Collect NGINX logs
==================

Supported in:
Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This NGINX parser handles JSON and syslog formatted logs. It extracts fields from various log formats and normalizes them into the UDM format. The parser enriches the event with metadata for server management and network activity, including user logins and HTTP requests. It also handles logic for SSH events and populates UDM fields based on extracted data.

Before you begin
----------------

Ensure that you have the following prerequisites:

- Google SecOps instance
- NGINX is running and generating logs
- Root access to the NGINX host machine

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings \> Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings \> Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install the Bindplane agent
---------------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

        msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

        sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure the Bindplane agent to ingest Syslog and send to Google SecOps
------------------------------------------------------------------------

1. Access the configuration file:

    1. Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

        receivers:
            udplog:
                # Replace the port and IP address as required
                listen_address: "0.0.0.0:514"

        exporters:
            chronicle/chronicle_w_labels:
                compression: gzip
                # Adjust the path to the credentials file you downloaded in Step 1
                creds: '/path/to/ingestion-authentication-file.json'
                # Replace with your actual customer ID from Step 2
                customer_id: <customer_id>
                endpoint: malachiteingestion-pa.googleapis.com
                # Add optional ingestion labels for better organization
                ingestion_labels:
                    log_type: 'NGINX'
                    raw_log_field: body

        service:
            pipelines:
                logs/source0__chronicle_w_labels-0:
                    receivers:
                        - udplog
                    exporters:
                        - chronicle/chronicle_w_labels

3. Replace the port and IP address as required in your infrastructure.

4. Replace `<customer_id>` with the actual customer ID.

5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/nginx#get-auth-file) section.

Restart the Bindplane agent to apply the changes
------------------------------------------------

- To restart the Bindplane agent in Linux, run the following command:

        sudo systemctl restart bindplane-agent

- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:

        net stop BindPlaneAgent && net start BindPlaneAgent

Identify NGINX log files location
---------------------------------

1. Typically, NGINX logs are stored in:
    - **Access logs**: `/var/log/nginx/access.log`
    - **Error logs**: `/var/log/nginx/error.log`
2. Access the NGINX host using administrative credentials.
3. Run the following command and look for the path to the logs on your NGINX host:

        sudo grep log /etc/nginx/nginx.conf

Configure NGINX to forward logs to Bindplane
--------------------------------------------

1. Open the NGINX configuration file (for example, `/etc/nginx/nginx.conf`):

        sudo vi /etc/nginx/nginx.conf

2. Edit the configuration, replacing `<BINDPLANE_SERVER>` and `<BINDPLANE_PORT>` with your values:

        http {
            access_log syslog:server=<BINDPLANE_SERVER>:<BINDPLANE_PORT>,facility=local7,tag=nginx_access;
            error_log syslog:server=<BINDPLANE_SERVER>:<BINDPLANE_PORT>,facility=local7,tag=nginx_error;
        }

3. Reload NGINX to apply the changes:

        sudo systemctl reload nginx

UDM Mapping Table
-----------------

Last updated 2025-09-04 UTC.
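The `access_log syslog:...` and `error_log syslog:...` directives in the "Configure NGINX to forward logs to Bindplane" section make NGINX emit BSD-style syslog datagrams (`<PRI>Mmm dd hh:mm:ss HOST TAG: MESSAGE`, with `PRI = facility * 8 + severity`) to the `udplog` receiver's `listen_address`. The following Python module, an added example that is not part of the Google SecOps documentation or the Bindplane project, builds such datagrams with the `facility=local7` and `tag=nginx_access` / `tag=nginx_error` values from the page, parses them back the way a collector would, and includes a loopback round-trip for smoke-testing before pointing NGINX at a real listener. The hostname `web01`, the timestamp, and the two log lines are constructed sample data; `local7` maps to facility code 23 and `info` to severity 6, so an access-log entry arrives as `<190>`.

```python
"""Build and parse the BSD syslog datagrams NGINX's syslog: log targets emit.

Added example for the NGINX -> Bindplane udplog path; not code from the
Google SecOps documentation or the Bindplane project. All sample values
(hostname, timestamp, log lines) are constructed.
"""
import re
import socket
from datetime import datetime

# RFC 3164 facility and severity codes. NGINX defaults to facility local7;
# access_log entries are sent at severity info, error_log entries at the
# severity of the logged error level.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed sample lines in NGINX's default access and error log formats.
ACCESS_LINE = ('192.0.2.10 - - [04/Sep/2025:12:00:00 +0000] '
               '"GET /login HTTP/1.1" 200 612 "-" "curl/8.0.1"')
ERROR_LINE = ('2025/09/04 12:00:01 [error] 1234#1234: *5 open() '
              '"/usr/share/nginx/html/x" failed (2: No such file or directory), '
              'client: 192.0.2.10, server: _, request: "GET /x HTTP/1.1"')

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                           # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp "Sep  4 12:00:00"
    r"(?P<host>\S+) "                                 # sending hostname
    r"(?P<tag>[^:\s]+): "                             # value of the tag= parameter
    r"(?P<msg>.*)$",                                  # the raw NGINX log line
    re.DOTALL,
)


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_datagram(message: str, tag: str, facility: str = "local7",
                   severity: str = "info", hostname: str = "web01",
                   ts: datetime = datetime(2025, 9, 4, 12, 0, 0)) -> bytes:
    """Render one datagram as NGINX does: <PRI>TIMESTAMP HOST TAG: MESSAGE.

    The BSD timestamp space-pads a single-digit day ("Sep  4").
    """
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {message}".encode()


def parse_datagram(data: bytes):
    """Split a received datagram into its syslog header fields and the log line.

    Returns None for datagrams that are not syslog or carry an impossible PRI,
    so a listener can count and drop junk instead of forwarding it.
    """
    m = _SYSLOG_RE.match(data.decode("utf-8", errors="replace"))
    if not m:
        return None
    p = int(m.group("pri"))
    if p > 191:  # max facility 23 * 8 + max severity 7
        return None
    return {
        "facility": FACILITY_NAMES.get(p // 8, str(p // 8)),
        "severity": SEVERITY_NAMES[p % 8],
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "tag": m.group("tag"),
        "message": m.group("msg"),
    }


def classify(parsed: dict) -> str:
    """Map the tags set in the NGINX config (nginx_access / nginx_error) to a stream."""
    return {"nginx_access": "access", "nginx_error": "error"}.get(parsed["tag"], "unknown")


def loopback_roundtrip(message: str, tag: str = "nginx_access"):
    """Send one datagram to a throwaway UDP listener on 127.0.0.1 and parse it back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as cli:
        srv.bind(("127.0.0.1", 0))  # ephemeral port; 514 needs root/CAP_NET_BIND_SERVICE
        srv.settimeout(2)
        cli.sendto(build_datagram(message, tag), srv.getsockname())
        data, _ = srv.recvfrom(65535)
    return parse_datagram(data)


if __name__ == "__main__":
    for line, tag, sev in ((ACCESS_LINE, "nginx_access", "info"),
                           (ERROR_LINE, "nginx_error", "err")):
        d = build_datagram(line, tag, severity=sev)
        print(d.decode())
        print(classify(parse_datagram(d)), parse_datagram(d)["severity"])
    print(loopback_roundtrip(ACCESS_LINE)["tag"])
```

Two points this makes visible for the deployment above: UDP syslog carries no authentication, so `listen_address: "0.0.0.0:514"` accepts datagrams from any host that can reach the port, and binding port 514 on Linux requires root or `CAP_NET_BIND_SERVICE`; restricting the address to the interface facing NGINX, or choosing an unprivileged port and firewalling it to the NGINX host, limits both exposure and the privilege the agent needs.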