This parser extracts fields from Aruba switch syslog messages using grok patterns and maps them to the UDM model. It handles various fields, including timestamps, hostnames, application names, process IDs, event IDs, and descriptions, populating the relevant UDM fields. The event type is set based on the presence of principal information.
Before you begin
Ensure that you have a Google Security Operations instance.
Ensure that you have a Windows 2016 or later or a Linux host with systemd.
If running behind a proxy, ensure firewall ports are open.
Ensure that you privileged access to the Aruba switch.
Get Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings>Collection Agents.
Download the Ingestion Authentication File.
Get Google SecOps customer ID
Sign in to the Google SecOps console.
Go to SIEM Settings>Profile.
Copy and save the Customer ID from the Organization Details section.
Install Bindplane Agent
For Windows installation, run the following script: msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
For Linux installation, run the following script: sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
Additional installation options can be found in this installation guide.
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
Access the machine where Bindplane is installed.
Edit the config.yaml file as follows:
receivers:
tcplog:
# Replace the below port <54525> and IP <0.0.0.0> with your specific values
listen_address: "0.0.0.0:54525"
exporters:
chronicle/chronicle_w_labels:
compression: gzip
# Adjust the creds location below according the placement of the credentials file you downloaded
creds: '{ json file for creds }'
# Replace <customer_id> below with your actual ID that you copied
customer_id: <customer_id>
endpoint: malachiteingestion-pa.googleapis.com
# You can apply ingestion labels below as preferred
ingestion_labels:
log_type: SYSLOG
namespace: aruba_switch
raw_log_field: body
service:
pipelines:
logs/source0__chronicle_w_labels-0:
receivers:
- tcplog
exporters:
- chronicle/chronicle_w_labels
Restart the Bindplane Agent to apply the changes:
sudosystemctlrestartbindplane
Configure Syslog on the Aruba Switch
Connect to the Aruba switch through the Console:
sshadmin@<switch-ip>
Connect to the Aruba switch through a Web Interface:
Go to the Aruba switch web GUI.
Authenticate with the switch's administrator credentials.
Enable Syslog using the CLI configuration:
Enter global configuration mode:
configureterminal
Specify the external syslog server:
logging<bindplane-ip>:<bindplane-port>
Replace <bindplane-ip> and <bindplane-port> with the address of your Bindplane agent.
Optional: Set the logging severity level:
loggingseverity<level>
Optional: Add a custom log source identifier (tag):
loggingfacilitylocal5
Save the configuration:
writememory
Enable Syslog using Web Interface Configuration:
Log in to the Aruba switch web interface.
Go to System>Logs>Syslog.
Add syslog server parameters:
Enter the Bindplane IP address.
Enter the Bindplane Port.
Set the Severity Level to control the verbosity of logs.
Click Save.
UDM Mapping Table
Log Field
UDM Mapping
Logic
app
principal.application
The value of the app field from the raw log is directly assigned to principal.application.
description
security_result.description
The value of the description field from the raw log is directly assigned to security_result.description.
event_id
additional.fields.key
The string "event_id" is assigned to additional.fields.key.
event_id
additional.fields.value.string_value
The value of the event_id field from the raw log is directly assigned to additional.fields.value.string_value.
host
principal.asset.hostname
The value of the host field from the raw log is directly assigned to principal.asset.hostname.
host
principal.hostname
The value of the host field from the raw log is directly assigned to principal.hostname.
pid
principal.process.pid
The value of the pid field from the raw log is directly assigned to principal.process.pid.
ts
metadata.event_timestamp
The value of the ts field from the raw log is converted to a timestamp and assigned to metadata.event_timestamp. The timestamp is also used for the top-level timestamp field in the UDM. The metadata.event_type is set to "STATUS_UPDATE" because the principal_mid_present variable is set to "true" in the parser when the host field is present in the raw log. The string "ARUBA_SWITCH" is assigned to metadata.product_name within the parser. The string "ARUBA SWITCH" is assigned to metadata.vendor_name within the parser. The parser attempts to extract and parse the user agent from the raw log using client.userAgent.rawUserAgent. If successful, the parsed user agent is assigned to network.http.parsed_user_agent. However, since the raw logs provided do not contain this field, this UDM field will likely be empty. The parser attempts to extract the raw user agent from the raw log using client.userAgent.rawUserAgent. If successful, the raw user agent is assigned to network.http.user_agent. However, since the raw logs provided do not contain this field, this UDM field will likely be empty.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide provides instructions on how to collect and ingest Aruba switch syslog messages into Google SecOps using the Bindplane Agent.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves installing and configuring the Bindplane Agent on a Windows or Linux host to receive syslog data from the Aruba switch.\u003c/p\u003e\n"],["\u003cp\u003eYou must obtain a Google SecOps ingestion authentication file and customer ID to configure the Bindplane Agent for data transfer.\u003c/p\u003e\n"],["\u003cp\u003eThe Aruba switch must be configured to send syslog messages to the Bindplane Agent's IP address and port, which can be done through the command-line interface (CLI) or the web interface.\u003c/p\u003e\n"],["\u003cp\u003eThe parser extracts fields from the Aruba switch syslog messages and maps them to the Unified Data Model (UDM), assigning fields such as hostname, application, and description to their respective UDM counterparts.\u003c/p\u003e\n"]]],[],null,["# Collect Aruba switch logs\n=========================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser extracts fields from Aruba switch syslog messages using grok patterns and maps them to the UDM model. It handles various fields, including timestamps, hostnames, application names, process IDs, event IDs, and descriptions, populating the relevant UDM fields. The event type is set based on the presence of principal information.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you have a Windows 2016 or later or a Linux host with systemd.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that you privileged access to the Aruba switch.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Collection Agents**.\n3. Download the **Ingestion Authentication File**.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings** \\\u003e **Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n1. For **Windows installation** , run the following script: \n `msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet`\n2. For **Linux installation** , run the following script: \n `sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh`\n3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the machine where Bindplane is installed.\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: aruba_switch\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Restart the Bindplane Agent to apply the changes:\n\n sudo systemctl restart bindplane\n\nConfigure Syslog on the Aruba Switch\n------------------------------------\n\n1. Connect to the **Aruba** switch through the **Console**:\n\n ssh admin@\u003cswitch-ip\u003e\n\n2. Connect to the **Aruba** switch through a **Web Interface**:\n\n - Go to the Aruba switch web GUI.\n - Authenticate with the switch's administrator credentials.\n3. Enable **Syslog** using the **CLI** configuration:\n\n - Enter global configuration mode:\n\n configure terminal\n\n - Specify the external syslog server:\n\n logging \u003cbindplane-ip\u003e:\u003cbindplane-port\u003e\n\n - Replace `\u003cbindplane-ip\u003e` and `\u003cbindplane-port\u003e` with the address of your Bindplane agent.\n\n4. Optional: Set the logging **severity level**:\n\n logging severity \u003clevel\u003e\n\n | **Note:** Severity levels range from 0 (emergency) to 7 (debug).\n5. Optional: Add a **custom** log source **identifier** (tag):\n\n logging facility local5\n\n6. Save the configuration:\n\n write memory\n\n7. Enable **Syslog** using Web Interface Configuration:\n\n - Log in to the Aruba switch web interface.\n - Go to **System** \\\u003e **Logs** \\\u003e **Syslog**.\n - Add syslog server parameters:\n - Enter the **Bindplane IP** address.\n - Enter the **Bindplane Port**.\n - Set the **Severity Level** to control the verbosity of logs.\n - Click **Save**.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
