Collect Dell ECS logs

This parser extracts fields from DELL ECS syslog messages, mapping them to the UDM. It handles UPDATE and DELETE event types specifically, extracting user and IP information for login/logout events. Other events are categorized as GENERIC_EVENT . It uses grok patterns to parse the message and mutate filters to populate UDM fields, dropping events that don't match the expected format.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd .
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to Dell ECS.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane Agent will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer IDfrom the Organization Detailssection.

Install Bindplane Agent

Windows Installation

1. Open the Command Promptor PowerShellas an administrator.

2. Run the following command:

     msiexec 
     
    / 
    i 
     
    "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
     
    / 
    quiet 
    
   

Linux Installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

    sudo  
   sh  
   -c  
    " 
    $( 
   curl  
   -fsSlL  
   https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
    " 
     
   install_unix.sh 
   

Additional Installation Resources

• For additional installation options, consult this installation guide .

Configure Bindplane Agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   • Open the file using a text editor (for example, nano , vi , or Notepad).

2. Edit the config.yaml file as follows:

     receivers 
    : 
     
    tcplog 
    : 
     
    # Replace the below port <54525> and IP <0.0.0.0> with your specific values 
     
    listen_address 
    : 
     
    "0.0.0.0:54525" 
     
    exporters 
    : 
     
    chronicle/chronicle_w_labels 
    : 
     
    compression 
    : 
     
    gzip 
     
    # Adjust the creds location below according the placement of the credentials file you downloaded 
     
    creds 
    : 
     
    '{ 
     
    json 
     
    file 
     
    for 
     
    creds 
     
    }' 
     
    # Replace <customer_id> below with your actual ID that you copied 
     
    customer_id 
    : 
     
   < customer_id 
   >  
    endpoint 
    : 
     
    malachiteingestion-pa.googleapis.com 
     
    # You can apply ingestion labels below as preferred 
     
    ingestion_labels 
    : 
     
    log_type 
    : 
     
    SYSLOG 
     
    namespace 
    : 
     
    dell_ecs 
     
    raw_log_field 
    : 
     
    body 
    service 
    : 
     
    pipelines 
    : 
     
    logs/source0__chronicle_w_labels-0 
    : 
     
    receivers 
    : 
     
    - 
     
    tcplog 
     
    exporters 
    : 
     
    - 
     
    chronicle/chronicle_w_labels 
    
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart Bindplane Agent to apply the changes

• In Linux, to restart the Bindplane Agent, run the following command:

   sudo  
  systemctl  
  restart  
  bindplane-agent 
  

• In Windows, to restart the Bindplane Agent, you can either use the Servicesconsole or enter the following command:

   net stop BindPlaneAgent && net start BindPlaneAgent 
  

Configure Dell ECS to Forward Logs to the Syslog Server

1. Sign in to the ECS management portal using administrative credentials.
2. Go to Settings > Event Notifications > Syslog.
3. Click New Server.
4. Provide the following details:
   • Protocol: select either UDPor TCP(ensure it matches the protocol configured on the Syslog server).
   • Target: enter the IP addressor Fully Qualified Domain Name(FQDN) of the Syslog server.
   • Port: enter the port number.
   • Severity: select Informationalas the minimum severity level of logs to be forwarded.
5. Click Save.

UDM Mapping Table

Log Field	UDM Mapping	Logic
data	read_only_udm.metadata.description	If eventTypeis UPDATE, the description is extracted from the datafield using a regular expression. If eventTypeis DELETE, the description is extracted from the datafield using a regular expression and further processed to extract the user ID.
data	read_only_udm.principal.ip	If eventTypeis UPDATE, the IP address is extracted from the datafield using a regular expression.
data	read_only_udm.target.resource.product_object_id	If eventTypeis DELETE, the URN token is extracted from the datafield using a regular expression.
data	read_only_udm.target.user.userid	If eventTypeis UPDATE, the user ID is extracted from the datafield using a regular expression. If eventTypeis DELETE, the user ID is extracted from the description field after initial processing of the datafield.
eventType	read_only_udm.metadata.event_type	If eventTypeis UPDATEand a useridis extracted, the event type is set to USER_LOGIN. If eventTypeis DELETEand a useridis extracted, the event type is set to USER_LOGOUT. Otherwise, the event type is set to GENERIC_EVENT.
eventType	read_only_udm.metadata.product_event_type	The value is derived by concatenating the serviceTypeand eventTypefields from the raw log, enclosed in square brackets and separated by " - ".
hostname	read_only_udm.principal.asset.hostname	The hostname is copied from the hostnamefield.
hostname	read_only_udm.principal.hostname	The hostname is copied from the hostnamefield.
log_type	read_only_udm.metadata.log_type	The log type is set to DELL_ECS. The mechanism is hardcoded to MECHANISM_UNSPECIFIED. The event timestamp is copied from the timestampfield of the raw log entry. The product name is hardcoded to ECS. The vendor name is hardcoded to DELL. If eventTypeis DELETE, the resource type is hardcoded to CREDENTIAL.
timestamp	read_only_udm.metadata.event_timestamp	The event timestamp is taken from the timestampfield of the raw log entry.
timestamp	timestamp	The timestamp is parsed from the timestampfield of the raw log entry.

Need more help? Get answers from Community members and Google SecOps professionals.