找出 config.yaml 檔案。通常位於 Linux 的 /etc/bindplane-agent/ 目錄,或 Windows 的安裝目錄。
使用文字編輯器 (例如 nano、vi 或記事本) 開啟檔案。
按照下列方式編輯 config.yaml 檔案:
receivers:udplog:# Replace with your specific IP and portlisten_address:"0.0.0.0:514"exporters:chronicle/chronicle_w_labels:compression:gzip# Path to the ingestion authentication filecreds:'/path/to/your/ingestion-auth.json'# Your Chronicle customer IDcustomer_id:'your_customer_id'endpoint:malachiteingestion-pa.googleapis.comingestion_labels:log_type:SYSLOGnamespace:radware_wafraw_log_field:bodyservice:pipelines:logs/source0__chronicle_w_labels-0:receivers:-udplogexporters:-chronicle/chronicle_w_labels
視基礎架構需求,替換通訊埠和 IP 位址。
將 <customer_id> 替換為實際的客戶 ID。
將 /path/to/ingestion-authentication-file.json 更新為「取得 Google SecOps 擷取驗證檔案」一節中儲存驗證檔案的路徑。
重新啟動 Bindplane 代理程式,以套用變更
如要在 Linux 中重新啟動 Bindplane 代理程式,請執行下列指令:
sudosystemctlrestartbindplane-agent
如要在 Windows 中重新啟動 Bindplane 代理程式,可以使用「服務」控制台,或輸入下列指令:
net stop BindPlaneAgent && net start BindPlaneAgent
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThis guide explains how to collect Radware Web Application Firewall (WAF) logs and ingest them into Google Security Operations (SecOps) using a forwarder.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves installing and configuring the Bindplane Agent, which will be used to collect and forward syslog data to Google SecOps.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration of both the AppWall standalone and the integrated AppWall in Alteon, utilizing Vision Reporter to send logs to the Bindplane Agent, is detailed, including a preference for Vision Reporter over syslog for HTTP request data.\u003c/p\u003e\n"],["\u003cp\u003eThe parser is able to extract fields from Radware firewall syslog messages using grok patterns and map these fields to the Unified Data Model (UDM), and also populate security result fields and categorize events.\u003c/p\u003e\n"],["\u003cp\u003eBefore setup, you need to ensure that you have a Google Security Operations instance, the correct operating system, open firewall ports, and access to both the Radware WAF and Vision Reporter.\u003c/p\u003e\n"]]],[],null,["# Collect Radware WAF logs\n========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to collect the Radware Web Application Firewall (WAF) logs by using a Google Security Operations forwarder.\nThe parser extracts fields from Radware firewall syslog messages using grok patterns, and maps them to the UDM. It handles various log formats, populates security result fields based on attack details, and categorizes events based on `attack_id`, enriching the data for Google SecOps ingestion.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that Radware Vision Reporter is installed and configured on AppWall.\n- Ensure that you have privileged access to Radware WAF portal.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane Agent will be installed.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n### Windows installation\n\n1. Open the **Command Prompt** or **PowerShell** as an administrator.\n2. Run the following command:\n\n msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet\n\n### Linux installation\n\n1. Open a terminal with root or sudo privileges.\n2. Run the following command:\n\n sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh\n\n### Additional installation resources\n\n- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the configuration file:\n\n - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.\n - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n udplog:\n # Replace with your specific IP and port\n listen_address: \"0.0.0.0:514\"\n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Path to the ingestion authentication file\n creds: '/path/to/your/ingestion-auth.json'\n # Your Chronicle customer ID\n customer_id: 'your_customer_id'\n endpoint: malachiteingestion-pa.googleapis.com\n ingestion_labels:\n log_type: SYSLOG\n namespace: radware_waf\n raw_log_field: body\n\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - udplog\n exporters:\n - chronicle/chronicle_w_labels\n\n- Replace the port and IP address as required in your infrastructure.\n- Replace `\u003ccustomer_id\u003e` with the actual customer ID.\n- Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/radware-waf#get-auth-file) section.\n\nRestart Bindplane Agent to apply the changes\n--------------------------------------------\n\n- To restart the Bindplane Agent in Linux, run the following command:\n\n sudo systemctl restart bindplane-agent\n\n- To restart the Bindplane Agent in Windows, you can either use the **Services** console or enter the following command:\n\n net stop BindPlaneAgent && net start BindPlaneAgent\n\nConfigure Radware AppWall WAF\n-----------------------------\n\n| **Note:** External logging configuration using syslog doesn't include original HTTP request data in the syslog event details. To include the original HTTP request in event, Google recommends that you configure external logging using Vision Reporter rather than syslog.\n\nTo complete the tasks, do the following three configurations:\n\n- Configure the AppWall standalone using Vision Reporter.\n- Configure the integrated AppWall in Alteon using Vision Reporter (include HTTP request data in event details).\n- Configure Vision Reporter to Send Logs to Bindplane Agent.\n\n### Configure AppWall Standalone using Vision Reporter\n\n1. Sign in to [Radware WAF](https://portal.radwarecloud.com/login) console using administrator credentials.\n2. Go to **Configuration \\\u003e Services \\\u003e Vision Support \\\u003e Vision Reporter** .\n - Enable logging by **selecting** the **Send events to Vision Reporter** checkbox.\n - **Vision Reporter address** : enter the **IP address** of the Vision Reporter.\n - **Port**: enter the port number.\n - **Protocol** : select **UDP** or **TCP**.\n - To include **HTTP response data** , select the **Send replies to Vision Reporter** checkbox.\n3. Click **Save**.\n\n### Configure Integrated AppWall in Alteon using Vision Reporter (preferred for HTTP Request Data Logging)\n\n1. Sign in to Radware WAF console using administrator credentials.\n2. Go to **Configuration \\\u003e Security \\\u003e Web Security \\\u003e Vision Reporter** .\n - Enable logging by **selecting** the **Send events to Vision Reporter** checkbox.\n - Select the **Send events to Vision reporter** checkbox.\n - **Vision Reporter IP address**: enter the IP address of the Vision Reporter.\n - **Port**: enter a high port number.\n - **Security** : select **UDP** or **TCP**.\n3. Click **Save**.\n\n### Configure Vision Reporter to send logs to Bindplane Agent\n\n1. Sign in to Radware Vision Reporter administrator console.\n2. Go to **Configuration \\\u003e SIEM \\& External Logging**.\n3. Click **+ Add New SIEM Destination** .\n - **Destination Name** : enter **Google SecOps Forwarder**.\n - **Log Export Type** : select **Syslog** (RFC 5424 format) for structured logging.\n - **Remote Syslog Server IP** enter the Bindplane Agent's IP address.\n - **Port**: enter a port that the Bindplane Agent listens on (for example, 514 for UDP, 601 for TCP).\n - **Protocol** : select **UDP** or **TCP** depending on the Bindplane configuration.\n4. Click **Save**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
