Collect BeyondTrust Remote Support logs

This parser handles syslog messages from BeyondTrust Remote Support, transforming them into UDM format. It processes both CEF and non-CEF formatted logs, extracting fields, performing data transformations, and mapping them to the appropriate UDM fields, including principal, target, and security result details.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer IDfrom the Organization Detailssection.

Install Bindplane Agent

1. For Windows installation, run the following script:
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
2. For Linux installation, run the following script:
   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
3. Additional installation options can be found in this installation guide .

Configure Bindplane Agent to ingest Syslog and send to Google SecOps

1. Access the machine where Bindplane is installed.

2. Edit the config.yaml file as follows:

    receivers:
       tcplog:
           # Replace the below port <54525> and IP <0.0.0.0> with your specific values
           listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: BeyondTrust_Remote_Support
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels 
   

3. Restart the Bindplane Agent to apply the changes:

    sudo  
   systemctl  
   restart  
   bindplane 
   

Configure Syslog export from BeyondTrust Remote Support

1. Sign in to your BeyondTrust Remote Support.
2. Go to Security > Appliance Administration.
3. Go to the Syslogsection and set the following values:
   • Remote Syslog Server: enter the hostname or IP address of the syslog host server (Bindplane). In this field, you can add up to three syslog servers.
   • Message format: select RFC 5424.
   • Port: enter the port of the syslog host server (Bindplane).
4. Click Submit.

UDM Mapping

Need more help? Get answers from Community members and Google SecOps professionals.