Collect Progress MOVEit Transfer logs

This document explains how to ingest Progress MOVEit Transfer logs into Google Security Operations using Bindplane.

Progress MOVEit Transfer is a managed file transfer (MFT) solution that provides secure, encrypted file transfers using protocols such as HTTPS, FTPS, and SFTP. It offers tamper-evident audit logging, role-based access controls, and compliance support for regulations including HIPAA, PCI DSS, and GDPR. MOVEit Transfer records all file transfer activity, user authentication events, and administrative actions in its audit database.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and the Progress MOVEit Transfer server
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • SysAdmin-level access to the Progress MOVEit Transfer web administration console
  • UDP port 514 (or your chosen syslog port) open from the MOVEit Transfer server to the Bindplane agent host

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command:

      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

     sc query observiq-otel-collector 
    

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

      sudo systemctl status observiq-otel-collector


    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

      sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

     notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml" 
    

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

      receivers:
        udplog:
          listen_address: "0.0.0.0:514"

      exporters:
        chronicle/moveit_transfer:
          compression: gzip
          creds_file_path: '<CREDS_FILE_PATH>'
          customer_id: '<CUSTOMER_ID>'
          endpoint: <REGION_ENDPOINT>
          log_type: IPSWITCH_MOVEIT_TRANSFER
          raw_log_field: body
          ingestion_labels:
            log_source: moveit_transfer

      service:
        pipelines:
          logs/moveit_to_chronicle:
            receivers:
              - udplog
            exporters:
              - chronicle/moveit_transfer


Configuration parameters

Replace the following placeholders.

Exporter configuration:

  • <CREDS_FILE_PATH>: Full path to the ingestion authentication file:
    • Linux: /etc/bindplane-agent/ingestion-auth.json
    • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
  • <CUSTOMER_ID>: Google SecOps customer ID copied earlier
  • <REGION_ENDPOINT>: Regional endpoint URL:
    • US: malachiteingestion-pa.googleapis.com
    • Europe: europe-malachiteingestion-pa.googleapis.com
    • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
    • See Regional Endpoints for the complete list
  • Example configuration:

      receivers:
        udplog:
          listen_address: "0.0.0.0:514"

      exporters:
        chronicle/moveit_transfer:
          compression: gzip
          creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
          customer_id: 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'
          endpoint: malachiteingestion-pa.googleapis.com
          log_type: IPSWITCH_MOVEIT_TRANSFER
          raw_log_field: body
          ingestion_labels:
            log_source: moveit_transfer

      service:
        pipelines:
          logs/moveit_to_chronicle:
            receivers:
              - udplog
            exporters:
              - chronicle/moveit_transfer


Save the configuration file

After editing, save the file:

  • Linux: Press Ctrl+O, then Enter, then Ctrl+X
  • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, do the following:

  1. Run the following command:

      sudo systemctl restart observiq-otel-collector

  2. Verify the service is running:

      sudo systemctl status observiq-otel-collector

  3. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f


To restart the Bindplane agent in Windows, do the following:

  1. Choose one of the following options:

    • Command Prompt or PowerShell as administrator:

       net stop observiq-otel-collector && net start observiq-otel-collector 
      
    • Services console:

      1. Press Win+R , type services.msc , and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.
      4. Verify the service is running:

         sc query observiq-otel-collector 
        
      5. Check logs for errors:

          type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"


Configure Progress MOVEit Transfer syslog forwarding

To configure MOVEit Transfer to forward audit log entries to the Bindplane agent via syslog:

  1. Sign in to the MOVEit Transfer web administration console as a user with SysAdmin permissions.
  2. Go to SETTINGS > System > Auditing > Syslog. The Configure Syslog Settings page displays.
  3. In the Syslog Logging section, select Enabled. When enabled, each audit log entry is sent to the specified syslog host as well as to the MOVEit Transfer audit database.
  4. In the Syslog Host field, enter the IP address or hostname of the Bindplane agent host (for example, 192.168.1.100).
  5. In the Syslog Port field, enter 514. If this field is left blank, it reverts to the default port 514.

  6. In the Syslog Facility dropdown, select the facility under which MOVEit Transfer syslog messages will appear on the remote syslog host. The default value is FTP. The following standard syslog facilities are available:

    • KERN
    • USER
    • MAIL
    • DAEMON
    • AUTH
    • SYSLOG
    • LPR
    • NEWS
    • UUCP
    • CRON
    • AUTHPRIV
    • FTP (default)
    • LOCAL0 through LOCAL7
  7. Click Change Logging Settings to save the configuration.

  8. Click Send Test Syslog Message to send a test message to the specified Bindplane agent host. Because the BSD Syslog implementation is based on UDP, there is no delivery confirmation; manually verify that the test message arrived by checking the Bindplane agent logs.

  9. Verify the test message was received by the Bindplane agent:

    • Linux:

        sudo journalctl -u observiq-otel-collector -f

    • Windows:

        type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

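As an added example (not code from this page, Bindplane or Progress), the following Python script receives one syslog datagram on the port MOVEit Transfer sends to and decodes its PRI header into the facility name and severity, so the test message from step 8 can be checked against the facility selected in step 6. The port, hostnames and the sample line are assumptions; only one process can own UDP 514, so stop the Bindplane agent first or bind a spare port and point MOVEit at it for the test.

```python
import re
import socket

# Facility numbers from RFC 3164, named as they appear in the MOVEit
# Syslog Facility dropdown (FTP, number 11, is the MOVEit default).
FACILITIES = {0: "KERN", 1: "USER", 2: "MAIL", 3: "DAEMON", 4: "AUTH",
              5: "SYSLOG", 6: "LPR", 7: "NEWS", 8: "UUCP", 9: "CRON",
              10: "AUTHPRIV", 11: "FTP"}
FACILITIES.update({16 + i: f"LOCAL{i}" for i in range(8)})

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(datagram: bytes) -> dict:
    """Split a BSD syslog datagram into facility name, severity and message."""
    m = _PRI_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                        # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {"facility": FACILITIES.get(facility, f"UNKNOWN({facility})"),
            "severity": severity, "message": m.group(2)}


def listen_once(port: int = 514, timeout: float = 60.0) -> dict:
    """Receive one datagram on the syslog port and decode it.

    Run this while the Bindplane agent is stopped, or use a spare port,
    because only one process can bind the UDP port at a time (assumption).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        data, (src_ip, _) = sock.recvfrom(65535)
    result = decode_pri(data)
    result["source_ip"] = src_ip         # expected: the MOVEit Transfer server
    return result


if __name__ == "__main__":
    # Constructed sample: an RFC 3164 line with facility FTP (11) and
    # severity 6 (informational), so PRI = 11 * 8 + 6 = 94.
    sample = b"<94>Jan  5 10:00:00 moveit-srv MOVEit: test syslog message"
    print(decode_pri(sample))
```

If the decoded facility is not the one chosen in the MOVEit dropdown, or the source IP is not the MOVEit server, the message reaching the agent is not the one you configured.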

Firewall requirements

Ensure the following firewall rule is in place to allow syslog traffic from MOVEit Transfer to the Bindplane agent:

Direction                     | Protocol | Source                    | Destination             | Port
Outbound from MOVEit Transfer | UDP      | MOVEit Transfer server IP | Bindplane agent host IP | 514

UDM mapping table

Log field | UDM mapping | Logic
column1 | metadata.collected_timestamp | Converted using date match patterns: d/M/yyyy H:mm:ss A, M/d/yyyy H:mm:ss A, MM/dd/yyyy HH:mm:ss A
column1 | metadata.event_timestamp | Converted using date match patterns: d/M/yyyy H:mm:ss A, M/d/yyyy H:mm:ss A, MM/dd/yyyy HH:mm:ss A
column2 | security_result.action_details | Value copied directly
column3 | target.hostname, target.asset.hostname | Value copied directly from column3
column4 | principal.ip, principal.asset.ip | Extracted from column4 using grok pattern for IP
column6 | target.file.full_path | Concatenated from folderPath and fileName if both present, else from fileName alone
column7 | target.file.full_path | 
column15 | target.file.full_path | 
column7 | target.user.email_addresses | Merged if column2 == file_sentemail
column10 | metadata.description | Value copied directly
column11 | metadata.product_event_type | Value copied directly if not None
column12 | target.ip, target.asset.ip | Extracted from column12 using grok pattern for IP
column16 | target.file.full_path | Concatenated from folderPath and fileName if both present, else from fileName alone
column23 | target.file.full_path | 
column19 | target.user.user_display_name | Value copied directly if column2 == file_sentemail and column8 == sender, else for target user
event_received_time | metadata.collected_timestamp | Converted using date match patterns: UNIX_MS, dd/MM/yyyy HH:mm:ss, yyyy-MM-dd HH:mm:ss, MM/dd/yyyy HH:mm:ss A, yyyy/MM/dd HH:mm:ss, RFC3339, yyyy-MM-ddTHH:mm:ss
timestamp | metadata.event_timestamp | Converted using date match patterns: MMM d HH:mm:ss, MMM dd HH:mm:ss, ISO8601, yyyy-MM-dd HH:mm:ss, yyyy-MM-dd HH:mm:ss Z, MM/dd/yyyy HH:mm:ss A, yy-MM-dd HH:mm:ss, RFC3339, yyyy-MM-ddTHH:mm:ss
prin_ip | principal.ip, principal.asset.ip | Value copied directly
AgentVersion | metadata.product_version | Value copied directly
principal_host | principal.hostname, principal.asset.hostname | Value copied directly
Username | principal.user.userid | Value copied directly
company_name | principal.user.company_name | Value copied directly
ID | target.process.pid | Value copied directly
InstID | metadata.product_log_id | Value copied directly
FileID | target.resource.attribute.labels | Merged as additional_id_2 with key FileID and value from FileID
FolderID | target.resource.attribute.labels | Merged as additional_id_3 with key FolderID and value from FolderID
FolderPath | target.file.full_path | Concatenated from FolderPath and FileName if both present, else from FolderPath
FileName | target.file.full_path | 
FileName | target.resource.attribute.labels | Merged as filename with key FileName and value from FileName
host | principal.hostname, principal.asset.hostname | Value copied directly
log_level | security_result.severity | Set to INFORMATIONAL if INFO or DEBUG, ERROR if ERROR
source_module_name | observer.resource.attribute.labels | Merged as source_module_label with key source_module_name and value from source_module_name
source_module_type | observer.application | Value copied directly
log_msg | metadata.description | Value from log_msg if http_method != GET and file_path empty, else log_desc, else description, else Message
log_desc | metadata.description | 
description | metadata.description | 
Message | metadata.description | 
port | principal.port | Value copied directly, converted to integer
tgtport | target.port | Value copied directly, converted to integer
package | principal.process.command_line | Value copied directly
srcip | principal.ip, principal.asset.ip | Value copied directly
username | principal.user.userid | Value copied directly
version | metadata.product_version | Value copied directly
http_method | network.http.method | Value copied directly
action | security_result.action_details | Value copied directly
summary | security_result.summary | Value copied directly
security_result | security_result | Merged directly
tgtip | target.ip, target.asset.ip | Value copied directly
application_proto | network.application_protocol | Uppercased and copied directly
url | network.http.referral_url | Value copied directly
status_code | network.http.response_code | Value copied directly, converted to integer
file_path | principal.process.file.full_path | Value copied directly
file_size | principal.process.file.size | Converted to uinteger if not 0
process_id | principal.process.pid | Value copied directly
session_id | network.session_id | Value copied directly
task_id | additional.fields | Merged as additional_field with key TASK_ID and string_value from task_id
AgentBrand | metadata.product_event_type | Value copied directly
Parm1 | additional.fields | Merged as additional_field_3 with key Parm1 and string_value from Parm1
Parm2 | additional.fields | Merged as additional_field_4 with key Parm2 and string_value from Parm2
Error | additional.fields | Merged as additional_field_5 with key Error and string_value from Error
XFerSize | target.resource.attribute.labels | Merged as additional_field_1 with key XFerSize and value from XFerSize
FolderPath | metadata.event_type | Set to FILE_DELETION if FolderPath and action_performed matches Delete File, NETWORK_HTTP if tgtip or host and application_proto == HTTP, USER_LOGIN if Username or username, STATUS_UPDATE if tgtip or host or principal_host or IPAddress, else GENERIC_EVENT
tgtip | metadata.event_type | 
host | metadata.event_type | 
principal_host | metadata.event_type | 
IPAddress | metadata.event_type | 
Username | metadata.event_type | 
username | metadata.event_type | 
tgtip | metadata.event_type | Set to USER_LOGIN if column2 == sec_signon and tgtip or tar_host, USER_LOGOUT if sec_signoff and tgtip or tar_host, FILE_UNCATEGORIZED if folder_add, FILE_CREATION if file_upload or download and tgtip and is_tgt_file_present, FILE_DELETION if file_delete and srcip and is_tgt_file_present, FILE_MODIFICATION if file_rename, FILE_UNCATEGORIZED if file_dlhashchk, EMAIL_TRANSACTION if file_sentemail and useremail, STATUS_UPDATE if srcip, else GENERIC_EVENT
tar_host | metadata.event_type | 
srcip | metadata.event_type | 
is_tgt_file_present | metadata.event_type | 
column2 | metadata.event_type | 
useremail | metadata.event_type | 
security_result | metadata.event_type | 
extensions.auth.type | extensions.auth.type | Set to MACHINE for login/logout events
metadata.vendor_name | metadata.vendor_name | Set to "IPS"
metadata.product_name | metadata.product_name | Set to "IPSWITCH MOVEIT TRANSFER"
