Collect Sophos DHCP logs

This document explains how to ingest Sophos Dynamic Host Configuration Protocol (DHCP) logs into Google Security Operations using Bindplane. The parser first normalizes Sophos DHCP syslog messages into a key-value structure and then maps the extracted fields to the Unified Data Model (UDM) schema. It handles the different DHCP message types (DHCPREQUEST, DHCPACK, DHCPOFFER, DHCPNAK) and extracts relevant information such as IP addresses, MAC addresses, and DHCP options.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance.
  • A Windows 2016 or later host, or a Linux host with systemd.
  • If running behind a proxy, make sure firewall ports are open per the Bindplane agent requirements.
  • Privileged access to the Sophos UTM management console or Sophos Firewall (SFOS) Web Admin console.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
    • Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
      udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"
    
    exporters:
      chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <CUSTOMER_ID>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        log_type: 'SOPHOS_DHCP'
        raw_log_field: body
        ingestion_labels:
    
    service:
      pipelines:
        logs/source0__chronicle_w_labels-0:
          receivers:
            - udplog
          exporters:
            - chronicle/chronicle_w_labels
    
    • Replace the port and IP address as required in your infrastructure.
    • Replace <CUSTOMER_ID> with the actual Customer ID.
    • Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector
    
  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    sc stop observiq-otel-collector && sc start observiq-otel-collector
    

Option 1: Configure Syslog forwarding on Sophos UTM

  1. Sign in to the Sophos UTM Management Console.
  2. Go to Logging & Reporting > Log Settings > Remote Syslog Server.
  3. Click the toggle button to enable Remote syslog. The Remote Syslog Settings area becomes editable.
  4. In the Syslog servers field, click + Add syslog server.
  5. In the Add syslog server dialog, provide the following configuration details:
    • Name: Enter a descriptive name (for example, Google SecOps BindPlane DHCP).
    • Server: Click the + (plus) icon next to the Server field. Create or select a Host from Network Definitions with the BindPlane Agent IP address and click Save.
    • Port: Click the + (plus) icon next to the Port field. Create or select a Service Definition with the appropriate protocol and port (for example, UDP/514) and click Save.
  6. Click Save in the Add Syslog Server dialog.
  7. Click Apply in the Remote Syslog Settings section.
  8. Optional: Adjust the Remote Syslog Buffer setting (default is 1000 lines) and click Apply.
  9. In the Remote Syslog Log Selection section, select DHCP Server and the required log categories.
  10. Click Apply to save the log selection settings.

Option 2: Configure Syslog forwarding on Sophos Firewall

  1. Sign in to the Sophos Firewall Web Admin Console.
  2. Go to Configure > System services > Log settings.
  3. Click Add to configure a syslog server.
  4. Provide the following configuration details:
    • Name: Enter a unique name for the Google SecOps collector (for example, Google SecOps BindPlane DHCP).
    • IP address/Domain: Enter the BindPlane IP address.
    • Port: Enter the BindPlane port number (for example, 514).
    • Facility: Select DAEMON.
    • Severity level: Select Information.
    • Format: Select Device standard format.
  5. Click Save.
  6. Return to the Log Settings page and select the specific log types to forward to the syslog server.
  7. Select the appropriate log categories that include DHCP events. DHCP logs are generated by the dhcpd service and are part of the network or system logs that are forwarded when the corresponding log categories are enabled.
  8. Click Apply to save the configuration.

UDM mapping table

| Log field | UDM mapping | Logic |
| --- | --- | --- |
| action | event.idm.read_only_udm.security_result.action_details | |
| attr_address | event.idm.read_only_udm.target.ip | |
| attr_addresses | event.idm.read_only_udm.target.ip | |
| call | event.idm.read_only_udm.security_result.summary | |
| client | event.idm.read_only_udm.principal.hostname | |
| client | event1.idm.read_only_udm.principal.hostname | |
| data | | |
| dstip | event.idm.read_only_udm.target.ip | |
| dstmac | event.idm.read_only_udm.target.mac | |
| dstport | event.idm.read_only_udm.target.port | |
| fwrule | event.idm.read_only_udm.security_result.rule_id | |
| id | event.idm.read_only_udm.metadata.product_event_type | Concatenated with ulogd - |
| id | event1.idm.read_only_udm.metadata.product_event_type | Concatenated with ID - |
| info | event.idm.read_only_udm.security_result.description | |
| initf | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to In Interface |
| msg | event.idm.read_only_udm.metadata.description | When process_type is not confd or ulogd |
| name | event.idm.read_only_udm.security_result.description | |
| objname | event.idm.read_only_udm.principal.resource.name | |
| oldattr_address | event.idm.read_only_udm.principal.ip | |
| oldattr_addresses | event.idm.read_only_udm.principal.ip | |
| outitf | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to Out Interface |
| pid | event.idm.read_only_udm.principal.process.pid | |
| proto | event.idm.read_only_udm.network.ip_protocol | |
| severity | event.idm.read_only_udm.security_result.severity | If severity is info or debug then security_result.severity is INFORMATIONAL. If severity is warn then security_result.severity is MEDIUM |
| severity | event1.idm.read_only_udm.security_result.severity | If severity is info or debug then security_result.severity is INFORMATIONAL. If severity is warn then security_result.severity is MEDIUM |
| sid | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to sid |
| src_host | event.idm.read_only_udm.principal.hostname | When process_type is dhcpd and dhcp_type is DHCPREQUEST or DHCPACK or DHCPOFFER |
| src_host | event.idm.read_only_udm.observer.hostname | When process_type is dhcpd and dhcp_type is DHCPREQUEST |
| src_host | event.idm.read_only_udm.network.dhcp.client_hostname | When process_type is dhcpd and dhcp_type is DHCPACK or DHCPOFFER |
| src_ip | event.idm.read_only_udm.network.dhcp.ciaddr | When process_type is dhcpd and dhcp_type is DHCPREQUEST |
| src_ip | event.idm.read_only_udm.network.dhcp.yiaddr | When process_type is dhcpd and dhcp_type is DHCPACK or DHCPOFFER or DHCPNAK |
| src_ip | event.idm.read_only_udm.principal.ip | When process_type is dhcpd and dhcp_type is DHCPREQUEST or DHCPACK or DHCPOFFER or DHCPNAK |
| src_ip | event.idm.read_only_udm.observer.ip | When process_type is dhcpd and dhcp_type is DHCPREQUEST or DHCPACK or DHCPOFFER |
| src_mac | event.idm.read_only_udm.network.dhcp.chaddr | When process_type is dhcpd and dhcp_type is DHCPREQUEST or DHCPACK or DHCPOFFER or DHCPNAK |
| src_mac | event.idm.read_only_udm.principal.mac | When process_type is dhcpd and dhcp_type is DHCPREQUEST or DHCPACK or DHCPOFFER or DHCPNAK |
| srcip | event.idm.read_only_udm.principal.ip | |
| srcip | event1.idm.read_only_udm.principal.ip | |
| srcmac | event.idm.read_only_udm.principal.mac | |
| srcport | event.idm.read_only_udm.principal.port | |
| sub | event.idm.read_only_udm.metadata.description | |
| sub | event1.idm.read_only_udm.metadata.description | |
| tcpflags | event.idm.read_only_udm.security_result.about.labels.value | Key is hardcoded to TCP Flags |
| user | event.idm.read_only_udm.principal.user.userid | |
| user | event1.idm.read_only_udm.principal.user.userid | |
| | event.idm.read_only_udm.metadata.event_type | GENERIC_EVENT if no other event_type is set. NETWORK_CONNECTION if srcip and dstip are not empty. RESOURCE_WRITTEN if name is object changed. NETWORK_DHCP if process_type is dhcpd |
| | event.idm.read_only_udm.metadata.log_type | Hardcoded to SOPHOS_DHCP |
| | event.idm.read_only_udm.metadata.product_name | Hardcoded to SOPHOS_DHCP |
| | event.idm.read_only_udm.metadata.vendor_name | Hardcoded to SOPHOS |
| | event.idm.read_only_udm.network.application_protocol | Hardcoded to DHCP when process_type is dhcpd |
| | event.idm.read_only_udm.network.dhcp.opcode | Hardcoded to BOOTREQUEST when process_type is dhcpd and dhcp_type is DHCPREQUEST. Hardcoded to BOOTREPLY when process_type is dhcpd and dhcp_type is DHCPACK or DHCPOFFER or DHCPNAK |
| | event.idm.read_only_udm.network.dhcp.type | REQUEST when process_type is dhcpd and dhcp_type is DHCPREQUEST. ACK when process_type is dhcpd and dhcp_type is DHCPACK. OFFER when process_type is dhcpd and dhcp_type is DHCPOFFER. NAK when process_type is dhcpd and dhcp_type is DHCPNAK |
| | event1.idm.read_only_udm.metadata.event_type | Hardcoded to GENERIC_EVENT |
| | event1.idm.read_only_udm.metadata.log_type | Hardcoded to SOPHOS_DHCP |
| | event1.idm.read_only_udm.metadata.product_name | Hardcoded to SOPHOS_DHCP |
| | event1.idm.read_only_udm.metadata.vendor_name | Hardcoded to SOPHOS |
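The dhcpd rows of the table above, worked through as an added Python example (not Google's parser code): it normalizes a dhcpd syslog line into the key-value fields the table names (process_type, dhcp_type, src_ip, src_mac, src_host) and then applies the per-message-type mapping rules. The sample log lines are constructed, and their ISC dhcpd-style wording is an assumption about the Sophos UTM format.

```python
import re

# Constructed sample lines (assumption: Sophos UTM's dhcpd writes ISC-style messages).
SAMPLE_LOGS = [
    "2024:01:15-10:23:45 utm1 dhcpd: DHCPREQUEST for 10.0.0.50 from aa:bb:cc:dd:ee:01 (laptop-01) via eth1",
    "2024:01:15-10:23:45 utm1 dhcpd: DHCPACK on 10.0.0.50 to aa:bb:cc:dd:ee:01 (laptop-01) via eth1",
    "2024:01:15-10:23:46 utm1 dhcpd: DHCPNAK on 10.0.0.99 to aa:bb:cc:dd:ee:02 via eth1",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<process_type>\w+)(?:\[\d+\])?: "
    r"(?P<dhcp_type>DHCP[A-Z]+) (?:for|on) (?P<src_ip>[\d.]+) (?:from|to) "
    r"(?P<src_mac>[0-9a-f:]{17})(?: \((?P<src_host>[^)]+)\))?(?: via (?P<itf>\S+))?"
)

def parse_kv(line):
    """Step 1 of the parser: normalize a dhcpd syslog line into key-value fields."""
    m = LINE_RE.match(line)
    return {k: v for k, v in m.groupdict().items() if v is not None} if m else None

def to_udm(kv):
    """Step 2: apply the table's dhcpd rows; UDM paths are written without the event.idm.read_only_udm prefix."""
    if kv is None or kv.get("process_type") != "dhcpd":
        return {"metadata.event_type": "GENERIC_EVENT"}
    t = kv["dhcp_type"]
    udm = {
        "metadata.event_type": "NETWORK_DHCP",
        "network.application_protocol": "DHCP",
        "network.dhcp.type": t[len("DHCP"):],            # REQUEST / ACK / OFFER / NAK
        "network.dhcp.opcode": "BOOTREQUEST" if t == "DHCPREQUEST" else "BOOTREPLY",
        "network.dhcp.chaddr": kv["src_mac"],             # src_mac -> chaddr and principal.mac (all four types)
        "principal.mac": kv["src_mac"],
        "principal.ip": kv["src_ip"],                     # src_ip -> principal.ip (all four types)
    }
    # A REQUEST carries the client's own address (ciaddr); server replies carry the
    # offered/acknowledged/refused address (yiaddr).
    udm["network.dhcp.ciaddr" if t == "DHCPREQUEST" else "network.dhcp.yiaddr"] = kv["src_ip"]
    if t != "DHCPNAK":                                     # observer and hostname rows exclude NAK
        udm["observer.ip"] = kv["src_ip"]
        if "src_host" in kv:
            udm["principal.hostname"] = kv["src_host"]
            udm["observer.hostname" if t == "DHCPREQUEST" else "network.dhcp.client_hostname"] = kv["src_host"]
    return udm

def map_all(lines):
    """Map every sample line; a line that does not parse becomes a GENERIC_EVENT."""
    return [to_udm(parse_kv(line)) for line in lines]
```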
