Console
    Start free

    Collect ArcSight CEF logs

    Supported in:

    This document explains how to ingest ArcSight CEF logs to Google Security Operations using Bindplane agent.

    ArcSight (now part of OpenText) uses the Common Event Format (CEF) for normalizing security events from multiple sources. The ArcSight SmartConnector collects events and forwards them in CEF format via syslog to downstream consumers including SIEM platforms.

    Before you begin

    Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and the ArcSight SmartConnector host
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Access to the OpenText support portal to download SmartConnector
    • Administrative access to the SmartConnector server

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    4. Save the file securely on the system where the Bindplane agent will be installed.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.

    3. Copy and save the Customer IDfrom the Organization Detailssection.

    Install the Bindplane agent

    Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

    Windows installation

    1. Open Command Promptor PowerShellas an administrator.

    2. Run the following command:

        msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sc query observiq-otel-collector

      The service should show as RUNNING.

    Linux installation

    1. Open a terminal with root or sudo privileges.

    2. Run the following command:

       sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

    3. Wait for the installation to complete.

    4. Verify the installation by running:

       sudo  
systemctl  
status  
observiq-otel-collector

      The service should show as active (running).

    Additional installation resources

    For additional installation options and troubleshooting, see Bindplane agent installation guide .

    Configure Bindplane agent to ingest syslog and send to Google SecOps

    Locate the configuration file

    • Linux:

       sudo  
nano  
/etc/bindplane-agent/config.yaml

    • Windows:

       notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

    Edit the configuration file

    • Replace the entire contents of config.yaml with the following configuration:

        receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/arcsight_cef 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 ARCSIGHT_CEF 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/arcsight_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/arcsight_cef

    Configuration parameters

    Replace the following placeholders:

    • Receiver configuration:

      • listen_address : IP address and port to listen on:
        • 0.0.0.0 to listen on all interfaces (recommended)
        • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

    • Exporter configuration:

      • creds_file_path : Full path to ingestion authentication file:
        • Linux: /etc/bindplane-agent/ingestion-auth.json
        • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
      • customer_id : Customer ID copied from the Google SecOps console
      • endpoint : Regional endpoint URL:
        • US: malachiteingestion-pa.googleapis.com
        • Europe: europe-malachiteingestion-pa.googleapis.com
        • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
        • See Regional Endpoints for complete list

    Save the configuration file

    • After editing, save the file:
      • Linux: Press Ctrl+O , then Enter , then Ctrl+X
      • Windows: Click File > Save

    Restart the Bindplane agent to apply the changes

    • To restart the Bindplane agent in Linux, run the following command:

       sudo  
systemctl  
restart  
observiq-otel-collector

      1. Verify the service is running:

         sudo  
systemctl  
status  
observiq-otel-collector

      2. Check logs for errors:

         sudo  
journalctl  
-u  
observiq-otel-collector  
-f

    • To restart the Bindplane agent in Windows, choose one of the following options:

      • Command Prompt or PowerShell as administrator:

         net stop observiq-otel-collector && net start observiq-otel-collector

      • Services console:

        1. Press Win+R , type services.msc , and press Enter.
        2. Locate observIQ OpenTelemetry Collector.
        3. Right-click and select Restart.

        4. Verify the service is running:

           sc query observiq-otel-collector

        5. Check logs for errors:

            type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

    Download ArcSight SmartConnector

    1. Sign in to the OpenText support portal.
    2. Find and download the latest ArcSight SmartConnector for Linux.
    3. Example filename: ArcSight-Connector-Linux64-8.4.0.8499.0.bin .

    Install the ArcSight SmartConnector

    1. Upload the .bin file to the SmartConnector server:

       scp  
ArcSight-Connector-Linux64-8.4.0.8499.0.bin  
user@your-smartconnector-host:/tmp

    2. Sign in to the SmartConnectorserver using SSH and run:

        cd 
  
/tmp
chmod  
+x  
ArcSight-Connector-Linux64-8.4.0.8499.0.bin
./ArcSight-Connector-Linux64-8.4.0.8499.0.bin

    3. Follow the interactive installer:

      • Select installation directory (for example, /opt/arcsight/connectors/current ).
      • Accept the license.
      • Select Install connectorwhen prompted.

    Configure ArcSight SmartConnector to send CEF to syslog

    1. In the SmartConnector host, launch the destination wizard:

        cd 
  
/opt/arcsight/connectors/current/bin
./arcsight  
connectors

    2. In the wizard, do the following:

      • Select Add Destination.
      • Select CEF Syslog.

    3. Provide the following configuration details:

      • Host/IP: Enter the Bindplane agent IP address.
      • Port: Enter the Bindplane agent port number (for example, 514 ).
      • Protocol: Select UDP.

    4. Finish the setup and restart the connector:

       ./arcsight  
agents

    5. Run a check for connectivity (look for: Successfully connected to syslog: X.X.X.X:514 ):

       tail  
-f  
/opt/arcsight/connectors/current/logs/agent.log

    UDM mapping table

    Log field UDM mapping Logic
    act
    		 security_result.action_details Directly mapped from the act field.
    agt
    		 principal.ip Directly mapped from the agt field.
    agt
    		 principal.asset.ip Directly mapped from the agt field.
    app
    		 network.application_protocol Directly mapped from the app field.
    art
    		 metadata.event_timestamp.seconds Directly mapped from the art field.
    cs2
    		 additional.fields.value.string_value Directly mapped from the cs2 field when cs2Label is EventlogCategory .
    cs2Label
    		 additional.fields.key Directly mapped from the cs2Label field when its value is EventlogCategory .
    cs3
    		 additional.fields.value.string_value Directly mapped from the cs3 field when cs3Label is Process ID .
    cs3Label
    		 additional.fields.key Directly mapped from the cs3Label field when its value is Process ID .
    cs5
    		 additional.fields.value.string_value Directly mapped from the cs5 field when cs5Label is Authentication Package Name .
    cs5Label
    		 additional.fields.key Directly mapped from the cs5Label field when its value is Authentication Package Name .
    cs6
    		 additional.fields.value.string_value Directly mapped from the cs6 field when cs6Label is Logon GUID .
    cs6Label
    		 additional.fields.key Directly mapped from the cs6Label field when its value is Logon GUID .
    dhost
    		 about.hostname Directly mapped from the dhost field.
    dhost
    		 target.hostname Directly mapped from the dhost field.
    dntdom
    		 about.administrative_domain Directly mapped from the dntdom field.
    dntdom
    		 target.administrative_domain Directly mapped from the dntdom field.
    dproc
    		 about.process.command_line Directly mapped from the dproc field.
    dproc
    		 target.process.command_line Directly mapped from the dproc field.
    dst
    		 principal.ip Directly mapped from the dst field.
    dst
    		 principal.asset.ip Directly mapped from the dst field.
    dst
    		 target.ip Directly mapped from the dst field.
    duid
    		 target.user.userid Directly mapped from the duid field.
    duser
    		 target.user.user_display_name Directly mapped from the duser field.
    dvc
    		 about.ip Directly mapped from the dvc field.
    dvchost
    		 about.hostname Directly mapped from the dvchost field.
    eventId
    		 additional.fields.value.string_value Directly mapped from the eventId field.
    externalId
    		 metadata.product_log_id Directly mapped from the externalId field.
    fname
    		 additional.fields.value.string_value Directly mapped from the fname field.
    msg
    		 metadata.description Directly mapped from the msg field.
    proto
    		 network.ip_protocol Directly mapped from the proto field. Translates protocol names to their respective constants (e.g., tcp to TCP ).
    rt
    		 metadata.event_timestamp.seconds Directly mapped from the rt field.
    shost
    		 about.hostname Directly mapped from the shost field.
    shost
    		 principal.hostname Directly mapped from the shost field.
    src
    		 principal.ip Directly mapped from the src field.
    src
    		 principal.asset.ip Directly mapped from the src field.
    src
    		 target.ip Directly mapped from the src field.
    sproc
    		 principal.process.command_line Directly mapped from the sproc field.
    spt
    		 principal.port Directly mapped from the spt field.
    spt
    		 target.port Directly mapped from the spt field.
    additional.EventRecordID
    		 additional.fields.value.string_value Directly mapped from the ad.EventRecordID field.
    additional.ThreadID
    		 additional.fields.value.string_value Directly mapped from the ad.ThreadID field.
    additional.Opcode
    		 additional.fields.value.string_value Directly mapped from the ad.Opcode field.
    additional.ProcessID
    		 additional.fields.value.string_value Directly mapped from the ad.ProcessID field.
    additional.TargetDomainName
    		 additional.fields.value.string_value Directly mapped from the ad.TargetDomainName field.
    additional.Version
    		 additional.fields.value.string_value Directly mapped from the ad.Version field.
    deviceExternalId
    		 about.asset.hardware.serial_number Directly mapped from the deviceExternalId field.
    deviceInboundInterface
    		 additional.fields.value.string_value Directly mapped from the deviceInboundInterface field.
    deviceOutboundInterface
    		 additional.fields.value.string_value Directly mapped from the deviceOutboundInterface field.
    PanOSConfigVersion
    		 security_result.detection_fields.value Directly mapped from the PanOSConfigVersion field.
    PanOSContentVersion
    		 security_result.detection_fields.value Directly mapped from the PanOSContentVersion field.
    PanOSDGHierarchyLevel1
    		 security_result.detection_fields.value Directly mapped from the PanOSDGHierarchyLevel1 field.
    PanOSDestinationLocation
    		 target.location.country_or_region Directly mapped from the PanOSDestinationLocation field.
    PanOSRuleUUID
    		 metadata.product_log_id Directly mapped from the PanOSRuleUUID field.
    PanOSThreatCategory
    		 security_result.category_details Directly mapped from the PanOSThreatCategory field.
    PanOSThreatID
    		 security_result.threat_id Directly mapped from the PanOSThreatID field.
    		about.asset.asset_id Generated by concatenating Palo Alto Networks. , the vendor name ( LF ), and the deviceExternalId field.
    		extensions.auth.type Set to AUTHTYPE_UNSPECIFIED if the event_name field contains logged on .
    		metadata.description If the description field contains by followed by an IP address, the IP address is extracted and mapped to principal.ip and principal.asset.ip .
    		metadata.event_type Determined based on a series of conditional checks on various fields, including event_name , principal_* , target_* , and device_event_class_id . The logic determines the most appropriate event type based on the available information.
    		metadata.log_type Set to ARCSIGHT_CEF .
    		metadata.product_event_type Generated by concatenating \[ , the device_event_class_id field, \] - , and the name field.
    		metadata.product_name Set to NGFW if the product_name field is LF .
    		principal.asset.ip If the description field contains by followed by an IP address, the IP address is extracted and mapped to principal.ip and principal.asset.ip .
    		principal.ip If the description field contains by followed by an IP address, the IP address is extracted and mapped to principal.ip and principal.asset.ip .
    		security_result.action Set to ALLOW if the act field is alert , otherwise set to BLOCK .
    		security_result.severity Set to HIGH if the sev field is greater than or equal to 7, otherwise set to LOW .

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: