Collect Versa Networks Secure Access Service Edge (SASE) logs

Supported in:

Google SecOps SIEM

This document describes how you can collect the Versa Networks Secure Access Service Edge (SASE) logs. The parser extracts key-value pairs after an initial grok filter. It then maps these values to the Unified Data Model (UDM), handling various log formats like firewall events, application logs, and alarm logs, and performs conversions and enrichments for specific fields like IP protocol and risk score.

Before you begin

Ensure that you have a Google Security Operations instance.
Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
If running behind a proxy, ensure firewall ports are open.
Ensure that you have privileged access to Versa SASE.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane Agent will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Install Bindplane Agent

Windows Installation

Open the Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux Installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional Installation Resources

For additional installation options, consult this installation guide.

Configure Bindplane Agent to ingest Syslog and send to Google SecOps

Access the configuration file:
- Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano, vi, or Notepad).

Edit the config.yaml file as follows:

receivers:
    tcplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:54525"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds: `/path/to/ingestion-authentication-file.json`
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: SYSLOG
            namespace: versa_networks_sase
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - tcplog
            exporters:
                - chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart Bindplane Agent to apply the changes

In Linux, to restart the Bindplane Agent, run the following command:
```
sudo systemctl restart bindplane-agent
```
In Windows, to restart the Bindplane Agent, you can either use the Services console or enter the following command:
```
net stop BindPlaneAgent && net start BindPlaneAgent
```

Configure Versa Networks SASE

Administrators must configure remote collectors on each Versa Analytics node to forward logs to third-party systems.

To configure the Versa analytics nodes, do the following:

Enable log forwarding
Enable session ID logging

Enable log forwarding

Sign in to the Versa analytics server.
Go to CLI by running the cli command.
Switch to Configuration mode by running the configure command, and then enter load merge terminal.

Copy and paste the following commands to set up log forwarding:

Replace <collector_ip> and <collector_port> with the IP address and port of your syslog collector (Bindplane).

set system analytics log-collector-exporter destination-address <collector_ip>
set system analytics log-collector-exporter destination-port <collector_port>
set system analytics log-collector-exporter transport tcp
set system analytics log-collector-exporter log-types firewall-log
set system analytics log-collector-exporter log-types threat-log
commit

Save the configuration:
```
save
```

Enable session ID logging

To log IP-related information, enable session ID logging.

Sign in to Versa Director.
Switch to Director View.
Go to Configuration > Devices > Tenant > Device to access Appliance View.
Select Configuration > Others > System > Configuration > Configuration.
In the Parameters pane, click Edit.
In the Edit parameters window, select LEF.
In the Firewall section, select the Include session ID logging checkbox.

Note: In Releases 21.1.1 and newer, session identification is automatically enabled. Check if this feature is active in your configuration.
Click OK.

UDM Mapping Table

Log Field	UDM Mapping	Logic
`accCkt`	`additional.fields[].key`: "accCkt" `additional.fields[].value.string_value`: `accCkt`	Value taken directly from the `accCkt` field.
`accCktId`	`additional.fields[].key`: "accCktId" `additional.fields[].value.string_value`: `accCktId`	Value taken directly from the `accCktId` field.
`accCktName`	`additional.fields[].key`: "accCktName" `additional.fields[].value.string_value`: `accCktName`	Value taken directly from the `accCktName` field.
`accessType`	`additional.fields[].key`: "accessType" `additional.fields[].value.string_value`: `accessType`	Value taken directly from the `accessType` field.
`action`	`security_result.action`: `action`	If `action`, `type`, `idpAction`, `avAction`, or `urlAction` are "allow" then `ALLOW`. If `action`, `type`, `idpAction`, `avAction`, or `urlAction` are "reject", "drop", "block", "deny" then `BLOCK`. If `idpAction` is anything else then `UNKNOWN_ACTION`.
`alarmCause`	`security_result.detection_fields[].key`: "alarmCause" `security_result.detection_fields[].value`: `alarmCause`	Value taken directly from the `alarmCause` field.
`alarmClass`	`security_result.detection_fields[].key`: "alarmClass" `security_result.detection_fields[].value`: `alarmClass`	Value taken directly from the `alarmClass` field.
`alarmClearable`	`security_result.detection_fields[].key`: "alarmClearable" `security_result.detection_fields[].value`: `alarmClearable`	Value taken directly from the `alarmClearable` field.
`alarmEventType`	`metadata.product_event_type`: `alarmEventType`	Value taken directly from the `alarmEventType` field.
`alarmKey`	`security_result.detection_fields[].key`: "alarmKey" `security_result.detection_fields[].value`: `alarmKey`	Value taken directly from the `alarmKey` field.
`alarmKind`	`security_result.detection_fields[].key`: "alarmKind" `security_result.detection_fields[].value`: `alarmKind`	Value taken directly from the `alarmKind` field.
`alarmOwner`	`security_result.detection_fields[].key`: "alarmOwner" `security_result.detection_fields[].value`: `alarmOwner`	Value taken directly from the `alarmOwner` field.
`alarmSeqNo`	`security_result.detection_fields[].key`: "alarmSeqNo" `security_result.detection_fields[].value`: `alarmSeqNo`	Value taken directly from the `alarmSeqNo` field.
`alarmSeverity`	`security_result.severity_details`: `alarmSeverity`	Value taken directly from the `alarmSeverity` field.
`alarmText`	`security_result.summary`: `alarmText`	Value taken directly from the `alarmText` field, with double quotes removed.
`alarmType`	`security_result.description`: `alarmType`	Value taken directly from the `alarmType` field.
`appFamily`	`metadata.product_event_type`: `appFamily` `security_result.detection_fields[].key`: "appFamily" `security_result.detection_fields[].value`: `appFamily`	Value taken directly from the `appFamily` field.
`appId`	`security_result.detection_fields[].key`: "Application ID" `security_result.detection_fields[].value`: `appId`	Value taken directly from the `appId` field.
`appIdStr`	`security_result.detection_fields[].key`: "appIdStr" `security_result.detection_fields[].value`: `appIdStr`	Value taken directly from the `appIdStr` field.
`applianceName`	`principal.hostname`: `applianceName`	Value taken directly from the `applianceName`, `siteName`, or `site` field.
`appProductivity`	`security_result.detection_fields[].key`: "appProductivity" `security_result.detection_fields[].value`: `appProductivity`	Value taken directly from the `appProductivity` field.
`appRisk`	`security_result.severity_details`: `appRisk`	Value taken directly from the `appRisk` field.
`appSubFamily`	`security_result.detection_fields[].key`: "appSubFamily" `security_result.detection_fields[].value`: `appSubFamily`	Value taken directly from the `appSubFamily` field.
`avAccuracy`	`additional.fields[].key`: "avAccuracy" `additional.fields[].value.string_value`: `avAccuracy`	Value taken directly from the `avAccuracy` field.
`avAction`	`security_result.action`: `avAction`	See `action` for logic.
`avMalwareName`	`security_result.threat_name`: `avMalwareName`	Value taken directly from the `avMalwareName` field.
`avMalwareType`	`security_result.category_details`: `avMalwareType`	Value taken directly from the `avMalwareType` field.
`classMsg`	`security_result.description`: `classMsg`	Value taken directly from the `classMsg` field, with double quotes removed.
`clientIPv4Address`	`target.ip`: `clientIPv4Address`	Value taken directly from the `clientIPv4Address` field.
`destIp`	`target.ip`: `destIp` `destinationIPv4Address`: `destIp`	Value taken directly from the `destIp` field.
`destinationIPv4Address`	`target.ip`: `destinationIPv4Address`	Value taken directly from the `destinationIPv4Address` or derived from `networkPrefix` field.
`destinationIPv6Address`	`target.ip`: `destinationIPv6Address`	Value taken directly from the `destinationIPv6Address` field.
`destinationPort`	`target.port`: `destinationPort`	Value taken directly from the `destinationPort` field and converted to integer.
`destinationTransportPort`	`target.port`: `destinationTransportPort`	Value taken directly from the `destinationTransportPort` field and converted to integer.
`deviceKey`	`about.resource.attribute.labels[].key`: "deviceKey" `about.resource.attribute.labels[].value`: `deviceKey`	Value taken directly from the `deviceKey` field if not "Unknown".
`deviceName`	`about.resource.attribute.labels[].key`: "deviceName" `about.resource.attribute.labels[].value`: `deviceName`	Value taken directly from the `deviceName` field if not "Unknown".
`duration`	`network.session_duration.seconds`: `duration`	Value taken directly from the `duration` field and converted to integer.
`egressInterfaceName`	`additional.fields[].key`: "egressInterfaceName" `additional.fields[].value.string_value`: `egressInterfaceName`	Value taken directly from the `egressInterfaceName` field.
`event.type`	`metadata.event_type`: `event.type`	If both `applianceName` (or `sourceIPv4Address` or `user` or `sourceIPv6Address`) and `destinationIPv4Address` (or `remoteSite` or `destinationIPv6Address` or `clientIPv4Address` or `hostname`) are present, then `NETWORK_CONNECTION`. Otherwise, `STATUS_UPDATE`. If `applianceName` is empty, then `GENERIC_EVENT`.
`eventType`	`principal.resource.attribute.labels[].key`: "eventType" `principal.resource.attribute.labels[].value`: `eventType`	Value taken directly from the `eventType` field.
`family`	`security_result.detection_fields[].key`: "family" `security_result.detection_fields[].value`: `family`	Value taken directly from the `family` field.
`fc`	`security_result.detection_fields[].key`: "ForwardingClass" `security_result.detection_fields[].value`: `fc`	Value taken directly from the `fc` field.
`fileTransDir`	`additional.fields[].key`: "fileTransDir" `additional.fields[].value.string_value`: `fileTransDir`	Value taken directly from the `fileTransDir` field.
`filename`	`target.file.names`: `filename`	Value taken directly from the `filename` field.
`flowCookie`	`metadata.collected_timestamp`: `flowCookie`	Value taken directly from the `flowCookie` field and converted to timestamp using UNIX format.
`flowId`	`principal.resource.product_object_id`: `flowId`	Value taken directly from the `flowId` field.
`forwardForwardingClass`	`security_result.detection_fields[].key`: "forwardForwardingClass" `security_result.detection_fields[].value`: `forwardForwardingClass`	Value taken directly from the `forwardForwardingClass` field.
`fromCountry`	`principal.location.country_or_region`: `fromCountry` `target.location.country_or_region`: `fromCountry`	Value taken directly from the `fromCountry` field.
`fromUser`	`principal.user.userid`: `fromUser`	Value taken directly from the `fromUser` field if not empty, "unknown", or "Unknown".
`fromZone`	`additional.fields[].key`: "fromZone" `additional.fields[].value.string_value`: `fromZone`	Value taken directly from the `fromZone` field.
`generateTime`	`metadata.collected_timestamp`: `generateTime`	Value taken directly from the `generateTime` field and converted to timestamp using UNIX format.
`hostname`	`target.hostname`: `hostname`	Value taken directly from the `hostname` field.
`httpUrl`	`target.url`: `httpUrl`	Value taken directly from the `httpUrl` field.
`icmpTypeIPv4`	`additional.fields[].key`: "icmpTypeIPv4" `additional.fields[].value.string_value`: `icmpTypeIPv4`	Value taken directly from the `icmpTypeIPv4` field.
`idpAction`	`security_result.action`: `idpAction`	See `action` for logic.
`ingressInterfaceName`	`additional.fields[].key`: "ingressInterfaceName" `additional.fields[].value.string_value`: `ingressInterfaceName`	Value taken directly from the `ingressInterfaceName` field.
`ipsApplication`	`additional.fields[].key`: "ipsApplication" `additional.fields[].value.string_value`: `ipsApplication`	Value taken directly from the `ipsApplication` field.
`ipsDirection`	`security_result.detection_fields[].key`: "ipsDirection" `security_result.detection_fields[].value`: `ipsDirection`	Value taken directly from the `ipsDirection` field.
`ipsProfile`	`security_result.detection_fields[].key`: "ipsProfile" `security_result.detection_fields[].value`: `ipsProfile`	Value taken directly from the `ipsProfile` field.
`ipsProfileRule`	`security_result.rule_name`: `ipsProfileRule`	Value taken directly from the `ipsProfileRule` field.
`ipsProtocol`	`network.ip_protocol`: `ipsProtocol`	Value taken directly from the `ipsProtocol` field.
`log_type`	`metadata.description`: `log_type` `metadata.log_type`: `log_type`	Value taken directly from the `log_type` field.
`mstatsTimeBlock`	`metadata.collected_timestamp`: `mstatsTimeBlock`	Value taken directly from the `mstatsTimeBlock` field and converted to timestamp using UNIX format.
`mstatsTotRecvdOctets`	`network.received_bytes`: `mstatsTotRecvdOctets`	Value taken directly from the `mstatsTotRecvdOctets` field and converted to unsigned integer.
`mstatsTotSentOctets`	`network.sent_bytes`: `mstatsTotSentOctets`	Value taken directly from the `mstatsTotSentOctets` field and converted to unsigned integer.
`mstatsTotSessCount`	`additional.fields[].key`: "mstatsTotSessCount" `additional.fields[].value.string_value`: `mstatsTotSessCount`	Value taken directly from the `mstatsTotSessCount` field.
`mstatsTotSessDuration`	`network.session_duration.seconds`: `mstatsTotSessDuration`	Value taken directly from the `mstatsTotSessDuration` field and converted to integer.
`mstatsType`	`security_result.category_details`: `mstatsType`	Value taken directly from the `mstatsType` field.
`networkPrefix`	`target.ip`: `networkPrefix` `target.port`: `networkPrefix`	IP address extracted from the `networkPrefix` field. Port extracted from the `networkPrefix` field and converted to integer.
`protocolIdentifier`	`network.ip_protocol`: `protocolIdentifier`	Value taken directly from the `protocolIdentifier` field, converted to integer, and mapped to IP protocol name using a lookup.
`recvdOctets`	`network.received_bytes`: `recvdOctets`	Value taken directly from the `recvdOctets` field and converted to unsigned integer.
`recvdPackets`	`network.received_packets`: `recvdPackets`	Value taken directly from the `recvdPackets` field and converted to integer.
`remoteSite`	`target.hostname`: `remoteSite`	Value taken directly from the `remoteSite` field.
`reverseForwardingClass`	`security_result.detection_fields[].key`: "reverseForwardingClass" `security_result.detection_fields[].value`: `reverseForwardingClass`	Value taken directly from the `reverseForwardingClass` field.
`risk`	`security_result.risk_score`: `risk`	Value taken directly from the `risk` field and converted to float.
`rule`	`security_result.rule_name`: `rule`	Value taken directly from the `rule` field.
`sentOctets`	`network.sent_bytes`: `sentOctets`	Value taken directly from the `sentOctets` field and converted to unsigned integer.
`sentPackets`	`network.sent_packets`: `sentPackets`	Value taken directly from the `sentPackets` field and converted to integer.
`serialNum`	`security_result.detection_fields[].key`: "serialNum" `security_result.detection_fields[].value`: `serialNum`	Value taken directly from the `serialNum` field.
`signatureId`	`security_result.detection_fields[].key`: "signatureID" `security_result.detection_fields[].value`: `signatureId`	Value taken directly from the `signatureId` field.
`signatureMsg`	`security_result.detection_fields[].key`: "signatureMsg" `security_result.detection_fields[].value`: `signatureMsg`	Value taken directly from the `signatureMsg` field.
`signaturePriority`	`security_result.severity`: `signaturePriority`	If `signaturePriority` is "low" (case-insensitive), then `LOW`. If `signaturePriority` is "medium" (case-insensitive), then `MEDIUM`. If `signaturePriority` is "high" (case-insensitive), then `HIGH`.
`site`	`principal.hostname`: `site` `applianceName`: `site`	Value taken directly from the `site` field.
`siteId`	`additional.fields[].key`: "siteId" `additional.fields[].value.string_value`: `siteId`	Value taken directly from the `siteId` field.
`siteName`	`principal.hostname`: `siteName` `applianceName`: `siteName`	Value taken directly from the `siteName` field.
`sourceIPv4Address`	`principal.ip`: `sourceIPv4Address`	Value taken directly from the `sourceIPv4Address` field.
`sourceIPv6Address`	`principal.ip`: `sourceIPv6Address`	Value taken directly from the `sourceIPv6Address` field.
`sourcePort`	`principal.port`: `sourcePort`	Value taken directly from the `sourcePort` field and converted to integer.
`sourceTransportPort`	`principal.port`: `sourceTransportPort`	Value taken directly from the `sourceTransportPort` field and converted to integer.
`subFamily`	`security_result.detection_fields[].key`: "subFamily" `security_result.detection_fields[].value`: `subFamily`	Value taken directly from the `subFamily` field.
`tcpConnAborted`	`additional.fields[].key`: "tcpConnAborted" `additional.fields[].value.string_value`: `tcpConnAborted`	Value taken directly from the `tcpConnAborted` field if not empty or "0".
`tcpConnRefused`	`additional.fields[].key`: "tcpConnRefused" `additional.fields[].value.string_value`: `tcpConnRefused`	Value taken directly from the `tcpConnRefused` field if not empty or "0".
`tcpPktsFwd`	`network.sent_packets`: `tcpPktsFwd`	Value taken directly from the `tcpPktsFwd` field and converted to integer.
`tcpPktsRev`	`network.received_packets`: `tcpPktsRev`	Value taken directly from the `tcpPktsRev` field and converted to integer.
`tcpReXmitFwd`	`additional.fields[].key`: "tcpReXmitFwd" `additional.fields[].value.string_value`: `tcpReXmitFwd`	Value taken directly from the `tcpReXmitFwd` field if not empty or "0".
`tcpReXmitRev`	`additional.fields[].key`: "tcpReXmitRev" `additional.fields[].value.string_value`: `tcpReXmitRev`	Value taken directly from the `tcpReXmitRev` field if not empty or "0".
`tcpSAA`	`additional.fields[].key`: "tcpSAA" `additional.fields[].value.string_value`: `tcpSAA`	Value taken directly from the `tcpSAA` field if not empty or "0".
`tcpSSA`	`additional.fields[].key`: "tcpSSA" `additional.fields[].value.string_value`: `tcpSSA`	Value taken directly from the `tcpSSA` field if not empty or "0".
`tcpSessCnt`	`additional.fields[].key`: "tcpSessCnt" `additional.fields[].value.string_value`: `tcpSessCnt`	Value taken directly from the `tcpSessCnt` field.
`tcpSessDur`	`network.session_duration.seconds`: `tcpSessDur`	Value taken directly from the `tcpSessDur` field and converted to integer.
`tcpSynAckReXmit`	`additional.fields[].key`: "tcpSynAckReXmit" `additional.fields[].value.string_value`: `tcpSynAckReXmit`	Value taken directly from the `tcpSynAckReXmit` field if not empty or "0".
`tcpSynReXmit`	`additional.fields[].key`: "tcpSynReXmit" `additional.fields[].value.string_value`: `tcpSynReXmit`	Value taken directly from the `tcpSynReXmit` field if not empty or "0".
`tcpTWHS`	`additional.fields[].key`: "tcpTWHS" `additional.fields[].value.string_value`: `tcpTWHS`	Value taken directly from the `tcpTWHS` field if not empty or "0".
`tenantId`	`principal.resource.attribute.labels[].key`: "tenantId" `principal.resource.attribute.labels[].value`: `tenantId`	Value taken directly from the `tenantId` field.
`tenantName`	`observer.hostname`: `tenantName`	Value taken directly from the `tenantName` field.
`threatType`	`security_result.detection_fields[].key`: "threatType" `security_result.detection_fields[].value`: `threatType`	Value taken directly from the `threatType` field.
`toCountry`	`target.location.country_or_region`: `toCountry`	Value taken directly from the `toCountry` field.
`toZone`	`additional.fields[].key`: "toZone" `additional.fields[].value.string_value`: `toZone`	Value taken directly from the `toZone` field.
`traffType`	`additional.fields[].key`: "traffType" `additional.fields[].value.string_value`: `traffType`	Value taken directly from the `traffType` field.
`ts`	`metadata.event_timestamp`: `ts`	Value taken directly from the `ts` field and converted to timestamp.
`type`	`security_result.action`: `type`	See `action` for logic.
`urlAction`	`security_result.action`: `urlAction`	See `action` for logic.
`urlActionMessage`	`security_result.summary`: `urlActionMessage`	Value taken directly from the `urlActionMessage` field.
`urlCategory`	`principal.resource.attribute.labels[].key`: "urlCategory" `principal.resource.attribute.labels[].value`: `urlCategory`	Value taken directly from the `urlCategory` field.
`urlProfile`	`additional.fields[].key`: "urlProfile" `additional.fields[].value.string_value`: `urlProfile`	Value taken directly from the `urlProfile` field.
`urlReputation`	`security_result.severity_details`: `urlReputation`	Value taken directly from the `urlReputation` field.
`user`	`principal.ip`: `user`	Value taken directly from the `user` field.
`vsnId`	`principal.resource.attribute.labels[].key`: "vsnId" `principal.resource.attribute.labels[].value`: `vsnId`	Value taken directly from the `vsnId` field. Hardcoded value. Hardcoded value.

Changes

2024-06-03

Mapped "idpAction" to "security_result.action".
Mapped "threatType" to "security_result.detection_fields".
Mapped "ipsDirection" to "security_result.detection_fields".
Mapped "ipsProfile" to "security_result.detection_fields".
Mapped "signaturePriority" to "security_result.severity".
Mapped "signatureMsg" to "security_result.detection_fields".
Mapped "signatureId" to "security_result.detection_fields".
Mapped "ipsApplication" to "security_result.detection_fields".
Mapped "classMsg" to "security_result.description".
Mapped "ipsProfileRule" to "security_result.rule_name".
Mapped "ipsProtocol" to "network.ip_protocol".

2023-07-03

Added support for "entitlementlog", "monstatslog", and "tcpappmonlog".

2022-11-04

Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.