Collect Guardicore Centra logs

This document explains how to configure Guardicore Centra (now Akamai Guardicore Segmentation) to push logs into Google Security Operations using the Akamai Unified Log Streamer (ULS) with HTTP output.

Guardicore Centra is a micro-segmentation platform that provides Zero Trust network security for data centers, cloud environments, and endpoints. It delivers visibility into application dependencies, breach detection through deception technology, and granular segmentation controls to prevent lateral movement and contain threats.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • A Guardicore Centra instance (cloud or on-premises)
  • A Linux server to run Akamai ULS (minimum: 1 vCPU, 1 GB RAM, 500 MB disk)
  • Python 3.9 or later installed on the ULS server
  • Guardicore Centra administrator credentials (username and password)
  • Outbound HTTPS access from the ULS server to Google SecOps ingestion endpoints
  • Access to Google Cloud Console (for API key creation)

Create webhook feed in Google SecOps

Create the feed

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Guardicore Centra Logs).
  5. Select Webhook as the Source type.
  6. Select Guardicore Centra as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Split delimiter: Enter \n to split multi-line events (ULS sends newline-delimited JSON)
    • Asset namespace: The asset namespace
    • Ingestion labels: The label to be applied to the events from this feed
  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Generate and save secret key

After creating the feed, you must generate a secret key for authentication:

  1. On the feed details page, click Generate Secret Key.
  2. A dialog displays the secret key.
  3. Copy and save the secret key securely.

Get the feed endpoint URL

  1. Go to the Details tab of the feed.
  2. In the Endpoint Information section, copy the Feed endpoint URL.
  3. The URL format is:

     https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate

     or

     https://<REGION>-malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate

  4. Save this URL for the next steps.

  5. Click Done.

Create Google Cloud API key

Google SecOps requires an API key for authentication. Create a restricted API key in the Google Cloud Console.

Create the API key

  1. Go to the Google Cloud Console Credentials page.
  2. Select your project (the project associated with your Google SecOps instance).
  3. Click Create credentials > API key.
  4. An API key is created and displayed in a dialog.
  5. Click Edit API key to restrict the key.

Restrict the API key

  1. In the API key settings page:
    • Name: Enter a descriptive name (for example, Google SecOps Guardicore Webhook API Key)
  2. Under API restrictions:
    1. Select Restrict key.
    2. In the Select APIs dropdown, search for and select Google SecOps API (or Chronicle API).
  3. Click Save.
  4. Copy the API key value from the API key field at the top of the page.
  5. Save the API key securely.

Configure Guardicore Centra credentials

Create .edgerc file for Guardicore authentication

Akamai ULS uses a configuration file to store Guardicore credentials.

  1. On the ULS server, create the .edgerc file in the home directory:

     nano ~/.edgerc

  2. Add the following configuration:

     [default]
     linode_hostname = your-instance.cloud.guardicore.com
     linode_token = your_username:your_password

    Replace the following values:

    • your-instance.cloud.guardicore.com: Your Guardicore Centra instance hostname (without https://)
    • your_username: Your Guardicore administrator username
    • your_password: Your Guardicore administrator password

    Example for US region:

     [default]
     linode_hostname = cus-1234.cloud.guardicore.com
     linode_token = admin@company.com:MySecurePassword123

  3. Save and close the file.

  4. Set appropriate permissions:

     chmod 600 ~/.edgerc
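The following script is an added example; it is not part of this page and not part of Akamai ULS. It checks a .edgerc file for the mistakes that most often surface later as ULS connection errors: a hostname that still carries https:// or a path, a token that is not in username:password form, and a file mode other than 600. It reads the linode_hostname and linode_token keys named above; the function names and the default file location are our own choices.

```shell
#!/bin/sh
# Added example (not from the Google SecOps page or Akamai ULS): sanity-check
# a .edgerc file before starting ULS. Fails closed and prints one line per
# problem found so it can gate a deployment script.

# get_key FILE KEY: print KEY's value from the [default] section of FILE.
# Only the first "=" separates key and value, so a password may contain "=".
get_key() {
  awk -F= -v k="$2" '
    /^[[:space:]]*\[/ {
      sect = $0; sub(/^[[:space:]]*\[/, "", sect); sub(/\].*$/, "", sect)
    }
    sect == "default" && $1 ~ ("^[[:space:]]*" k "[[:space:]]*$") {
      v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
      print v; exit
    }' "$1"
}

# file_mode FILE: octal permission bits; GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_edgerc [FILE]: return 0 if the file is usable by ULS, 1 otherwise.
check_edgerc() {
  f="${1:-$HOME/.edgerc}"
  rc=0
  [ -f "$f" ] || { echo "$f: file not found"; return 1; }

  # Credentials file must not be readable by other local users.
  mode=$(file_mode "$f")
  [ "$mode" = "600" ] || { echo "$f: mode is $mode, expected 600 (chmod 600 $f)"; rc=1; }

  # The page asks for a bare hostname: no scheme, no path.
  host=$(get_key "$f" linode_hostname)
  case "$host" in
    "")        echo "$f: linode_hostname is missing from [default]"; rc=1 ;;
    *://*|*/*) echo "$f: linode_hostname must be a bare hostname, without https:// or a path"; rc=1 ;;
  esac

  # ULS expects username:password in a single token value.
  tok=$(get_key "$f" linode_token)
  case "$tok" in
    *:*) ;;
    *)   echo "$f: linode_token must be in the form username:password"; rc=1 ;;
  esac
  return "$rc"
}

# Run directly as: sh check-edgerc.sh [path]; the exit status reflects the result.
case "$0" in *check-edgerc.sh) check_edgerc "$@" ;; esac
```

Run it on the ULS server before the first `python3 bin/uls.py` invocation, or from the same deployment script that writes the file; a non-zero exit status means ULS would have failed to authenticate anyway.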
    

Install Akamai Unified Log Streamer

Install ULS from GitHub

  1. On the ULS server, clone the ULS repository:

     git clone https://github.com/akamai/uls.git
     cd uls

  2. Install Python dependencies:

     pip3 install -r requirements.txt

  3. Install the Guardicore log fetcher module:

     git clone -q --depth 1 -b main https://github.com/guardicore/log-fetcher.git ext/cli-gc
     pip3 install -r ext/cli-gc/requirements.txt

  4. Verify the installation:

     python3 bin/uls.py --help


Configure ULS to send logs to Google SecOps

Construct the Google SecOps webhook URL

  • Combine the Google SecOps endpoint URL and API key:

     <ENDPOINT_URL>?key=<API_KEY>

    Example:

     https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=AIzaSyD...


Run ULS for Guardicore NETLOG feed

The NETLOG feed contains network flow logs from Guardicore agents.

  1. Run ULS with the following command:

     python3 bin/uls.py \
       --input gc \
       --feed NETLOG \
       --output http \
       --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" \
       --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' \
       --httpformat '%s'

    Replace the following values:

    • YOUR_API_KEY: The Google Cloud API key created earlier
    • YOUR_SECRET_KEY: The Google SecOps secret key generated earlier
  2. ULS will start streaming NETLOG events to Google SecOps.

Run ULS for Guardicore INCIDENT feed

The INCIDENT feed contains security incidents detected by Guardicore.

  1. Run ULS with the following command:

     python3 bin/uls.py \
       --input gc \
       --feed INCIDENT \
       --output http \
       --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" \
       --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' \
       --httpformat '%s'

    Replace the following values:

    • YOUR_API_KEY: The Google Cloud API key created earlier
    • YOUR_SECRET_KEY: The Google SecOps secret key generated earlier
  2. ULS will start streaming INCIDENT events to Google SecOps.

Run ULS for Guardicore AGENT feed

The AGENT feed contains agent status and health information.

  1. Run ULS with the following command:

     python3 bin/uls.py \
       --input gc \
       --feed AGENT \
       --output http \
       --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" \
       --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' \
       --httpformat '%s'

    Replace the following values:

    • YOUR_API_KEY: The Google Cloud API key created earlier
    • YOUR_SECRET_KEY: The Google SecOps secret key generated earlier
  2. ULS will start streaming AGENT events to Google SecOps.

Run ULS for Guardicore SYSTEM feed

The SYSTEM feed contains system alerts and events.

  1. Run ULS with the following command:

     python3 bin/uls.py \
       --input gc \
       --feed SYSTEM \
       --output http \
       --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" \
       --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' \
       --httpformat '%s'

    Replace the following values:

    • YOUR_API_KEY: The Google Cloud API key created earlier
    • YOUR_SECRET_KEY: The Google SecOps secret key generated earlier
  2. ULS will start streaming SYSTEM events to Google SecOps.

Run ULS for Guardicore AUDIT feed

The AUDIT feed contains audit logs of administrative actions.

  1. Run ULS with the following command:

     python3 bin/uls.py \
       --input gc \
       --feed AUDIT \
       --output http \
       --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" \
       --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' \
       --httpformat '%s'

    Replace the following values:

    • YOUR_API_KEY: The Google Cloud API key created earlier
    • YOUR_SECRET_KEY: The Google SecOps secret key generated earlier
  2. ULS will start streaming AUDIT events to Google SecOps.

Run ULS as a background service

To ensure ULS runs continuously, configure it as a systemd service.

Create systemd service file for NETLOG feed

  1. Create a service file:

     sudo nano /etc/systemd/system/uls-guardicore-netlog.service

  2. Add the following content:

     [Unit]
     Description=Akamai ULS - Guardicore NETLOG
     After=network.target

     [Service]
     Type=simple
     User=root
     WorkingDirectory=/root/uls
     ExecStart=/usr/bin/python3 /root/uls/bin/uls.py --input gc --feed NETLOG --output http --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' --httpformat '%%s'
     Restart=always
     RestartSec=10

     [Install]
     WantedBy=multi-user.target

    Replace the following values:

    • /root/uls: The path where you cloned the ULS repository
    • YOUR_API_KEY: The Google Cloud API key
    • YOUR_SECRET_KEY: The Google SecOps secret key
  3. Save and close the file.

  4. Enable and start the service:

     sudo systemctl daemon-reload
     sudo systemctl enable uls-guardicore-netlog.service
     sudo systemctl start uls-guardicore-netlog.service

  5. Check the service status:

     sudo systemctl status uls-guardicore-netlog.service


Create additional services for other feeds

Repeat the above steps for each feed you want to collect (INCIDENT, AGENT, SYSTEM, AUDIT), creating separate service files:

  • /etc/systemd/system/uls-guardicore-incident.service
  • /etc/systemd/system/uls-guardicore-agent.service
  • /etc/systemd/system/uls-guardicore-system.service
  • /etc/systemd/system/uls-guardicore-audit.service

Change the --feed parameter and service name accordingly in each file.
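The script below is an added example and is not from this page or from the Akamai ULS project. It generates all five unit files from one template so the --feed value and the service name cannot drift between hand-edited copies, and it keeps the API key and secret key out of the unit files by loading them through EnvironmentFile= from a root-only file. The checkout path /opt/uls, the dedicated uls service user, the file /etc/uls-guardicore.env and the variable names GC_API_KEY and GC_SECRET_KEY are assumptions; the service user's home directory must hold the .edgerc file described earlier, and systemd substitutes ${VAR} inside the quoted ExecStart arguments when the service starts.

```shell
#!/bin/sh
# Added example (not from the Google SecOps page or the Akamai ULS project):
# generate one systemd unit per Guardicore feed. Assumptions: ULS is checked
# out at $ULS_DIR and runs as $ULS_USER (whose home holds .edgerc); the API key
# and secret key live in $ENV_FILE as GC_API_KEY and GC_SECRET_KEY and are
# loaded with EnvironmentFile=, so the unit files carry no credentials.
ULS_DIR="${ULS_DIR:-/opt/uls}"
ULS_USER="${ULS_USER:-uls}"
ENV_FILE="${ENV_FILE:-/etc/uls-guardicore.env}"
ENDPOINT="${ENDPOINT:-https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate}"
FEEDS="NETLOG INCIDENT AGENT SYSTEM AUDIT"

# unit_name FEED: uls-guardicore-<feed>.service, matching the names on the page.
unit_name() { printf 'uls-guardicore-%s.service' "$(printf '%s' "$1" | tr 'A-Z' 'a-z')"; }

# render_unit FEED: print the unit text. ${GC_...} is escaped in the heredoc so
# systemd, not this script, substitutes the values at ExecStart time; '%%s' is
# the specifier-escaped form of --httpformat '%s', as in the unit on the page.
render_unit() {
  feed="$1"
  cat <<EOF
[Unit]
Description=Akamai ULS - Guardicore ${feed}
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=${ULS_USER}
WorkingDirectory=${ULS_DIR}
EnvironmentFile=${ENV_FILE}
ExecStart=/usr/bin/python3 ${ULS_DIR}/bin/uls.py --input gc --feed ${feed} --output http --httpurl "${ENDPOINT}?key=\${GC_API_KEY}" --httpauthheader '{"x-chronicle-auth": "\${GC_SECRET_KEY}"}' --httpformat '%%s'
Restart=always
RestartSec=10
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

# write_env_file FILE API_KEY SECRET_KEY: create the credentials file with
# mode 600. It refuses to overwrite, so a key rotation is an explicit step.
write_env_file() {
  if [ -e "$1" ]; then
    echo "refusing to overwrite $1" >&2
    return 1
  fi
  (umask 077; printf 'GC_API_KEY=%s\nGC_SECRET_KEY=%s\n' "$2" "$3" > "$1")
}

# write_units [DIR]: write all five units into DIR (default the systemd
# unit directory) and print their names, one per line.
write_units() {
  dir="${1:-/etc/systemd/system}"
  for feed in $FEEDS; do
    name=$(unit_name "$feed")
    render_unit "$feed" > "$dir/$name"
    chmod 0644 "$dir/$name"
    printf '%s\n' "$name"
  done
}

# Run directly as root: sh gen-uls-units.sh [DIR]
case "$0" in *gen-uls-units.sh) write_units "$@" ;; esac
```

Typical use as root is to create the environment file once with write_env_file, run the script to write the units, then `systemctl daemon-reload` followed by `systemctl enable --now` on each printed name. The secret still reaches ULS on its command line, so it remains visible in the process list on the ULS server; the environment file only keeps it out of the unit files and out of whatever configuration management tracks them.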

Verify log ingestion

  1. Wait for 5-10 minutes for logs to be ingested and processed.
  2. In the Google SecOps console, go to Search.
  3. Run the following UDM search query:

     metadata.vendor_name = "Guardicore" 
    
  4. If logs are ingested successfully, you should see Guardicore events in the search results.

  5. You can also search for specific feed types:

     metadata.vendor_name = "Guardicore" AND metadata.product_name = "Centra" 
    

Troubleshooting

ULS connection errors

If ULS fails to connect to Guardicore:

  1. Verify the .edgerc file contains the correct hostname and credentials.
  2. Test connectivity to your Guardicore instance:

     curl -u "username:password" https://your-instance.cloud.guardicore.com/api/v3.0/visibility

  3. Check that the Guardicore instance is accessible from the ULS server.

ULS HTTP output errors

If ULS fails to send logs to Google SecOps:

  1. Verify the API key and secret key are correct.
  2. Check that the Google SecOps endpoint URL is correct for your region.
  3. Verify outbound HTTPS connectivity from the ULS server:

     curl -I https://malachiteingestion-pa.googleapis.com

  4. Review ULS logs for error messages:

     sudo journalctl -u uls-guardicore-netlog.service -f


No logs appearing in Google SecOps

If logs are not appearing in Google SecOps:

  1. Verify the webhook feed is in Active status in SIEM Settings > Feeds.
  2. Check the feed's Health tab for ingestion errors.
  3. Verify the split delimiter is set to \n in the feed configuration.
  4. Ensure the log type is set to Guardicore Centra.

Self-signed certificate errors

If your Guardicore instance uses a self-signed certificate, ULS may fail with SSL verification errors. To bypass SSL verification (not recommended for production):

  • Add the --httpinsecure flag to the ULS command:

     python3 bin/uls.py \
       --input gc \
       --feed NETLOG \
       --output http \
       --httpurl "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate?key=YOUR_API_KEY" \
       --httpauthheader '{"x-chronicle-auth": "YOUR_SECRET_KEY"}' \
       --httpformat '%s' \
       --httpinsecure


Available Guardicore feeds

Akamai ULS supports the following Guardicore feeds:

Feed Name      Description                                        ULS Feed Parameter
Network Logs   Network flow logs from Guardicore agents           NETLOG
Incidents      Security incidents detected by Guardicore          INCIDENT
Agent Logs     Agent status and health information                AGENT
System Alerts  System-level alerts and events                     SYSTEM
Audit Logs     Administrative actions and configuration changes   AUDIT

Authentication methods reference

Google SecOps webhook feeds support multiple authentication methods. Akamai ULS uses the hybrid method, with the API key in the URL and the secret key in a header.

Method used by ULS: Hybrid (URL + Header)

  • Request format:

     POST <ENDPOINT_URL>?key=<API_KEY> HTTP/1.1
     Content-Type: application/json
     x-chronicle-auth: <SECRET_KEY>

     {"event": "data", "timestamp": "2025-01-15T10:30:00Z"}

  • ULS command format:

     --httpurl "<ENDPOINT_URL>?key=<API_KEY>"
     --httpauthheader '{"x-chronicle-auth": "<SECRET_KEY>"}'


Authentication header names

Google SecOps accepts the following header names for authentication:

  • For API key:

    • x-goog-chronicle-auth (recommended)
    • X-Goog-Chronicle-Auth (case-insensitive)
  • For secret key:

    • x-chronicle-auth (recommended)
    • X-Chronicle-Auth (case-insensitive)
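As an added example that is not part of this page, the script below sends one constructed event to the webhook with the same hybrid authentication ULS uses (API key as the key query parameter, secret key in the x-chronicle-auth header) and turns the HTTP status into a first diagnosis, which is the quickest way to separate a feed or key problem from a ULS problem when following the "ULS HTTP output errors" steps. The environment variable names GC_API_KEY and GC_SECRET_KEY, the default endpoint, the event body and the status-to-cause mapping are assumptions of this example, not statements from the page.

```shell
#!/bin/sh
# Added example (not from the Google SecOps page or Akamai ULS): a webhook
# smoke test using the hybrid method. Assumptions: GC_API_KEY and
# GC_SECRET_KEY are set in the environment (for instance from a root-only
# /etc/uls-guardicore.env) and ENDPOINT is the feed endpoint URL copied from
# the feed's Details tab. The diagnosis per status code is a heuristic.
ENDPOINT="${ENDPOINT:-https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate}"

# webhook_url: endpoint plus the API key as the "key" query parameter,
# the same shape as the --httpurl value ULS is given.
webhook_url() { printf '%s?key=%s' "$ENDPOINT" "$GC_API_KEY"; }

# sample_event: one newline-terminated JSON record (constructed, not real
# Guardicore output), the form --httpformat '%s' delivers per event and the
# feed's "\n" split delimiter expects.
sample_event() {
  printf '{"source":"uls-webhook-smoke-test","timestamp":"%s"}\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# explain_status CODE: one-line likely cause for the status the webhook returned.
explain_status() {
  case "$1" in
    200)     echo "accepted: endpoint, API key and secret key are all correct" ;;
    400)     echo "bad request: the body was rejected; check it is newline-delimited JSON" ;;
    401|403) echo "rejected: API key (URL) or secret key (x-chronicle-auth header) is wrong, or the key is restricted to the wrong API" ;;
    404)     echo "not found: endpoint URL or region prefix does not match your SecOps instance" ;;
    000)     echo "no response: outbound HTTPS from this host is blocked or DNS failed" ;;
    *)       echo "unexpected status $1: check the feed's Health tab" ;;
  esac
}

# post_sample: POST the sample event; prints the status and diagnosis and
# returns 0 only when the webhook accepted it.
post_sample() {
  code=$(sample_event | curl -sS -o /dev/null -w '%{http_code}' \
      -X POST -H 'Content-Type: application/json' \
      -H "x-chronicle-auth: ${GC_SECRET_KEY}" \
      --data-binary @- "$(webhook_url)" || true)
  code="${code:-000}"
  echo "HTTP $code: $(explain_status "$code")"
  [ "$code" = 200 ]
}

# Run directly: GC_API_KEY=... GC_SECRET_KEY=... sh webhook-smoke.sh
case "$0" in *webhook-smoke.sh) post_sample ;; esac
```

Because the keys are read from the environment rather than typed on the command line, they do not land in the shell history; the same environment file used by the systemd units can be sourced before running the test.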

Webhook limits and best practices

Request limits

Limit                         Value
Max request size              4 MB
Max QPS (queries per second)  15,000
Request timeout               30 seconds
Retry behavior                Automatic with exponential backoff

Best practices

  • Run separate ULS instances for each feed type to improve reliability and troubleshooting.
  • Monitor ULS service status using systemd and set up alerts for service failures.
  • Rotate Guardicore credentials periodically and update the .edgerc file.
  • Use a dedicated service account in Guardicore with read-only API access.
  • Configure log rotation for ULS logs to prevent disk space issues.
  • Test failover scenarios by running ULS on multiple servers with load balancing.

UDM mapping table

The following table lists the log fields of the Guardicore Centra log and their corresponding UDM fields.

Log Field         UDM Field                             Description
timestamp         metadata.event_timestamp              Event timestamp
source_ip         principal.ip                          Source IP address
destination_ip    target.ip                             Destination IP address
source_port       principal.port                        Source port number
destination_port  target.port                           Destination port number
protocol          network.ip_protocol                   Network protocol
action            security_result.action                Security action taken
severity          security_result.severity              Event severity
user              principal.user.userid                 Username
hostname          principal.hostname                    Source hostname
process_name      principal.process.file.full_path      Process name
incident_id       security_result.detection_fields.key  Incident identifier
description       security_result.description           Event description
