Collect IBM Verify Identity Access logs

This document describes how to collect IBM Verify Identity Access logs. The parser extracts common fields using Grok patterns and leverages XML parsing for detailed event information embedded within the description field, ultimately mapping extracted data to the Unified Data Model (UDM) for standardized security event representation.

Before you begin

Make sure you have the following prerequisites:

• Google SecOps instance
• Windows 2016 or later, or a Linux host with systemd
• If running behind a proxy, firewall ports are open
• Privileged access to IBM Verify Identity Access (IVIA)

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
   

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:
   • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   • Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       udplog:
           # Replace the port and IP address as required
           listen_address: "0.0.0.0:514"
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the path to the credentials file you downloaded in Step 1
           creds_file_path: '/path/to/ingestion-authentication-file.json'
           # Replace with your actual customer ID from Step 2
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # Add optional ingestion labels for better organization
           log_type: 'IBM_SVA'
           raw_log_field: body
           ingestion_labels:
   
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - udplog
               exporters:
                   - chronicle/chronicle_w_labels
   

   • Replace the port and IP address as required in your infrastructure.
   • Replace <customer_id> with the actual customer ID.
   • Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

1. To restart the Bindplane agent in Linux, run the following command:

   sudo systemctl restart bindplane-agent
   

2. To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

   net stop BindPlaneAgent && net start BindPlaneAgent
   

Configure Syslog Forwarding in IVIA

1. Sign in to IBM Security Verify Governance.
2. Go to Monitor > Logs > Remote Syslog Forwarding.
3. In the Remote Syslog Forwarding page, click Add.
4. Provide the following configuration details:
   • Server: Enter the Bindplane agent IP address.
   • Port: Enter the Bindplane agent port number.
   • Protocol: Select UDP (the other possible option is TCP, depending on your Bindplane agent configuration).
   • Format: Select the format (BSD Syslog Protocol or Syslog Protocol) in which you want to send the system logs.
5. Click Save Configuration.

Configure Log Sources for the remote log server

1. In the Remote Syslog Forwarding page, click the Sources tab.
2. Provide the following configuration details:
   • Name: Select a log source from the drop-down list.
   • Instance Name: The option is only available if you select Name as IsimNode.
   • Log File: When you select Name as IsimNodes, Install logs, or IsimDmgr then the respective logs file is automatically shown in the drop-down.
   • Tag: This tag name must be unique across all the sources, and must not contain any space (for example: My_Tag or MyTag).
   • Facility: Select a category name for the system log to be forwarded.
   • Severity: Select Informational.
3. Click Save Configuration.

Need more help? Get answers from Community members and Google SecOps professionals.