Collect VMware Aria Suite (formerly VMware vRealize Suite) logs

Supported in:

Google secops SIEM

This guide explains how to ingest VMware Aria Suite (formerly known as VMware vRealize Suite) logs to Google Security Operations using Bindplane.

VMware Aria Suite (formerly VMware vRealize Suite, now available as part of VMware Cloud Foundation and vSphere Foundation) is a cloud management platform that provides operations management, automation, log analytics, and network visibility for hybrid and multi-cloud environments. The parser extracts fields from syslog messages using grok patterns based on the msg_type field, maps them to the Unified Data Model (UDM), and enriches the data with network information, user details, and resource attributes.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and the VMware Aria Suite environment
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Administrative access to VMware Aria Operations (or VMware Aria Suite)

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "[https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi](https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi)" 
  
 / 
 quiet

Wait for the installation to complete.
Verify the installation by running:
```
 sc query observiq-otel-collector 
```

The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
 [ 
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ]( 
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 )" 
  
install_unix.sh

Wait for the installation to complete.

Verify the installation by running:

 sudo  
systemctl  
status  
observiq-otel-collector

The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide .

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

 sudo  
nano  
/etc/bindplane-agent/config.yaml

Windows:

 notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

  receivers 
 : 
  
 udplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/vmware_vrealize 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 '<customer_id>' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 VMWARE_VREALIZE 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/vmware_vrealize_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/vmware_vrealize

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address : IP address and port to listen on:
  - 0.0.0.0 to listen on all interfaces (recommended)
  - Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)
Exporter configuration:
- creds_file_path : Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id : Customer ID copied from the Google SecOps console
- endpoint : Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O , then Enter , then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

Run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

Verify the service is running:

 sudo  
systemctl  
status  
observiq-otel-collector

Check logs for errors:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f

To restart the Bindplane agent in Windows:

Choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```
- Services console:
  1. Press Win+R , type services.msc , and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
Verify the service is running:
```
 sc query observiq-otel-collector 
```

Check logs for errors:

   
 type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure syslog forwarding in VMware Aria Operations

Sign in to the VMware Aria Operationsweb UI.
Go to Administration > Management > Outbound Settings.
Click Add.
In the Plugin Typedropdown, select Syslog.
Provide the following configuration details:
- Instance Name: Enter a unique name to identify the syslog destination (for example, Chronicle-Bindplane ).
- Node: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100 ).
- Port: Enter 514 .
- Protocol: Select UDP.
Click Testto verify the connection to the Bindplane agent.
Click Saveto apply the outbound syslog settings.

Note: Ensure that VMware Aria Operations is configured to send logs in UTC timezone to avoid timestamp parsing issues.

UDM mapping table

Log Field	UDM Mapping	Logic
`actorDomain`	`principal.hostname`	The value of actorDomain from the raw log is mapped to the UDM field.
`actorId`	`principal.resource.attribute.labels.key`	The string "actorId" is assigned to the key.
`actorId`	`principal.resource.attribute.labels.value`	The value of actorId from the raw log is assigned to the value.
`actorId`	`additional.fields.key`	The string "actorId" is assigned to the key.
`actorId`	`additional.fields.value.string_value`	The value of actorId from the raw log is assigned to the value.
`actorUserName`	`principal.user.userid`	The value of actorUserName from the raw log is mapped to the UDM field.
`actorUuid`	`principal.resource.attribute.labels.key`	The string "actorUuid" is assigned to the key.
`actorUuid`	`principal.resource.attribute.labels.value`	The value of actorUuid from the raw log is assigned to the value.
`actorUuid`	`additional.fields.key`	The string "actorUuid" is assigned to the key.
`actorUuid`	`additional.fields.value.string_value`	The value of actorUuid from the raw log is assigned to the value.
`all_request_headers.sec-ch-ua-platform`	`principal.platform`	The value is derived from all_request_headers.sec-ch-ua-platform. If it contains "win" or "windows" (case-insensitive), the value is "WINDOWS". If it contains "Mac" (case-insensitive), the value is "MAC". If it contains "lin" or "linux" (case-insensitive), the value is "LINUX".
`all_request_headers.X-Requested-With`	`network.application_protocol`	If the value contains "http" (case-insensitive), the value is set to "HTTP".
`automation_tag`	`metadata.product_event_type`	The value of automation_tag from the raw log is mapped to the UDM field.
`client_ip`	`principal.ip`	The value of client_ip from the raw log is mapped to the UDM field.
`client_src_port`	`principal.port`	The value of client_src_port from the raw log is mapped to the UDM field.
`comp`	`about.resource.attribute.labels.key`	The string "Component" is assigned to the key.
`comp`	`about.resource.attribute.labels.value`	The value of comp from the raw log is assigned to the value.
`compression`	`additional.fields.key`	The string "compression" is assigned to the key.
`compression`	`additional.fields.value.string_value`	The value of compression from the raw log is assigned to the value.
`data`	`about.resource.attribute.labels.key`	Logic depends on msg_type. If msg_type is "Vpxa", "Hostd", or "VSANMGMTSVC", the data field is parsed using key-value pairs, and specific keys (like opID, sub) are mapped to about.resource.attribute.labels. If msg_type is "SWITCHING", "FABRIC", "MONITORING", "SYSTEM", "ROUTING", "LOAD", "nsx", "nestdb", "cfgAgent", "NSX", or "NSXV", the data field is parsed for keys like comp, subcomp, s2comp, which are then mapped to about.resource.attribute.labels.
`data`	`about.resource.attribute.labels.value`	See logic for about.resource.attribute.labels.key.
`data`	`security_result.description`	If msg_type is "Vpxa", "Hostd", or "VSANMGMTSVC", and after parsing data for key-value pairs, if a msg field exists, its value is assigned to security_result.description.
`description`	`security_result.description`	If the description field exists in the raw log, its value is mapped to the UDM field.
`deviceId`	`principal.resource.attribute.labels.key`	The string "deviceType" is assigned to the key.
`deviceId`	`principal.resource.attribute.labels.value`	The value of values.deviceType from the raw log is assigned to the value.
`deviceId`	`additional.fields.key`	The string "deviceType" is assigned to the key.
`deviceId`	`additional.fields.value.string_value`	The value of values.deviceType from the raw log is assigned to the value.
`direction`	`network.direction`	If the value is "OUT", it's mapped to "OUTBOUND". If it's "IN", it's mapped to "INBOUND".
`dst_ip`	`target.ip`	The value of dst_ip from the raw log is mapped to the UDM field.
`dst_port`	`target.port`	The value of dst_port from the raw log is mapped to the UDM field.
`event_source`	`principal.url`	The value of event_source from the raw log is mapped to the UDM field.
`headers_received_from_server.Access-Control-Allow-Origin`	`target.resource.attribute.labels.key`	The string "headers_received_from_server.Access-Control-Allow-Origin" is assigned to the key.
`headers_received_from_server.Access-Control-Allow-Origin`	`target.resource.attribute.labels.value`	The value of headers_received_from_server.Access-Control-Allow-Origin from the raw log is assigned to the value.
`headers_received_from_server.Content-Security-Policy`	`principal.resource.attribute.labels.key`	The string "headers_received_from_server.Content-Security-Policy" is assigned to the key.
`headers_received_from_server.Content-Security-Policy`	`principal.resource.attribute.labels.value`	The value of headers_received_from_server.Content-Security-Policy from the raw log is assigned to the value.
`headers_received_from_server.Cookie`	`target.resource.attribute.labels.key`	The string "headers_received_from_server.Cookie" is assigned to the key.
`headers_received_from_server.Cookie`	`target.resource.attribute.labels.value`	The value of headers_sent_to_server.Cookie from the raw log is assigned to the value.
`headers_received_from_server.set-cookie`	`target.resource.attribute.labels.key`	The string "headers_received_from_server.set-cookie" is assigned to the key.
`headers_received_from_server.set-cookie`	`target.resource.attribute.labels.value`	The value of headers_received_from_server.set-cookie from the raw log is assigned to the value.
`headers_sent_to_server.sec-ch-ua`	`principal.resource.attribute.labels.key`	The string "headers_sent_to_server.sec-ch-ua" is assigned to the key.
`headers_sent_to_server.sec-ch-ua`	`principal.resource.attribute.labels.value`	The value of headers_sent_to_server.sec-ch-ua from the raw log is assigned to the value.
`headers_sent_to_server.X-CSRF-TOKEN`	`principal.resource.attribute.labels.key`	The string "headers_sent_to_server.X-CSRF-TOKEN" is assigned to the key.
`headers_sent_to_server.X-CSRF-TOKEN`	`principal.resource.attribute.labels.value`	The value of headers_sent_to_server.X-CSRF-TOKEN from the raw log is assigned to the value.
`hostname`	`principal.hostname`	The value of hostname from the raw log is mapped to the UDM field.
`hostname`	`intermediary.hostname`	The value of hostname from the raw log is mapped to the UDM field.
`host`	`principal.hostname`	The value of host from the raw log is mapped to the UDM field.
`isLocal`	`additional.fields.key`	The string "isLocal" is assigned to the key.
`isLocal`	`additional.fields.value.string_value`	The value of isLocal from the raw log is assigned to the value.
`json_data`	`Various fields within principal, target, additional, and security_result`	The json_data field from the raw log is parsed as JSON, and the extracted fields are mapped to various UDM fields based on their names and the parser's logic. This includes fields like uuid, tenantId, actorId, actorUserName, actorDomain, sourceIp, objectName, objectType, objectId, values.resourceType, values.success, and others.
`kv_data`	`Various fields`	The kv_data field is parsed as key-value pairs, and the extracted fields are mapped to various UDM fields based on their names and the parser's logic.
`level`	`security_result.severity`	If the value is "info" (case-insensitive), it's mapped to "INFORMATIONAL".
`log_id`	`metadata.product_log_id`	The value of log_id from the raw log is mapped to the UDM field.
`message`	`Various fields`	The message field is the main source of data and is parsed extensively using grok patterns to extract various fields like ts, hostname, msg_type, sub_msg, and others. These extracted fields are then used to populate different UDM fields based on the parser's logic.
`method`	`network.http.method`	The value of method from the raw log is mapped to the UDM field.
`msg`	`security_result.description`	If msg_type is "Vpxa", "Hostd", "VSANMGMTSVC", "SWITCHING", "FABRIC", "ROUTING", "LOAD-BALANCER", "nsx", "nestdb", "cfgAgent", "NSX", "NSXV", or "Rhttpproxy", and after any relevant grok parsing, if the msg field exists, its value is assigned to security_result.description. There are special cases within this logic for specific message content like "keepalive connection".
`msg_type`	`metadata.product_event_type`	If msg_type is "FIREWALL_PKTLOG" or "FIREWALL-PKTLOG", its value is mapped to the UDM field.
`objectName`	`target.resource.attribute.labels.key`	The string "objectName" is assigned to the key.
`objectName`	`target.resource.attribute.labels.value`	The value of objectName from the raw log is assigned to the value.
`objectName`	`additional.fields.key`	The string "objectName" is assigned to the key.
`objectName`	`additional.fields.value.string_value`	The value of objectName from the raw log is assigned to the value.
`objectId`	`target.resource.attribute.labels.key`	The string "objectId" is assigned to the key.
`objectId`	`target.resource.attribute.labels.value`	The value of objectId from the raw log is assigned to the value.
`objectId`	`additional.fields.key`	The string "objectId" is assigned to the key.
`objectId`	`additional.fields.value.string_value`	The value of objectId from the raw log is assigned to the value.
`objectType`	`target.resource.attribute.labels.key`	The string "objectType" is assigned to the key.
`objectType`	`target.resource.attribute.labels.value`	The value of objectType from the raw log is assigned to the value.
`objectType`	`additional.fields.key`	The string "objectType" is assigned to the key.
`objectType`	`additional.fields.value.string_value`	The value of objectType from the raw log is assigned to the value.
`objectType`	`security_result.description`	If objectType is "LAUNCH" and success is not "true", the description is "application launch attempt was successful". If objectType is "LAUNCH_ERROR" and success is not "true", the description is "User launched an application with an invalid request".
`opID`	`about.resource.attribute.labels.key`	The string "opId" is assigned to the key.
`opID`	`about.resource.attribute.labels.value`	The value of opID from the raw log is assigned to the value.
`pool`	`additional.fields.key`	The string "pool" is assigned to the key.
`pool`	`additional.fields.value.string_value`	The value of pool from the raw log is assigned to the value.
`pool_name`	`additional.fields.key`	The string "pool_name" is assigned to the key.
`pool_name`	`additional.fields.value.string_value`	The value of pool_name from the raw log is assigned to the value.
`protocol`	`network.ip_protocol`	The value of protocol from the raw log is converted to uppercase and mapped to the UDM field. If the value is "PROTO", it is not mapped.
`protocol`	`additional.fields.key`	If the value of protocol is "PROTO", the string "ip_protocol" is assigned to the key.
`protocol`	`additional.fields.value.string_value`	If the value of protocol is "PROTO", the value of protocol from the raw log is assigned to the value.
`query_data`	`network.dns.questions.name`	The query_data field is parsed to extract the question_name, which is then mapped to the UDM field.
`query_data`	`network.dns.questions.type`	The query_data field is parsed to extract the query_type, which is then mapped to the UDM field using a lookup included from "dns_record_type.include".
`query_data`	`network.dns.questions.class`	The query_data field is parsed to extract the dns_class, which is then mapped to the UDM field using a lookup included from "dns_query_class_mapping.include".
`referer`	`principal.url`	The value of referer from the raw log is mapped to the UDM field.
`request_content_type`	`additional.fields.key`	The string "request_content_type" is assigned to the key.
`request_content_type`	`additional.fields.value.string_value`	The value of request_content_type from the raw log is assigned to the value.
`request_state`	`additional.fields.key`	The string "request_state" is assigned to the key.
`request_state`	`additional.fields.value.string_value`	The value of request_state from the raw log is assigned to the value.
`response_code`	`network.http.response_code`	The value of response_code or server_response_code from the raw log is mapped to the UDM field.
`response_content_type`	`additional.fields.key`	The string "request_content_type" is assigned to the key.
`response_content_type`	`additional.fields.value.string_value`	The value of response_content_type from the raw log is assigned to the value.
`rule_id`	`security_result.rule_id`	The value of rule_id from the raw log is mapped to the UDM field.
`s2comp`	`about.resource.attribute.labels.key`	The string "S2-Component" is assigned to the key.
`s2comp`	`about.resource.attribute.labels.value`	The value of s2comp from the raw log is assigned to the value.
`server_ip`	`target.ip`	The value of server_ip from the raw log is mapped to the UDM field.
`server_name`	`target.hostname`	The value of server_name from the raw log is mapped to the UDM field.
`server_response_code`	`network.http.response_code`	See logic for response_code.
`server_src_port`	`target.port`	The value of server_src_port from the raw log is mapped to the UDM field.
`service_engine`	`additional.fields.key`	The string "service_engine" is assigned to the key.
`service_engine`	`additional.fields.value.string_value`	The value of service_engine from the raw log is assigned to the value.
`sourceIp`	`principal.ip`	The value of sourceIp from the raw log is mapped to the UDM field.
`ssl_cipher`	`network.tls.cipher`	The value of ssl_cipher from the raw log is mapped to the UDM field.
`ssl_session_id`	`network.session_id`	The value of ssl_session_id from the raw log is mapped to the UDM field.
`ssl_version`	`network.tls.version_protocol`	The value of ssl_version from the raw log is mapped to the UDM field.
`sub`	`about.resource.attribute.labels.key`	The string "Sub Component" is assigned to the key.
`sub`	`about.resource.attribute.labels.value`	The value of sub from the raw log is assigned to the value.
`subClusterUuid`	`additional.fields.key`	The string "subClusterUuid" is assigned to the key.
`subClusterUuid`	`additional.fields.value.string_value`	The value of subClusterUuid from the raw log is assigned to the value.
`sub_msg`	`Various fields within principal, target, network, security_result, and about`	The sub_msg field is parsed differently based on the msg_type. It can be parsed as JSON, using grok patterns, or using key-value pairs. The extracted fields are then mapped to various UDM fields based on their names and the parser's logic. This includes fields like ip_type, action, rule_id, direction, protocol, tcp_flag, src_ip, src_port, dst_ip, dst_port, data, msg, and others.
`subcomp`	`about.resource.attribute.labels.key`	The string "Sub Component" is assigned to the key.
`subcomp`	`about.resource.attribute.labels.value`	The value of subcomp from the raw log is assigned to the value.
`tenantId`	`principal.resource.attribute.labels.key`	The string "tenantId" is assigned to the key.
`tenantId`	`principal.resource.attribute.labels.value`	The value of tenantId from the raw log is assigned to the value.
`tenantId`	`additional.fields.key`	The string "tenantId" is assigned to the key.
`tenantId`	`additional.fields.value.string_value`	The value of tenantId from the raw log is assigned to the value.
`ts`	`metadata.event_timestamp`	The value of ts from the raw log is parsed as a timestamp and mapped to the UDM field.
`ts`	`timestamp`	The value of ts from the raw log is parsed as a timestamp and mapped to the UDM field.
`updateType`	`additional.fields.key`	The string "updateType" is assigned to the key.
`updateType`	`additional.fields.value.string_value`	The value of updateType from the raw log is assigned to the value.
`uri_path`	`network.http.referral_url`	The value of uri_path from the raw log is mapped to the UDM field.
`user_agent`	`network.http.user_agent`	The value of user_agent from the raw log is mapped to the UDM field.
`user_agent`	`network.http.parsed_user_agent`	The value of user_agent from the raw log is parsed as a user agent string and mapped to the UDM field.
`USER`	`principal.user.user_display_name`	The value of USER from the raw log is mapped to the UDM field.
`values.actorExternalId`	`principal.resource.attribute.labels.key`	The string "actorExternalId" is assigned to the key.
`values.actorExternalId`	`principal.resource.attribute.labels.value`	The value of values.actorExternalId from the raw log is assigned to the value.
`values.actorExternalId`	`additional.fields.key`	The string "actorExternalId" is assigned to the key.
`values.actorExternalId`	`additional.fields.value.string_value`	The value of values.actorExternalId from the raw log is assigned to the value.
`values.deviceType`	`principal.resource.attribute.labels.key`	The string "deviceType" is assigned to the key.
`values.deviceType`	`principal.resource.attribute.labels.value`	The value of values.deviceType from the raw log is assigned to the value.
`values.deviceType`	`additional.fields.key`	The string "deviceType" is assigned to the key.
`values.deviceType`	`additional.fields.value.string_value`	The value of values.deviceType from the raw log is assigned to the value.
`values.resourceType`	`principal.resource.resource_subtype`	The value of values.resourceType from the raw log is mapped to the UDM field. The principal.resource.type is set to "VIRTUAL_MACHINE".
`values.success`	`security_result.action`	If the value is "true" (case-insensitive), it's mapped to "ALLOW". If it's "false" (case-insensitive), it's mapped to "BLOCK".
`virtualservice`	`additional.fields.key`	The string "virtualservice" is assigned to the key.
`virtualservice`	`additional.fields.value.string_value"	The value of virtualservice from the raw log is assigned to the value.
`vmw_vr_ops_appname`	`about.resource.attribute.labels.key`	The string "Ops AppName" is assigned to the key.
`vmw_vr_ops_appname`	`about.resource.attribute.labels.value`	The value of vmw_vr_ops_appname from the raw log is assigned to the value.
`vmw_vr_ops_clustername`	`about.resource.attribute.labels.key`	The string "Ops ClusterName" is assigned to the key.
`vmw_vr_ops_clustername`	`about.resource.attribute.labels.value`	The value of vmw_vr_ops_clustername from the raw log is assigned to the value.
`vmw_vr_ops_logtype`	`about.resource.attribute.labels.key`	The string "Ops Logtype" is assigned to the key.
`vmw_vr_ops_logtype"	`about.resource.attribute.labels.value`	The value of vmw_vr_ops_logtype from the raw log is assigned to the value.
`vmw_vr_ops_nodename`	`about.resource.attribute.labels.key`	The string "Ops NodeName" is assigned to the key.
`vmw_vr_ops_nodename`	`about.resource.attribute.labels.value`	The value of vmw_vr_ops_nodename from the raw log is assigned to the value.
`vs_name`	`additional.fields.key`	The string "vs_name" is assigned to the key.
`vs_name`	`additional.fields.value.string_value`	The value of vs_name from the raw log is assigned to the value.

Need more help? Get answers from Community members and Google SecOps professionals.