Collect VMware Workspace ONE UEM logs

Supported in:

This parser extracts logs from VMware Workspace ONE UEM (formerly known as VMware AirWatch) in Syslog, CEF, or key-value pair formats. It normalizes fields such as usernames, timestamps, and event details, mapping them to the UDM. The parser handles various Workspace ONE UEM event types, populating principal, target, and other UDM fields based on specific event data and logic for different log formats.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you have privileged access to the VMware Workspace ONE console.
  • Ensure that you have a Windows or Linux host with systemd.
  • If running behind a proxy, ensure that the firewall ports are open.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and Save the customer ID from the Organization Details section.

Install BindPlane Agent

  1. For Windows installation, run the following script:
    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
  2. For Linux installation, run the following script:
    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
  3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

  1. Access the machine where BindPlane is installed.

  2. Edit the config.yaml file as follows:

    receivers:
  tcplog:
    # Replace the below port <54525> and IP (0.0.0.0) with your specific values
    listen_address: "0.0.0.0:54525" 

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the creds location below according the placement of the credentials file you downloaded
        creds: '{ json file for creds }'
        # Replace <customer_id> below with your actual ID that you copied
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # You can apply ingestion labels below as preferred
        ingestion_labels:
        log_type: SYSLOG
        namespace: 
        raw_log_field: body
service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - tcplog
            exporters:
                - chronicle/chronicle_w_labels

  3. Restart BindPlane Agent to apply the changes using the following command: sudo systemctl bindplane restart

Configuring syslog in VMware Workspace ONE UEM

  1. Sign in to the Workspace ONE UEM Console:
  2. Go to Settings > System > Advanced > Syslog.
  3. Check the option to Enable Syslog.
  4. Specify values for the following input parameters:
    • IP Address/Hostname: enter the address of your BindPlane Agent.
    • Port: enter the designated port (default: 514).
    • Protocol: select UDP or TCP depending on your BindPlane agent configuration.
    • Select Log Types: select the logs you want to send to Google SecOps - Device Management Logs, Console Activity Logs, Compliance Logs, Event Logs
    • Set the log level (for example, Info, Warning, Error).
  5. Click Save to apply settings

UDM Mapping Table

Log Field UDM Mapping Logic
AdminAccount principal.user.userid The AdminAccount from the raw log is mapped to the principal.user.userid field.
Application target.application The Application field from the raw log is mapped to the target.application field.
ApplicationUUID additional.fields The ApplicationUUID field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "ApplicationUUID".
BytesReceived network.received_bytes The BytesReceived field from the raw log is mapped to the network.received_bytes field.
Device target.hostname The Device field from the raw log is mapped to the target.hostname field.
FriendlyName target.hostname The FriendlyName field from the raw log is mapped to the target.hostname field when Device is not available.
GroupManagementData security_result.description The GroupManagementData field from the raw log is mapped to the security_result.description field.
Hmac additional.fields The Hmac field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Hmac".
LoginSessionID network.session_id The LoginSessionID field from the raw log is mapped to the network.session_id field.
LogDescription metadata.description The LogDescription field from the raw log is mapped to the metadata.description field.
MessageText metadata.description The MessageText field from the raw log is mapped to the metadata.description field.
OriginatingOrganizationGroup principal.user.group_identifiers The OriginatingOrganizationGroup field from the raw log is mapped to the principal.user.group_identifiers field.
OwnershipType additional.fields The OwnershipType field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "OwnershipType".
Profile target.resource.name The Profile field from the raw log is mapped to the target.resource.name field when ProfileName is not available.
ProfileName target.resource.name The ProfileName field from the raw log is mapped to the target.resource.name field.
Request Url target.url The Request Url field from the raw log is mapped to the target.url field.
SmartGroupName target.group.group_display_name The SmartGroupName field from the raw log is mapped to the target.group.group_display_name field.
Tags additional.fields The Tags field from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Tags".
User target.user.userid The User field from the raw log is mapped to the target.user.userid field. The Event Category from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Event Category". The Event Module from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Event Module". The Event Source from the raw log is added as a key-value pair to the additional.fields array in the UDM. The key is "Event Source". Set to "SSO" by the parser for specific events. Derived from the raw log's timestamp. The parser extracts the date and time from the raw log and converts it to a UDM timestamp. Determined by the parser based on the event_name and other fields. See parser code for the mapping logic. Set to "AIRWATCH" by the parser. The event_name from the raw log is mapped to the metadata.product_event_type field. Set to "AirWatch" by the parser. Set to "VMWare" by the parser. The domain from the raw log is mapped to the principal.administrative_domain field. The hostname is extracted from the device_name field in the raw log or mapped from the Device or FriendlyName fields. The sys_ip from the raw log is mapped to the principal.ip field. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. The user_name from the raw log is mapped to the principal.user.userid field. Extracted from the raw log for certain event types. Set by the parser for specific events. Set by the parser for specific events. The event_category from the raw log is mapped to the security_result.category_details field. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. The domain from the raw log is mapped to the target.administrative_domain field. Constructed by combining DeviceSerialNumber and DeviceUdid from the raw log for the "DeleteDeviceRequested" event. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. The sys_ip or other IP addresses from the raw log are mapped to the target.ip field. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. Set by the parser for specific events. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types. Extracted from the raw log for certain event types.

Changes

2024-11-15

  • Enhancement:
  • Added Grok patterns for new types of logs.

2024-10-17

  • Enhancement:
  • Added support for new types of logs.

2024-10-07

  • Enhancement:
  • Added support for new type of logs.

2024-09-23

  • Enhancement:
  • Added support to parse unparsed logs.

2024-06-25

  • Enhancement:
  • Fixed the Grok pattern to map "username" to "principal.user.user_display_name".
  • Mapped "device_type" to "additional.fields".
  • Added the Grok patterns for new type of logs.

2023-09-05

  • Bug Fix:
  • Added a Grok pattern to parse dropped logs.

2023-05-05

  • Bug Fix:
  • Modified Grok pattern to parse dropped logs.

2023-04-26

  • Bug Fix:
  • Added support for different type of syslog formatted logs.

2022-12-27

  • Bug Fix:
  • Added support for different type of Syslog Format logs.
  • Added specific conditional checks to handle multiple 'event_name'.

2022-09-02

  • Enhancement:
  • Wrote grok to parse the unparsed ccf format logs.

2022-06-29

  • Enhancement:
  • Parsed log with event_name as "MergeGroupCompletedEvent"
  • mapped "GroupManagementData" to "security_result.description".
  • mapped "EventSource", "EventModule" to "event.idm.read_only_udm.additional.fields".
  • mapped "cat" to "security_result.category_details".
  • modified "event.idm.read_only_udm.metadata.event_type" from "GENERIC_EVENT" to "USER_UNCATEGORIZED" in case either of "principal.user.userid" or "target.user.userid" is present.

2022-06-20

  • Enhancement:
  • Event Category mapped to _udm.additional.fields(event_category)
  • Added event type GENERIC_EVENT for SecurityInformation, SecurityInformationConfirmed(event_name) to handle unparse log