Configure the Bindplane agent to ingest Syslog and send to Google SecOps
Access the configuration file:
Locate theconfig.yamlfile. Typically, it's in the/etc/bindplane-agent/directory on Linux or in the installation directory on Windows.
Open the file using a text editor (for example,nano,vi, or Notepad).
Edit theconfig.yamlfile as follows:
receivers:udplog:# Replace the port and IP address as requiredlisten_address:"0.0.0.0:514"exporters:chronicle/chronicle_w_labels:compression:gzip# Adjust the path to the credentials file you downloaded in Step 1creds:'/path/to/ingestion-authentication-file.json'# Replace with your actual customer ID from Step 2customer_id:<customer_id>endpoint:malachiteingestion-pa.googleapis.com# Add optional ingestion labels for better organizationingestion_labels:log_type:FORTINET_FORTIAUTHENTICATORraw_log_field:bodyservice:pipelines:logs/source0__chronicle_w_labels-0:receivers:-udplogexporters:-chronicle/chronicle_w_labels
Replace the port and IP address as required in your infrastructure.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Collect Fortinet FortiAuthenticator logs\n========================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest Fortinet FortiAuthenticator logs to Google Security Operations by using Bindplane.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that you have privileged access to Fortinet FortiAuthenticator.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall the Bindplane agent\n---------------------------\n\n### Windows installation\n\n1. Open the **Command Prompt** or **PowerShell** as an administrator.\n2. Run the following command:\n\n msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet\n\n### Linux installation\n\n1. Open a terminal with root or sudo privileges.\n2. Run the following command:\n\n sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh\n\n### Additional installation resources\n\n- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\n### Configure the Bindplane agent to ingest Syslog and send to Google SecOps\n\n1. Access the configuration file:\n\n 1. Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.\n 2. Open the file using a text editor (for example, `nano`, `vi`, or Notepad).\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n udplog:\n # Replace the port and IP address as required\n listen_address: \"0.0.0.0:514\"\n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the path to the credentials file you downloaded in Step 1\n creds: '/path/to/ingestion-authentication-file.json'\n # Replace with your actual customer ID from Step 2\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # Add optional ingestion labels for better organization\n ingestion_labels:\n log_type: FORTINET_FORTIAUTHENTICATOR\n raw_log_field: body\n\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - udplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Replace the port and IP address as required in your infrastructure.\n\n4. Replace `\u003ccustomer_id\u003e` with the actual customer ID.\n\n5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the\n [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/fortinet-faut#get-auth-file) section.\n\nRestart the Bindplane agent to apply the changes\n------------------------------------------------\n\n- To restart the Bindplane agent in Linux, run the following command:\n\n sudo systemctl restart bindplane-agent\n\n- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:\n\n net stop BindPlaneAgent && net start BindPlaneAgent\n\nConfigure a Syslog Server in FortiAuthenticator\n-----------------------------------------------\n\n1. Sign in to the **FortiAuthenticator** web UI.\n2. Select **Logging \\\u003e Log config \\\u003e Syslog servers**.\n3. In the **Syslog servers** list, select **Create new**.\n4. Specify the following configuration details:\n - **Name** : enter a unique name for the syslog server; for example, `Google SecOps`.\n - **Server name/IP**: enter the IP address of your Bindplane agent.\n - **Port** : enter the Bindplane agent port number; for example, `514`.\n - **Level** : select **Information**.\n - **Facility**: select a facility.\n5. Select **OK** to add the syslog server.\n\nConfigure Remote Syslog in FortiAuthenticator\n---------------------------------------------\n\n1. After adding the syslog server, select **Logging \\\u003e Log config \\\u003e Log settings**.\n2. In the **Remote syslog** session, click to enable **Send logs to remote syslog servers**.\n3. Select the server name created previously and move it to the **Chosen syslog server** list.\n4. Click **OK**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
