3. Replace the port and IP address as required in your infrastructure.

    4. Replace <customer_id> with the actual customer ID.

    5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

    Restart the Bindlane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
bindplane-agent

    • To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:

       net stop BindPlaneAgent && net start BindPlaneAgent

    Configure Syslog forwarding to Bindplane in Akeyless Vault

    1. Sign in to your Akeyless Gatewayweb UI.
    2. Go to Log Forwarding.
    3. Select Enable.
    4. Provide the following configuration details:
      • Log Format: Select JSON.
      • Audit Log Server: Enter https://audit.akeyless.io/ .
      • Service: Select Syslog.
      • Syslog Network: Select UDP. (You can select another option, depending on your Bindplane agent configuration).
      • Syslog Host: Enter the Bindplane agent IP address.
      • Syslog Formatter: Select Text.
      • ( Optional) TLS: Select the TLScheckbox and upload the TLS Certificate.
    5. Click Save Changes.

    UDM mapping table

    Log Field UDM Mapping Logic
    access_id
    		 read_only_udm.metadata.product_log_id Directly mapped from access_id field. If not present, extracted from the message field using the regex access_id:\s+(?<accessid>[\w-]+) .
    account_id
    		 read_only_udm.target.user.userid Directly mapped from account_id field.
    action
    		 read_only_udm.security_result.action_details Directly mapped from action field.
    component
    		 read_only_udm.target.resource.name Directly mapped from component field.
    duration
    		 read_only_udm.network.session_duration.seconds Directly mapped from duration field and converted to integer.
    remote_addr
    		 read_only_udm.principal.ip Extracted from remote_addr field, split by comma and added to the principal.ip array.
    request_parameters.access_type
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'access_type') Directly mapped from request_parameters.access_type field. If not present, extracted from the message field using the regex access_type:\s+(?<accesstype>[\S]+) .
    request_parameters.comment
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'comment') Directly mapped from request_parameters.comment field.
    request_parameters.operation
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'operation') Directly mapped from request_parameters.operation field.
    request_parameters.product
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'product') Directly mapped from request_parameters.product field. If not present, extracted from the message field using the regex product:\s+(?<product>[\w\s]+) .
    request_parameters.token_id
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'token_id') Directly mapped from request_parameters.token_id field.
    request_parameters.transaction_type
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'transaction_type') Directly mapped from request_parameters.transaction_type field and converted to string. If not present, extracted from the message field using the regex transaction_type:\s+(?<transactiontype>[\S]+) .
    request_parameters.unique_id
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'unique_id') Directly mapped from request_parameters.unique_id field. If not present, extracted from the message field using the regex unique_id:\s+(?<uniqueid>[\w-]+) .
    request_parameters.universal_identity_rotate_type
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'universal_identity_rotate_type') Directly mapped from request_parameters.universal_identity_rotate_type field.
    request_parameters.user_agent
    		 read_only_udm.target.resource.attribute.labels.value (where key is 'user_agent') Directly mapped from request_parameters.user_agent field.
    severity
    		 Directly mapped from severity field.
    status
    		 read_only_udm.network.http.response_code Directly mapped from status field and converted to integer.
    timestamp
    		 read_only_udm.metadata.event_timestamp Directly mapped from the log entry timestamp field.
    		read_only_udm.metadata.log_type Hardcoded to AKEYLESS_VAULT .
    		read_only_udm.metadata.event_type Set to STATUS_UPDATE if ip_present is true, otherwise defaults to GENERIC_EVENT .
    		read_only_udm.metadata.vendor_name Extracted from the message field using the regex CEF:0|%{DATA:device_vendor}|%{DATA:device_product}|%{DATA:device_version}|%{DATA:device_event_class_id}\s+%{WORD}\[%{INT}\]:\s+%{GREEDYDATA:kv_data} .
    		read_only_udm.metadata.product_name Extracted from the message field using the regex CEF:0|%{DATA:device_vendor}|%{DATA:device_product}|%{DATA:device_version}|%{DATA:device_event_class_id}\s+%{WORD}\[%{INT}\]:\s+%{GREEDYDATA:kv_data} .
    		read_only_udm.metadata.product_version Extracted from the message field using the regex CEF:0|%{DATA:device_vendor}|%{DATA:device_product}|%{DATA:device_version}|%{DATA:device_event_class_id}\s+%{WORD}\[%{INT}\]:\s+%{GREEDYDATA:kv_data} .
    		read_only_udm.metadata.product_event_type Extracted from the message field using the regex <%{INT}>%{TIMESTAMP_ISO8601:time}\s+%{DATA}\s+(?P<product_event_type>[\w-]+)\[%{INT}\]:\s+(?P<time2>\d{1,2}-%{MONTH}-\d{1,4}\s+\d{1,2}:\d{1,2}:\d{1,2}.\d+)\s+%{WORD}\s+%{WORD:severity}\s+CEF:0|%{DATA:device_vendor}|%{DATA:device_product}|%{DATA:device_version}|%{DATA:device_event_class_id}\s+%{WORD}\[%{INT}\]:\s+%{GREEDYDATA:kv_data} .
    		read_only_udm.target.namespace Extracted from the message field using the regex namespace:\s+(?<namespace>[\S]+) .
    		read_only_udm.security_result.severity Mapped from severity field: Info to INFORMATIONAL , Error to ERROR , Warning to MEDIUM , otherwise UNKNOWN_SEVERITY .
    		read_only_udm.network.http.method Mapped from action field: get to GET , put and Authentication to PUT , post to POST , delete to DELETE .

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: