Collect Brocade switch logs

This parser extracts fields from Brocade switch logs using grok patterns matching various log formats. It then maps these extracted fields to UDM fields, handling different log structures and enriching the data with metadata like vendor and product information. The parser also performs data transformations, such as converting severity levels and handling repeated messages, before generating the final UDM output.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have CLI Admin access to the Brocade Switch.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

1. For Windows installation, run the following script:
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
2. For Linux installation, run the following script:
   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

1. Access the machine where BindPlane is installed.

2. Edit the config.yaml file as follows:

   receivers:
       tcplog:
           # Replace the below port <54525> and IP <0.0.0.0> with your specific values
           listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: Brocade_Switch
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Restart the BindPlane Agent to apply the changes:

   sudo systemctl restart bindplane
   

Configure Syslog Export from a Brocade Switch

1. Connect to the Brocade switch using SSH or Telnet with the appropriate credentials.

2. Run the following command to specify the IP address or hostname and the Port of the syslog server (Bindplane):

   syslogadmin --set -ip <IP> -port <Port>
   

   For example:

   syslogadmin --set -ip 10.10.10.10 -port 54525
   

3. Run the following command to display the configured syslog servers:

   syslogadmin --show -ip
   

UDM Mapping Table

Changes

2024-04-15

• Added support for customer specific logs.

2023-12-01

• Newly created parser.