Console
    Contact Us Start free

    Collect VMware Workspace ONE UEM logs

    Supported in:

    This parser extracts logs from VMware Workspace ONE UEM (formerly known as VMware AirWatch) in Syslog, CEF, or key-value pair formats. It normalizes fields such as usernames, timestamps, and event details, mapping them to the UDM. The parser handles various Workspace ONE UEM event types, populating principal, target, and other UDM fields based on specific event data and logic for different log formats.

    Before you begin

    • Ensure that you have a Google Security Operations instance.
    • Ensure that you have privileged access to the VMware Workspace ONE console.
    • Ensure that you have a Windows or Linux host with systemd.
    • If running behind a proxy, ensure that the firewall ports are open.

    Get Google SecOps ingestion authentication file

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Collection Agents.
    3. Download the Ingestion Authentication File.

    Get Google SecOps customer ID

    1. Sign in to the Google SecOps console.
    2. Go to SIEM Settings > Profile.
    3. Copy and Save the customer IDfrom the Organization Detailssection.

    Install Bindplane Agent

    1. For Windows installation, run the following script:
      msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    2. For Linux installation, run the following script:
      sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    3. Additional installation options can be found in this installation guide .

    Configure Bindplane Agent to ingest Syslog and send to Google SecOps

    1. Access the machine where Bindplane is installed.

    2. Edit the config.yaml file as follows:

       receivers:
  tcplog:
    # Replace the below port <54525> and IP (0.0.0.0) with your specific values
    listen_address: "0.0.0.0:54525" 

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the creds location below according the placement of the credentials file you downloaded
        creds: '{ json file for creds }'
        # Replace <customer_id> below with your actual ID that you copied
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # You can apply ingestion labels below as preferred
        ingestion_labels:
        log_type: SYSLOG
        namespace: 
        raw_log_field: body
service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - tcplog
            exporters:
                - chronicle/chronicle_w_labels

    3. Restart Bindplane Agent to apply the changes using the following command: sudo systemctl bindplane restart

    Configuring syslog in VMware Workspace ONE UEM

    1. Sign in to the Workspace ONE UEM Console:
    2. Go to Settings > System > Advanced > Syslog.
    3. Check the option to Enable Syslog.
    4. Specify values for the following input parameters:
      • IP Address/Hostname: enter the address of your Bindplane Agent.
      • Port: enter the designated port (default: 514).
      • Protocol: select UDPor TCPdepending on your Bindplane agent configuration.
      • Select Log Types: select the logs you want to send to Google SecOps - Device Management Logs, Console Activity Logs, Compliance Logs, Event Logs
      • Set the log level (for example, Info, Warning, Error).
    5. Click Saveto apply settings

    UDM Mapping Table

    Log Field UDM Mapping Logic
    AdminAccount
    		principal.user.userid The AdminAccount from the raw log is mapped to the principal.user.userid field.
    Application
    		target.application The Application field from the raw log is mapped to the target.application field.
    ApplicationUUID
    		additional.fields The ApplicationUUID field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "ApplicationUUID".
    BytesReceived
    		network.received_bytes The BytesReceived field from the raw log is mapped to the network.received_bytes field.
    Device
    		target.hostname The Device field from the raw log is mapped to the target.hostname field.
    FriendlyName
    		target.hostname The FriendlyName field from the raw log is mapped to the target.hostname field when Device is not available.
    GroupManagementData
    		security_result.description The GroupManagementData field from the raw log is mapped to the security_result.description field.
    Hmac
    		additional.fields The Hmac field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Hmac".
    LoginSessionID
    		network.session_id The LoginSessionID field from the raw log is mapped to the network.session_id field.
    LogDescription
    		metadata.description The LogDescription field from the raw log is mapped to the metadata.description field.
    MessageText
    		metadata.description The MessageText field from the raw log is mapped to the metadata.description field.
    OriginatingOrganizationGroup
    		principal.user.group_identifiers The OriginatingOrganizationGroup field from the raw log is mapped to the principal.user.group_identifiers field.
    OwnershipType
    		additional.fields The OwnershipType field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "OwnershipType".
    Profile
    		target.resource.name The Profile field from the raw log is mapped to the target.resource.name field when ProfileName is not available.
    ProfileName
    		target.resource.name The ProfileName field from the raw log is mapped to the target.resource.name field.
    Request Url
    		target.url The Request Url field from the raw log is mapped to the target.url field.
    SmartGroupName
    		target.group.group_display_name The SmartGroupName field from the raw log is mapped to the target.group.group_display_name field.
    Tags
    		additional.fields The Tags field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Tags".
    User
    		target.user.userid The User field from the raw log is mapped to the target.user.userid field. The Event Category from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Event Category". The Event Module from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Event Module". The Event Source from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Event Source". Set to "SSO" by the parser for specific events. Derived from the raw log's timestamp. The parser extracts the date and time from the raw log and converts it to a UDM timestamp. Determined by the parser based on the event_name and other fields. See parser code for the mapping logic. Set to "AIRWATCH" by the parser. The event_name from the raw log is mapped to the metadata.product_event_type field. Set to "AirWatch" by the parser. Set to "VMWare" by the parser. The domain from the raw log is mapped to the principal.administrative_domain field. The hostname is extracted from the device_name field in the raw log or mapped from the Device or FriendlyName fields. The sys_ip from the raw log is mapped to the principal.ip field. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. The user_name from the raw log is mapped to the principal.user.userid field. Extracted from the raw log for certain event types. Set by the parser for specific events. Set by the parser for specific events. The event_category from the raw log is mapped to the security_result.category_details field. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. The domain from the raw log is mapped to the target.administrative_domain field. Constructed by combining DeviceSerialNumber and DeviceUdid from the raw log for the "DeleteDeviceRequested" event. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. The sys_ip or other IP addresses from the raw log are mapped to the target.ip field. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. Set by the parser for specific events. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: