Collect HPE iLO logs

Supported in:

Google secops SIEM

This document explains how to ingest the HPE iLO (Hewlett Packard Enterprise Integrated Lights-Out) logs to Google Security Operations using Bindplane. The parser code first attempts to parse the raw log message as JSON. If that fails, it uses regular expressions (grok patterns) to extract fields from the message based on common HP iLO log formats.

Before you begin

Ensure that you have the following prerequisites:

Google SecOps instance
Windows 2016 or later or Linux host with systemd
If running behind a proxy, firewall ports are open
Privileged access to HPE iLO

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the configuration file:
- Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

        receivers:
            udplog:
                # Replace the port and IP address as required
                listen_address: "0.0.0.0:514"

        exporters:
            chronicle/chronicle_w_labels:
                compression: gzip
                # Adjust the path to the credentials file you downloaded in Step 1
                creds: '/path/to/ingestion-authentication-file.json'
                # Replace with your actual customer ID from Step 2
                customer_id: <customer_id>
                endpoint: malachiteingestion-pa.googleapis.com
                # Add optional ingestion labels for better organization
                ingestion_labels:
                    log_type: HPE_ILO
                    raw_log_field: body

        service:
            pipelines:
                logs/source0__chronicle_w_labels-0:
                    receivers:
                        - udplog
                    exporters:
                        - chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:
```
sudo systemctl restart bindplane-agent
```
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
```
net stop BindPlaneAgent && net start BindPlaneAgent
```

Configure Syslog in HP iLO

Sign in to the HPE iLO web UI.
Go to Management > Remote Syslog tab.
Click Enable iLO Remote Syslog.
Provide the following configuration details:
- Remote Syslog Port: Enter the Bindplane port number (for example, 514).
- Remote Syslog Server: Enter the Bindplane IP address.
Click Send Test Syslog and validate it was received in Google SecOps.
Click Apply.

UDM mapping table

Log field	UDM mapping	Logic
`data`		This field is parsed and mapped to various UDM fields based on its content.
`data.HOSTNAME`	principal.hostname	Mapped when the first grok pattern in the "message" field matches, or when the "description" field contains "Host". Determines if event_type is STATUS_UPDATE.
`data.HOSTNAME`	network.dns.questions.name	Populated by grok pattern matching "DATA" in "message". Used to populate dns.questions if not empty and doesn't contain "(?i)not found".
`data.HOSTNAME`	target.user.user_display_name	Populated by grok pattern matching "DATA" in "message".
`data.IP`	target.ip	Populated by grok patterns matching "IP" in "message" or "summary".
`data.WORD`	metadata.product_event_type	Populated by grok pattern matching "WORD" in "message".
`data.GREEDYDATA`	security_result.summary	Populated by grok pattern matching "GREEDYDATA" in "message". Used to determine network.application_protocol and event_type based on its content.
`data.TIMESTAMP_ISO8601`	metadata.event_timestamp	Populated by the date plugin based on various timestamp formats.
`data.MONTHNUM`		Not Mapped
`data.MONTHDAY`		Not Mapped
`data.YEAR`		Not Mapped
`data.TIME`		Not Mapped
`data.HOST`	principal.hostname	Mapped when the second grok pattern in the "message" field matches.
`data.INT`		Not Mapped
`data.UserAgent`	network.http.user_agent	Mapped when the `description` field contains `User-Agent`.
`data.Connection`	security_result.description	Mapped when the `description` field contains `Connection`.
N/A	metadata.event_type	Defaults to `GENERIC_EVENT`. Changes to `STATUS_UPDATE` if `data.HOSTNAME` is successfully mapped to principal.hostname, `NETWORK_DNS` if `question` is populated, or `USER_LOGIN` if `summary` contains `Browser login`.
N/A	metadata.vendor_name	Hardcoded to `HP`.
N/A	metadata.log_type	Set to `HPE_ILO`.
N/A	network.application_protocol	Set to `LDAP` if `summary` contains `LDAP`, or `DNS` if `question` is populated.
N/A	extensions.auth.type	Set to `MACHINE` if `summary` contains `Browser login`.

Need more help? Get answers from Community members and Google SecOps professionals.