This document explains how to ingest the Claroty xDome logs to
Google Security Operations by using a Bindplane agent. The parser processes the logs
in JSON format, transforming them into the Unified Data Model (UDM). It cleans
the input, parses the JSON data, maps fields to UDM, handles specific event types
and severities, and enriches the UDM with additional metadata and details.
Before you begin
Make sure you have the following prerequisites:
A Google SecOps instance
A Windows 2016 or later, or a Linux host with systemd
If running behind a proxy, firewall ports are open
Privileged access to Claroty xDome
Get Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the
system where Bindplane will be installed.
Get Google SecOps customer ID
Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system
according to the following instructions.
Windows installation
Open the Command Prompt or PowerShell as an administrator.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
Access the configuration file:
Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
Open the file using a text editor (for example, nano, vi, or Notepad).
Edit the config.yaml file as follows:
receivers:udplog:# Replace the port and IP address as requiredlisten_address:"0.0.0.0:514"exporters:chronicle/chronicle_w_labels:compression:gzip# Adjust the path to the credentials file you downloaded in Step 1creds_file_path:'/path/to/ingestion-authentication-file.json'# Replace with your actual customer ID from Step 2customer_id:<customer_id>
endpoint:malachiteingestion-pa.googleapis.com# Add optional ingestion labels for better organizationlog_type:'CLAROTY_XDOME'raw_log_field:bodyservice:pipelines:logs/source0__chronicle_w_labels-0:receivers:-udplogexporters:-chronicle/chronicle_w_labels
Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
To restart the Bindplane agent in Linux, run the following command:
sudosystemctlrestartbindplane-agent
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Syslog on Claroty xDome
Sign in to the Claroty xDome Web UI.
Click the Settings tab in the navigation bar.
Select System Settings from the menu.
Click My Integrations in the Integrations section.
Click Add Integration.
Select Internal Services from the Category menu.
Select SIEM and Syslog from the Integration menu.
Click Add.
Enter the following configuration details:
Destination IP: Enter the Bindplane agent IP address.
Transport Protocol: Select UDP (you can also select TCP, or TLS depending on your Bindplane configuration).
If you select the TLS security protocol, do the following:
Check the Check Hostnames option to verify if the server's hostname matches any of the names present in the X. 509 certificate.
Check the Use Custom Certificate Authority option to use a custom Certificate Authority (CA) instead of the default CA. Upload the custom certificate file or insert the certificate (in PEM format) into the space provided.
Destination Port: The default value for TCP, TLS, and UDP is 514. (Hover over the field to use the clickable arrows to select a different destination port).
Advanced Options: Enter the following settings:
Message Format: Select JSON.
Syslog Protocol Standard: Select RFC 5424 or RFC 3164.
Integration Name: Enter a meaningful name for the integration (for example, Google SecOps syslog).
Deployment options: Select Run from the collection server or Run from the cloud option, depending on your xDome configuration.
Go to the Integration Tasks parameters.
Turn on the Export Claroty xDome Communication Events Using Syslog option to enable exporting Claroty xDome communication events.
From the Event Types Selection menu, click Select All.
Choose the device conditions to export: Select All Devices option to export the communication event data of all affected devices.
Turn on the Export Claroty xDome Device Changes Alerts Change Log to Syslog option to export Claroty xDome change events.
In the Change Event Types Selection menu, select the change event types you want to export.
Choose the device conditions you want to export: Select All Devices to export the change event data of all the affected devices.
Turn on the Export Claroty xDome Alert Information for Affected Devices Using Syslog option to export alert information for any alert type, including custom alerts.
From alert types, click Select All.
Turn on the Export Claroty xDome Vulnerability Information for Affected Devices Using Syslog option to export Claroty xDome vulnerability types.
In the Vulnerability Types Selection menu, select the Vulnerability types you want to export.
Specify the CVSS Threshold number. This parameter lets you set a CVSS threshold to send a vulnerability using Syslog. (Only vulnerabilities greater or equal to this threshold will be exported. The threshold will revert to the CVSS V3 Base Score by default and CVSS V2 Base Score if the CVSS V3 score is unknown).
Choose the device conditions to export: Select All Devices to export the data of all affected devices.
Turn on the Export Claroty xDome Server Incidents Information to Syslog option to export Claroty xDome server incidents.
Select the collection server types you want to export from the Collection Server Selection menu.
Select the server incidents you want to export on the Server Incidents Selection menu.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-07 UTC."],[],[],null,["# Collect Claroty xDome logs\n==========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest the Claroty xDome logs to\nGoogle Security Operations by using a Bindplane agent. The parser processes the logs\nin JSON format, transforming them into the Unified Data Model (UDM). It cleans\nthe input, parses the JSON data, maps fields to UDM, handles specific event types\nand severities, and enriches the UDM with additional metadata and details.\n\nBefore you begin\n----------------\n\nMake sure you have the following prerequisites:\n\n- A Google SecOps instance\n- A Windows 2016 or later, or a Linux host with `systemd`\n- If running behind a proxy, firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open\n- Privileged access to Claroty xDome\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall the Bindplane agent\n---------------------------\n\nInstall the Bindplane agent on your Windows or Linux operating system\naccording to the following instructions.\n\n### Windows installation\n\n1. Open the **Command Prompt** or **PowerShell** as an administrator.\n2. Run the following command:\n\n msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet\n\n### Linux installation\n\n1. Open a terminal with root or sudo privileges.\n2. Run the following command:\n\n sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh\n\n### Additional installation resources\n\nFor additional installation options, consult the [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure the Bindplane agent to ingest Syslog and send to Google SecOps\n------------------------------------------------------------------------\n\n1. Access the configuration file:\n - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.\n - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n udplog:\n # Replace the port and IP address as required\n listen_address: \"0.0.0.0:514\"\n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the path to the credentials file you downloaded in Step 1\n creds_file_path: '/path/to/ingestion-authentication-file.json'\n # Replace with your actual customer ID from Step 2\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # Add optional ingestion labels for better organization\n log_type: 'CLAROTY_XDOME'\n raw_log_field: body\n\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - udplog\n exporters:\n - chronicle/chronicle_w_labels\n\n - Replace the port and IP address as required in your infrastructure.\n - Replace `\u003ccustomer_id\u003e` with the actual customer ID.\n - Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/claroty-xdome#get-auth-file) section.\n\nRestart the Bindplane agent to apply the changes\n------------------------------------------------\n\n- To restart the Bindplane agent in Linux, run the following command:\n\n sudo systemctl restart bindplane-agent\n\n- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:\n\n net stop BindPlaneAgent && net start BindPlaneAgent\n\nConfigure Syslog on Claroty xDome\n---------------------------------\n\n1. Sign in to the **Claroty xDome** Web UI.\n2. Click the **Settings** tab in the navigation bar.\n3. Select **System Settings** from the menu.\n4. Click **My Integrations** in the **Integrations** section.\n5. Click **Add Integration**.\n6. Select **Internal Services** from the **Category** menu.\n7. Select **SIEM** and **Syslog** from the **Integration** menu.\n8. Click **Add**.\n9. Enter the following configuration details:\n 1. **Destination IP**: Enter the Bindplane agent IP address.\n 2. **Transport Protocol** : Select **UDP** (you can also select TCP, or TLS depending on your Bindplane configuration).\n 3. If you select the TLS security protocol, do the following:\n - Check the **Check Hostnames** option to verify if the server's hostname matches any of the names present in the **X. 509 certificate**.\n - Check the **Use Custom Certificate Authority** option to use a custom Certificate Authority (CA) instead of the default CA. Upload the custom certificate file or insert the certificate (in PEM format) into the space provided.\n 4. **Destination Port** : The default value for TCP, TLS, and UDP is **514**. (Hover over the field to use the clickable arrows to select a different destination port).\n 5. **Advanced Options** : Enter the following settings:\n - **Message Format** : Select **JSON**.\n - **Syslog Protocol Standard** : Select **RFC 5424** or **RFC 3164**.\n 6. **Integration Name** : Enter a meaningful name for the integration (for example, `Google SecOps syslog`).\n 7. **Deployment options** : Select **Run from the collection server** or **Run from the cloud** option, depending on your xDome configuration.\n10. Go to the **Integration Tasks** parameters.\n11. Turn on the **Export Claroty xDome Communication Events Using Syslog** option to enable exporting Claroty xDome communication events.\n12. From the **Event Types Selection** menu, click **Select All**.\n13. **Choose the device conditions to export** : Select **All Devices** option to export the communication event data of all affected devices.\n\n | **Note:** To receive OT Activity events through Syslog, it's necessary to create and enable OT Activity Alerts for the relevant event types. This is because xDome only sends events related to alerts for OT Activity.\n14. Turn on the **Export Claroty xDome Device Changes Alerts Change Log to Syslog** option to export Claroty xDome change events.\n\n15. In the **Change Event Types Selection** menu, select the **change event types** you want to export.\n\n16. **Choose the device conditions you want to export** : Select **All Devices** to export the change event data of all the affected devices.\n\n17. Turn on the **Export Claroty xDome Alert Information for Affected Devices Using Syslog** option to export alert information for any alert type, including custom alerts.\n\n18. From alert types, click **Select All**.\n\n19. Turn on the **Export Claroty xDome Vulnerability Information for Affected Devices Using Syslog** option to export Claroty xDome vulnerability types.\n\n20. In the **Vulnerability Types Selection** menu, select the **Vulnerability types** you want to export.\n\n21. Specify the **CVSS Threshold** number. This parameter lets you set a CVSS threshold to send a vulnerability using Syslog. (Only vulnerabilities greater or equal to this threshold will be exported. The threshold will revert to the CVSS V3 Base Score by default and CVSS V2 Base Score if the CVSS V3 score is unknown).\n\n22. **Choose the device conditions to export** : Select **All Devices** to export the data of all affected devices.\n\n23. Turn on the **Export Claroty xDome Server Incidents Information to Syslog** option to export Claroty xDome server incidents.\n\n24. Select the collection server types you want to export from the **Collection Server Selection** menu.\n\n25. Select the server incidents you want to export on the **Server Incidents Selection** menu.\n\n26. Click **Apply** to save the configuration settings.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]