如要在 Windows 上安裝,請執行下列指令碼: msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet。
如要在 Linux 上安裝,請執行下列指令碼: sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh。
receivers:
tcplog:
# Replace the below port <54525> and IP <0.0.0.0> with your specific values
listen_address: "0.0.0.0:54525"
exporters:
chronicle/chronicle_w_labels:
compression: gzip
# Adjust the creds location below according the placement of the credentials file you downloaded
creds: '{ json file for creds }'
# Replace <customer_id> below with your actual ID that you copied
customer_id: <customer_id>
endpoint: malachiteingestion-pa.googleapis.com
# You can apply ingestion labels below as preferred
ingestion_labels:
log_type: SYSLOG
namespace: auditd
raw_log_field: body
service:
pipelines:
logs/source0__chronicle_w_labels-0:
receivers:
- tcplog
exporters:
- chronicle/chronicle_w_labels
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThis guide details how to collect Apple macOS syslog data for Google SecOps, utilizing a parser that extracts key information like timestamp, hostname, and process details.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves using Bindplane Agent to ingest syslog data, which requires configuration of \u003ccode\u003econfig.yaml\u003c/code\u003e to specify the receiver port, customer ID, and credential details, and then restarting it.\u003c/p\u003e\n"],["\u003cp\u003eSyslog-ng needs to be installed and configured on macOS to export syslog data, which is done through editing the \u003ccode\u003esyslog-ng.conf\u003c/code\u003e file to route logs to the Bindplane Agent's IP and port.\u003c/p\u003e\n"],["\u003cp\u003eThe parser uses grok patterns to map extracted data from macOS syslog messages into the Unified Data Model (UDM), categorizing events as either \u003ccode\u003eSTATUS_UPDATE\u003c/code\u003e or \u003ccode\u003eGENERIC_EVENT\u003c/code\u003e based on the presence of a hostname.\u003c/p\u003e\n"],["\u003cp\u003ePrerequisites include having a Google Security Operations instance, root access to the Auditd host, and proper installation of rsyslog and Bindplane Agent, in addition to having the corresponding firewall ports open.\u003c/p\u003e\n"]]],[],null,["# Collect Apple macOS syslog data\n===============================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser uses grok patterns to extract fields from Apple macOS syslog messages and populates the Unified Data Model (UDM) with the extracted values, including the timestamp, hostname, intermediary host, command line, process ID, and description. The parser categorizes the event as `STATUS_UPDATE` if a hostname is present; otherwise, it assigns the category `GENERIC_EVENT` to the event. Finally, the parser enriches the UDM event with vendor and product information.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you have root access to the Auditd host.\n- Ensure that you installed rsyslog on the Auditd host.\n- Ensure that you have a Windows 2012 SP2 or later or Linux host with systemd.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Collection Agent**.\n3. Download the **Ingestion Authentication File**.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n1. For **Windows installation** , run the following script: \n `msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet`.\n2. For **Linux installation** , run the following script: \n `sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh`.\n3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the machine where Bindplane Agent is installed.\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: auditd\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Restart Bindplane Agent to apply the changes using the following command:\n `sudo systemctl bindplane restart`\n\nExporting Syslog from macOS\n---------------------------\n\n1. Install `syslog-ng` using Homebrew:\n\n brew install syslog-ng\n\n2. Configure syslog-ng:\n\n - Edit `syslog-ng.conf` file (usually located at `/usr/local/etc/syslog-ng/syslog-ng.conf`):\n\n sudo vi /usr/local/etc/syslog-ng/syslog-ng.conf\n\n - Add the following configuration block.\n - Depending on the Bindplane configuration, you can change the delivery method to `tcp` or leave it as `udp`.\n - Replace `\u003cBindPlaneAgent_IP\u003e` and `\u003cBindPlaneAgent_Port\u003e` with the actual IP address and port of your Bindplane Agent:\n\n source s_local { system(); internal(); };\n destination d_secops { tcp(\"\u003cBindPlaneAgent_IP\u003e:\u003cBindPlaneAgent_Port\u003e\"); };\n log { source(s_local); destination(d_secops); };\n\n3. Restart the `syslog-ng` service:\n\n brew services restart syslog-ng\n\n4. Check the status of `syslog-ng` (you should see `syslog-ng` listed as started):\n\n brew services list\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
