Collect Nutanix Prism logs
==========================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

> **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

- This parser ingests and processes Nutanix Prism logs in both JSON and syslog formats, normalizing them into UDM (Unified Data Model).
- The parser enriches log data with context such as user information, network details, and security severity, and categorizes events into UDM event types like `USER_LOGIN`, `STATUS_UPDATE`, and `GENERIC_EVENT`.
- Setting up this integration requires a Google SecOps instance, privileged access to Nutanix Prism Central, and a Windows or Linux host, along with configuring the Bindplane Agent for syslog ingestion and communication with Google SecOps.
- Nutanix Prism must be configured to send syslog over TCP to the Bindplane Agent after the agent is set up to communicate with Google SecOps; the Prism configuration requires specifying server details, data sources, and severity levels.
- UDM mapping defines how fields from Nutanix Prism logs are transformed into the Unified Data Model, including event timestamps, host information, user details, and security findings.

Overview
--------

This parser processes Nutanix Prism logs, handling both JSON and syslog formats. It extracts fields from the various log structures, normalizes them into UDM, and enriches the data with additional context such as user information, network details, and security severity. The parser also performs specific actions based on the HTTP method and log level, categorizing events into UDM event types like **USER_LOGIN**, **STATUS_UPDATE**, and **GENERIC_EVENT**.

Before you begin
----------------

- Ensure that you have a Google SecOps instance.
- Ensure that you have privileged access to Nutanix Prism Central.
- Ensure that you have a Windows 2012 SP2 or later host, or a Linux host with systemd.
- If running behind a proxy, ensure that the firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings** > **Collection Agents**.
3. Download the **Ingestion Authentication File**.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings** > **Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install Bindplane Agent
-----------------------

1. For **Windows installation**, run the following command: `msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet`
2. For **Linux installation**, run the following command: `sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh`
3. Additional installation options are described in the [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the machine where the Bindplane Agent is installed.
2. Edit the `config.yaml` file as follows:

   ```yaml
   receivers:
     tcplog:
       # Replace the port (54525) and listen IP (0.0.0.0) with your values.
       # 0.0.0.0 accepts connections on every interface and the listener is
       # unauthenticated and unencrypted: bind to the address Prism Central
       # reaches and restrict inbound access to this port to Prism Central.
       listen_address: "0.0.0.0:54525"

   exporters:
     chronicle/chronicle_w_labels:
       compression: gzip
       # Paste the contents of the ingestion authentication JSON file you
       # downloaded (or set creds_file_path to its location on disk instead).
       creds: '{ json file for creds }'
       # Replace <customer_id> with the Customer ID you copied.
       customer_id: <customer_id>
       endpoint: malachiteingestion-pa.googleapis.com
       # Add ingestion labels as key: value pairs here as preferred.
       ingestion_labels: {}
       log_type: SYSLOG
       namespace: Namespace
       raw_log_field: body

   service:
     pipelines:
       logs/source0__chronicle_w_labels-0:
         receivers:
           - tcplog
         exporters:
           - chronicle/chronicle_w_labels
   ```

3. Restart the Bindplane Agent to apply the changes (the service name is the one installed by the script above): `sudo systemctl restart observiq-otel-collector`

Exporting Syslog from Nutanix Prism
-----------------------------------

1. Sign in to Prism Central using a privileged account.
2. Select **Prism Central Settings** from the menu.
3. Go to **Syslog Server**.
4. Click **+ Configure Syslog Server**.
5. Specify values for the input parameters in the **Syslog Servers** dialog:
   - **Server Name**: Enter a name for the server (for example, **Google SecOps Bindplane Server**).
   - **IP Address**: Enter the IP address of your Bindplane Agent.
   - **Port**: Enter the port on which the Bindplane Agent is listening (54525 in the configuration above).
   - **Transport Protocol**: Select **TCP**.
   - Click **Configure**.
6. Click **+ Edit** on the **Data Sources** option.
7. Specify values for the input parameters in the **Data Sources and Respective Severity Level** dialog:
   - Select **API Audit**, **Audit** and **Flow**.
   - Set the Severity Level for each to **6 - Informational**.
   - Click **Save**.

UDM Mapping Table
-----------------

Last updated 2025-09-04 (UTC).

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)
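End-to-end check for the receiver and Prism Central export steps above. This is an added example, not code from the Google SecOps page, the Bindplane project or Nutanix. It frames events the way the `tcplog` receiver consumes them (one record per newline-terminated line) as RFC 3164 syslog with the Informational severity the procedure sets, sends them over TCP, and includes a loopback listener so the framing can be verified offline before touching the agent. The host name, user names and message bodies are constructed, because the page does not specify Prism Central's exact message format, and `<agent-ip>` in the usage note is a placeholder for your agent's address.

```python
"""Loopback and live check for a Bindplane tcplog syslog receiver (added example)."""
import socket
import threading
from datetime import datetime, timezone
from typing import List, Optional

# Fixed timestamp so the framed output is reproducible.
FIXED_TIME = datetime(2025, 9, 4, 12, 0, 5, tzinfo=timezone.utc)

# Constructed sample events; real Prism Central message bodies will differ.
SAMPLE_EVENTS = [
    "audit: user=admin action=login status=success client=10.0.0.5",
    "api_audit: user=svc-backup method=POST path=/api/nutanix/v3/vms status=202",
]


def build_syslog_line(message: str, hostname: str = "prism-central", app: str = "nutanix",
                      facility: int = 1, severity: int = 6,
                      when: Optional[datetime] = None) -> bytes:
    """Frame one event as an RFC 3164 line terminated by a newline.

    PRI is facility*8 + severity; severity 6 is Informational, the level the
    procedure sets for each Prism data source. Embedded CR/LF are replaced
    because the tcplog receiver splits records on newline, so a message that
    carried one would arrive in Google SecOps as two half-records.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now(timezone.utc)
    timestamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 space-pads the day
    body = message.replace("\r", " ").replace("\n", " ")
    return f"<{facility * 8 + severity}>{timestamp} {hostname} {app}: {body}\n".encode()


def sample_frames(when: datetime = FIXED_TIME) -> List[bytes]:
    """The constructed sample events, framed and ready to send."""
    return [build_syslog_line(m, when=when) for m in SAMPLE_EVENTS]


def send_syslog(host: str, port: int, frames: List[bytes], timeout: float = 5.0) -> int:
    """Send already-framed lines over one TCP connection; return the byte count sent."""
    payload = b"".join(frames)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


def run_loopback_check(frames: List[bytes]) -> List[bytes]:
    """Stand up a throwaway listener on 127.0.0.1, send the frames through it and
    return the records a newline-splitting receiver would see."""
    records: List[bytes] = []
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port; the real agent uses listen_address
    server.listen(1)
    port = server.getsockname()[1]

    def serve() -> None:
        conn, _ = server.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
        records.extend(rec for rec in buf.split(b"\n") if rec)

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        send_syslog("127.0.0.1", port, frames)
        worker.join(timeout=5.0)
    finally:
        server.close()
    return records


if __name__ == "__main__":
    for rec in run_loopback_check(sample_frames()):
        print(rec.decode())
```

Run the file as-is for the loopback check. To exercise the deployed pipeline, call `send_syslog("<agent-ip>", 54525, sample_frames())` from a host on the same network segment as Prism Central (the path the appliance will use, so the firewall rule is tested too) and then search Google SecOps for the `prism-central` host name. If the loopback check passes and the live send succeeds but nothing appears in Google SecOps, the receiver is fine and the problem is on the exporter side: the credentials, the customer ID, or egress to the endpoint.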