Collect Versa Networks Secure Access Service Edge (SASE) logs

This document describes how you can collect the Versa Networks Secure Access Service Edge (SASE) logs. The parser extracts key-value pairs after an initial grok filter. It then maps these values to the Unified Data Model (UDM), handling various log formats like firewall events, application logs, and alarm logs, and performs conversions and enrichments for specific fields like IP protocol and risk score.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to Versa SASE.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where BindPlane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

Windows Installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   

Linux Installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
   

Additional Installation Resources

• For additional installation options, consult this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   • Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       tcplog:
           # Replace the port and IP address as required
           listen_address: "0.0.0.0:54525"
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the path to the credentials file you downloaded in Step 1
           creds: `/path/to/ingestion-authentication-file.json`
           # Replace with your actual customer ID from Step 2
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # Add optional ingestion labels for better organization
           ingestion_labels:
               log_type: SYSLOG
               namespace: versa_networks_sase
               raw_log_field: body
   
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels
   
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart BindPlane Agent to apply the changes

• In Linux, to restart the BindPlane Agent, run the following command:

  sudo systemctl restart bindplane-agent
  

• In Windows, to restart the BindPlane Agent, you can either use the Services console or enter the following command:

  net stop BindPlaneAgent && net start BindPlaneAgent
  

Configure Versa Networks SASE

Administrators must configure remote collectors on each Versa Analytics node to forward logs to third-party systems.

To configure the Versa analytics nodes, do the following:

• Enable log forwarding
• Enable session ID logging

Enable log forwarding

1. Sign in to the Versa analytics server.
2. Go to CLI by running the cli command.
3. Switch to Configuration mode by running the configure command, and then enter load merge terminal.

4. Copy and paste the following commands to set up log forwarding:

   • Replace <collector_ip> and <collector_port> with the IP address and port of your syslog collector (Bindplane).

   set system analytics log-collector-exporter destination-address <collector_ip>
   set system analytics log-collector-exporter destination-port <collector_port>
   set system analytics log-collector-exporter transport tcp
   set system analytics log-collector-exporter log-types firewall-log
   set system analytics log-collector-exporter log-types threat-log
   commit
   

5. Save the configuration:

   save
   

Enable session ID logging

To log IP-related information, enable session ID logging.

1. Sign in to Versa Director.
2. Switch to Director View.
3. Go to Configuration > Devices > Tenant > Device to access Appliance View.
4. Select Configuration > Others > System > Configuration > Configuration.
5. In the Parameters pane, click Edit.
6. In the Edit parameters window, select LEF.

7. In the Firewall section, select the Include session ID logging checkbox.

8. Click OK.

UDM Mapping Table

Changes

2024-06-03

• Mapped "idpAction" to "security_result.action".
• Mapped "threatType" to "security_result.detection_fields".
• Mapped "ipsDirection" to "security_result.detection_fields".
• Mapped "ipsProfile" to "security_result.detection_fields".
• Mapped "signaturePriority" to "security_result.severity".
• Mapped "signatureMsg" to "security_result.detection_fields".
• Mapped "signatureId" to "security_result.detection_fields".
• Mapped "ipsApplication" to "security_result.detection_fields".
• Mapped "classMsg" to "security_result.description".
• Mapped "ipsProfileRule" to "security_result.rule_name".
• Mapped "ipsProtocol" to "network.ip_protocol".

2023-07-03

• Added support for "entitlementlog", "monstatslog", and "tcpappmonlog".

2022-11-04

• Mewly created parser.