Collect BMC Helix Discovery logs

This parser extracts fields from BMC Helix Discovery syslog messages using grok patterns. It focuses on login/logout events and status updates. It maps extracted fields like timestamps, usernames, source IPs, and descriptions to the UDM. Events are categorized based on the extracted product_event_type and log details.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows Server 2016 or later, or a Linux host with systemd.
  • If the agent runs behind a proxy, ensure that the firewall allows outbound connections to the Google SecOps ingestion endpoint.
  • Ensure that you have privileged (root) access to the BMC Helix Discovery appliance.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

  1. For Windows installation, run the following script:
    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
  2. For Linux installation, run the following script:
    sudo sh -c "$(curl -fsSL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
  3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

  1. Access the machine where BindPlane is installed.
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the below port <54525> and IP <0.0.0.0> with your specific values.
            # The rsyslog rule on the appliance must forward over TCP (@@) to this same port;
            # prefer binding to the interface the appliance reaches rather than 0.0.0.0.
            listen_address: "0.0.0.0:54525"
    
    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Replace with the contents of the ingestion authentication file you downloaded
            # (or point creds_file_path at the file instead of pasting it here)
            creds: '{ json file for creds }'
            # Replace <customer_id> below with the Customer ID you copied
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Use the BMC_HELIX_DISCOVERY log type so that the parser described on this page is applied
            log_type: BMC_HELIX_DISCOVERY
            namespace: BMC_HELIX_DISCOVERY
            raw_log_field: body
            # You can apply ingestion labels below as preferred
            ingestion_labels:
    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels
    
  3. Restart the BindPlane Agent to apply the changes (the Linux installer registers the collector as the observiq-otel-collector service):

    sudo systemctl restart observiq-otel-collector
    

Export Syslog from BMC Helix Discovery

  1. Access the BMC Discovery appliance as the root user.
  2. Edit the syslog configuration file /etc/rsyslog.conf and add the following entry at the top. Replace the IP address and port with those of the host running the BindPlane Agent. Use @@ so that rsyslog forwards over TCP to the tcplog receiver configured above; a single @ sends UDP to port 514, which that receiver does not listen on.

    # Send everything to the remote syslog server
    *.* @@192.168.1.100:54525
    
  3. Restart the syslog service on the appliance:

    sudo /usr/bin/systemctl restart rsyslog.service
    
  4. Test the forwarding configuration by using the logger utility to send a syslog message:

    logger this is a test of remote logging
    
  5. Verify that the message was written to the local log. This confirms that rsyslog received it; delivery to the collector is confirmed in the next step.

    su -
    Password:
    
    tail -n5 /var/log/messages
    Jan 17 11:42:10 localhost seclab: this is a test of remote logging
    
  6. Sign in to Google SecOps and check that the same message appears.
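The steps above only work when the rsyslog rule on the appliance and the BindPlane receiver agree on transport and port; the usual cause of "nothing shows up in SecOps" is a rule such as `*.* @192.168.1.100`, which sends UDP to port 514 while the tcplog receiver listens on TCP 54525. The following script is an added example, not part of BindPlane, rsyslog or BMC Discovery. It parses both fragments with regular expressions (no PyYAML needed), reports mismatches, and embeds a constructed copy of the receiver block from the config.yaml shown above as its sample input.

```python
"""Cross-check an rsyslog forwarding rule against a BindPlane tcplog/udplog receiver.

Added example for this page (not vendor code). Supports the legacy rsyslog
forwarding syntax used above: "*.* @host" is UDP, "*.* @@host" is TCP, and an
optional ":port" overrides the default of 514.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# selector, '@' or '@@', host (IPv4, hostname or bracketed IPv6), optional ':port'
_RSYSLOG_FWD = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>\[[^\]]+\]|[^\s:]+)(?::(?P<port>\d+))?\s*$"
)
_LISTEN = re.compile(r'listen_address:\s*"?(?P<ip>[^":\s]+):(?P<port>\d+)"?')


@dataclass(frozen=True)
class Endpoint:
    transport: str  # "tcp" or "udp"
    host: str
    port: int


def parse_rsyslog_forward(rule: str) -> Endpoint:
    """Return where a legacy rsyslog forwarding rule sends messages."""
    m = _RSYSLOG_FWD.match(rule)
    if not m:
        raise ValueError(f"not a legacy rsyslog forwarding rule: {rule!r}")
    transport = "tcp" if m.group("at") == "@@" else "udp"
    port = int(m.group("port") or 514)  # rsyslog default when no port is given
    return Endpoint(transport, m.group("host").strip("[]"), port)


def parse_bindplane_receiver(config_text: str) -> Endpoint:
    """Return the first tcplog/udplog receiver's listen address from config.yaml text."""
    kind = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line in ("tcplog:", "udplog:"):
            kind = line[:-1]
            continue
        m = _LISTEN.match(line)
        if m and kind:
            return Endpoint("tcp" if kind == "tcplog" else "udp", m.group("ip"), int(m.group("port")))
    raise ValueError("no tcplog/udplog receiver with a listen_address found")


def check_forwarding(rsyslog_rule: str, config_text: str) -> list[str]:
    """Return a list of mismatches between the sender and the receiver (empty means they agree)."""
    fwd = parse_rsyslog_forward(rsyslog_rule)
    rcv = parse_bindplane_receiver(config_text)
    problems: list[str] = []
    if fwd.transport != rcv.transport:
        problems.append(
            f"transport mismatch: rsyslog sends {fwd.transport} ('@' is UDP, '@@' is TCP) "
            f"but the receiver is {rcv.transport}log"
        )
    if fwd.port != rcv.port:
        problems.append(f"port mismatch: rsyslog sends to {fwd.port} but the receiver listens on {rcv.port}")
    return problems


# Constructed sample input: the receiver block from the config.yaml shown above.
BINDPLANE_CONFIG = """\
receivers:
    tcplog:
        # Replace the below port <54525> and IP <0.0.0.0> with your specific values
        listen_address: "0.0.0.0:54525"
"""

if __name__ == "__main__":
    for rule in ("*.* @192.168.1.100", "*.* @@192.168.1.100:54525"):
        problems = check_forwarding(rule, BINDPLANE_CONFIG)
        print(f"{rule:<28} -> {'OK' if not problems else '; '.join(problems)}")
```

Run it against your own `/etc/rsyslog.conf` line and `config.yaml` before opening the SecOps console; the first constructed rule reports both a transport and a port mismatch, the second reports none.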

UDM Mapping Table

Log Field | UDM Mapping | Logic
data | metadata.description | The description of the event, extracted from the log message.
data | metadata.product_event_type | The raw event type, extracted from the log message.
data | principal.ip | The source IP address, extracted from the description field in the log message.
data | security_result.summary | A summary of the event, extracted from the log message.
data | target.user.userid | The username, extracted from the log message.
- | (UDM field name not preserved on this page) | An empty object is created by the parser.
- | metadata.event_timestamp | Copied from the top-level timestamp field in the raw log.
- | metadata.event_type | Determined by the parser from product_event_type and desc. If product_event_type is "logon" or desc contains "logged on", it is set to USER_LOGIN. If product_event_type is "logoff" or desc contains "logged off", it is set to USER_LOGOUT. Otherwise, if src_ip is present, it is set to STATUS_UPDATE. Defaults to GENERIC_EVENT.
- | metadata.log_type | Hardcoded to "BMC_HELIX_DISCOVERY".
- | metadata.product_name | Hardcoded to "BMC_HELIX_DISCOVERY".
- | metadata.vendor_name | Hardcoded to "BMC_HELIX_DISCOVERY".
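The event_type rules in the table are the part of this parser a detection engineer most needs to be able to reason about (a "logged off" description, for example, wins over a non-matching product_event_type). The script below is an added reference implementation of those rules, not the Google SecOps parser itself. The syslog layout its regex expects (a syslog header followed by `type=`, an optional `user=` and a `desc=` field) is an assumption made for the demo and is not the documented BMC Helix Discovery message format; the sample lines are constructed. Only the decision rules and the hardcoded vendor, product and log_type values come from the table.

```python
"""Reference implementation of the UDM mapping table's event_type logic.

Added example for this page; the real parser uses grok patterns over the
vendor's message format, which this demo does not know. The input layout
below ("type=<event> [user=<name>] desc=<text>") is an assumption.
"""
from __future__ import annotations

import re
from typing import Optional

# Assumed layout: "<Mon DD HH:MM:SS> <host> <program>: type=<event> [user=<name>] desc=<text>"
_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[^:]+): "
    r"type=(?P<type>\S+)(?: user=(?P<user>\S+))? desc=(?P<desc>.*)$"
)
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

HARDCODED = "BMC_HELIX_DISCOVERY"  # metadata.vendor_name, product_name and log_type per the table


def classify(product_event_type: str, desc: str, src_ip: Optional[str]) -> str:
    """Apply the table's rules in order; the first matching rule wins."""
    pet = (product_event_type or "").lower()
    text = (desc or "").lower()
    if pet == "logon" or "logged on" in text:
        return "USER_LOGIN"
    if pet == "logoff" or "logged off" in text:
        return "USER_LOGOUT"
    if src_ip:
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def to_udm(line: str) -> dict:
    """Map one syslog line to a nested dict shaped like the UDM fields in the table."""
    event: dict = {
        "metadata": {"vendor_name": HARDCODED, "product_name": HARDCODED, "log_type": HARDCODED}
    }
    m = _LINE.match(line)
    if not m:
        # Lines the regex does not recognise are kept rather than dropped silently.
        event["metadata"]["event_type"] = "GENERIC_EVENT"
        event["metadata"]["description"] = line
        return event
    desc = m.group("desc")
    # The table sources principal.ip from the description, not from the syslog header.
    ip_match = _IPV4.search(desc)
    src_ip = ip_match.group(0) if ip_match else None
    md = event["metadata"]
    md["event_timestamp"] = m.group("ts")
    md["product_event_type"] = m.group("type")
    md["description"] = desc
    md["event_type"] = classify(m.group("type"), desc, src_ip)
    if m.group("user"):
        event["target"] = {"user": {"userid": m.group("user")}}
    if src_ip:
        event["principal"] = {"ip": [src_ip]}
    event["security_result"] = [{"summary": desc}]  # demo uses the description as the summary
    return event


# Constructed sample lines in the assumed layout (not real appliance output).
SAMPLE_LINES = [
    "Jan 17 11:42:10 discovery appliance: type=logon user=alice desc=User alice logged on from 10.0.0.5",
    "Jan 17 11:50:02 discovery appliance: type=logoff user=alice desc=User alice logged off",
    "Jan 17 12:00:00 discovery appliance: type=scan desc=Scan started from 10.0.0.5",
    "Jan 17 12:05:00 discovery appliance: type=info desc=Baseline check completed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        udm = to_udm(line)
        print(f"{udm['metadata']['event_type']:<14} {line}")
```

Because the "logged on" / "logged off" checks are substring matches on the description, any message whose free text happens to contain those phrases is classified as a login or logout regardless of its product_event_type; keep that in mind when writing rules that key on USER_LOGIN or USER_LOGOUT from this source.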

Changes

2022-08-29

  • Newly created parser.