找出 config.yaml 檔案。通常位於 Linux 的 /etc/bindplane-agent/ 目錄,或 Windows 的安裝目錄。
使用文字編輯器 (例如 nano、vi 或記事本) 開啟檔案。
按照下列方式編輯 config.yaml 檔案:
receivers:udplog:# Replace the below port <54525> and IP <0.0.0.0> with your specific valueslisten_address:"0.0.0.0:54525"exporters:chronicle/chronicle_w_labels:compression:gzip# Adjust the creds location below according the placement of the credentials file you downloadedcreds:'{jsonfileforcreds}'# Replace <customer_id> below with your actual ID that you copiedcustomer_id:<customer_id>
endpoint:malachiteingestion-pa.googleapis.com# You can apply ingestion labels below as preferredingestion_labels:log_type:SYSLOGnamespace:trendmicro_deep_securityraw_log_field:bodyservice:pipelines:logs/source0__chronicle_w_labels-0:receivers:-udplogexporters:-chronicle/chronicle_w_labels
視基礎架構需求,替換通訊埠和 IP 位址。
將 <customer_id> 替換為實際的客戶 ID。
將 /path/to/ingestion-authentication-file.json 更新為「取得 Google SecOps 擷取驗證檔案」一節中儲存驗證檔案的路徑。
重新啟動 Bindplane 代理程式,以套用變更
在 Linux 中,如要重新啟動 Bindplane 代理程式,請執行下列指令:
sudosystemctlrestartbindplane-agent
在 Windows 中,如要重新啟動 Bindplane 代理程式,可以使用「服務」主控台,也可以輸入下列指令:
net stop BindPlaneAgent && net start BindPlaneAgent
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eThis document provides instructions for collecting Trend Micro Deep Security logs using Google SecOps, supporting both LEEF+CEF and CEF log formats, which are then parsed into a unified data model (UDM).\u003c/p\u003e\n"],["\u003cp\u003eThe collection process involves downloading an ingestion authentication file and customer ID from the Google SecOps console, installing the Bindplane Agent, and configuring it to send Syslog data.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration of the Trend Micro Deep Security console is needed to forward security and system events via Syslog, specifying settings like server name, port, and event format (LEEF or CEF).\u003c/p\u003e\n"],["\u003cp\u003eThe document details how various fields from Trend Micro Deep Security logs are mapped to UDM fields, including recent updates to map "event_name", "act", and other relevant fields to improve data organization.\u003c/p\u003e\n"],["\u003cp\u003eBindplane Agent can be installed on Windows or Linux, with configuration done by editing a config.yaml file, to specify the receiver (udplog), exporter (chronicle), customer ID and ingestion credentials location, and then restart the agent to activate it.\u003c/p\u003e\n"]]],[],null,["# Collect Trend Micro Deep Security logs\n======================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document describes how you can collect the Trend Micro Deep Security logs using Google Security Operations. This parser the logs, which can be in either LEEF+CEF or CEF format, into a unified data model (UDM). It extracts fields from the log messages using grok patterns and key-value pairs, then maps them to corresponding UDM fields, handling various data cleaning and normalization tasks along the way.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google SecOps instance.\n- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that you have privileged access to TrendMicro Deep Security console.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane Agent will be installed.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n### Windows Installation\n\n1. Open the **Command Prompt** or **PowerShell** as an administrator.\n2. Run the following command:\n\n msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet\n\n### Linux Installation\n\n1. Open a terminal with root or sudo privileges.\n2. Run the following command:\n\n sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh\n\n### Additional Installation Resources\n\n- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the configuration file:\n\n - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.\n - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n udplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: trendmicro_deep_security\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - udplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Replace the port and IP address as required in your infrastructure.\n\n4. Replace `\u003ccustomer_id\u003e` with the actual customer ID.\n\n5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the\n [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/trendmicro-ds#get-auth-file) section.\n\nRestart Bindplane Agent to apply the changes\n--------------------------------------------\n\n- In Linux, to restart the Bindplane Agent, run the following command:\n\n sudo systemctl restart bindplane-agent\n\n- In Windows, to restart the Bindplane Agent, you can either use the **Services** console or enter the following command:\n\n net stop BindPlaneAgent && net start BindPlaneAgent\n\nConfigure Syslog in TrendMicro Deep Security\n--------------------------------------------\n\n1. Sign in to TrenMicro Deep Security console.\n2. Go to **Policies \\\u003e Common Objects \\\u003e Other \\\u003e Syslog Configurations**.\n3. Click **New \\\u003e New Configuration**.\n4. Provide the following details for the configuration:\n - **Name** : unique name that identifies the configuration (for example, **Google SecOps Bindplane**)\n - Optional: **Description**: add a description.\n - **Log Source Identifier**: specify an identifier to use instead of Deep Security Manager's hostname, if desired.\n - **Server Name**: enter the hostname or IP address of the Syslog server (Bindplane).\n - **Server Port**: specify the listening port number on the server (Bindplane).\n - **Transport** : select **UDP** as the transport protocol.\n - **Event Format** : select **LEEF** or **CEF** (LEEF format requires that you set **Agents should forward logs** to **Via the Deep Security Manager**).\n - Optional: **Include time zone in events**: whether to add the full date (including year and time zone) to the event.\n - Optional: **Agents should forward logs** : select **Via the Deep Security Manager** if logs are formatted with LEEF.\n5. Click **Apply** to finalize the settings.\n\nConfigure Security Events forwarding\n------------------------------------\n\n1. Go to **Policies** and select the policy applied to the computers you want to configure.\n2. Click **Details**.\n3. In the **Policy editor** window, click **Settings \\\u003e Event Forwarding**.\n4. From the **Period between sending of events** section, set the period value to a time period between 10 and 60 seconds.\n - The default value is 60 seconds, and the recommended value is 10 seconds.\n5. For each of these protection modules:\n - **Anti-Malware Syslog Configuration**\n - **Web reputation Syslog Configuration**\n - **Firewall**\n - **Intrusion prevention Syslog Configuration**\n - **Log inspection and Integrity monitoring Syslog Configuration**\n6. Select the syslog configuration to use from the context menu:\n - **Syslog Configuration Name**: Select the appropriate configuration.\n7. Click **Save** to apply the settings.\n\nConfigure System Events forwarding\n----------------------------------\n\n1. Go to **Administration \\\u003e System Settings \\\u003e Event Forwarding**.\n2. From **Forward System Events to a remote computer (via Syslog) using configuration** , select the **existing configuration** created earlier.\n3. Click **Save**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
