找到 config.yaml 文件。通常,它位于 Linux 上的 /etc/bindplane-agent/ 目录中或 Windows 上的安装目录中。
使用文本编辑器(例如 nano、vi 或记事本)打开该文件。
按如下方式修改 config.yaml 文件:
receivers:udplog:# Replace the port and IP address as requiredlisten_address:"0.0.0.0:514"exporters:chronicle/chronicle_w_labels:compression:gzip# Adjust the path to the credentials file you downloaded in Step 1creds_file_path:'/path/to/ingestion-authentication-file.json'# Replace with your actual customer ID from Step 2customer_id:<customer_id>
endpoint:malachiteingestion-pa.googleapis.com# Add optional ingestion labels for better organizationlog_type:'BARRACUDA_CLOUDGEN_FIREWALL'raw_log_field:bodyingestion_labels:service:pipelines:logs/source0__chronicle_w_labels-0:receivers:-udplogexporters:-chronicle/chronicle_w_labels
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[],[],null,["# Collect Barracuda CloudGen Firewall logs\n========================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document explains how to ingest Barracuda CloudGen Firewall logs to\nGoogle Security Operations using Bindplane.\n\nBefore you begin\n----------------\n\nMake sure you have the following prerequisites:\n\n- Google SecOps instance\n- Windows 2016 or later, or a Linux host with `systemd`\n- If running behind a proxy, firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open\n- Barracuda CloudGen Firewall running firmware **8.3 or later**\n- Privileged access to the Barracuda Firewall\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall the Bindplane agent\n---------------------------\n\nInstall the Bindplane agent on your Windows or Linux operating system according to the following instructions.\n\n### Windows installation\n\n1. Open the **Command Prompt** or **PowerShell** as an administrator.\n2. Run the following command:\n\n msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet\n\n### Linux installation\n\n1. Open a terminal with root or sudo privileges.\n2. Run the following command:\n\n sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh\n\n### Additional installation resources\n\nFor additional installation options, consult the [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure the Bindplane agent to ingest Syslog and send to Google SecOps\n------------------------------------------------------------------------\n\n1. Access the configuration file:\n - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.\n - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n udplog:\n # Replace the port and IP address as required\n listen_address: \"0.0.0.0:514\"\n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the path to the credentials file you downloaded in Step 1\n creds_file_path: '/path/to/ingestion-authentication-file.json'\n # Replace with your actual customer ID from Step 2\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # Add optional ingestion labels for better organization\n log_type: 'BARRACUDA_CLOUDGEN_FIREWALL'\n raw_log_field: body\n ingestion_labels:\n\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - udplog\n exporters:\n - chronicle/chronicle_w_labels\n\n - Replace the port and IP address as required in your infrastructure.\n - Replace `\u003ccustomer_id\u003e` with the actual customer ID.\n - Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/barracuda-cloudgen-firewall#get-auth-file) section.\n\nRestart the Bindplane agent to apply the changes\n------------------------------------------------\n\n- To restart the Bindplane agent in **Linux**, run the following command:\n\n sudo systemctl restart bindplane-agent\n\n- To restart the Bindplane agent in **Windows** , you can either use the\n **Services** console or enter the following command:\n\n net stop BindPlaneAgent && net start BindPlaneAgent\n\nEnable Syslog for Barracuda CloudGen Firewall\n---------------------------------------------\n\n1. Sign in to the **Barracuda Firewall Control Center** at the box level.\n2. Go to **Configuration \\\u003e Full Configuration \\\u003e Box \\\u003e Infrastructure Services \\\u003e Syslog Streaming**.\n3. Click the **Lock** icon to enable editing.\n4. Switch **Enable Syslog Streaming** to **Yes**.\n5. Click **Send Changes \\\u003e Activate**.\n\nConfigure Logdata Filters for Barracuda CloudGen Firewall\n---------------------------------------------------------\n\n1. Go to **Configuration \\\u003e Full Configuration \\\u003e Box \\\u003e Infrastructure Services \\\u003e Syslog Streaming**.\n2. Select **Logdata Filters**.\n3. Click the **Configuration Mode** menu and select **Switch to Advanced View**.\n4. Click the **Lock** icon to enable editing.\n5. Click add **Add** to add a new entry.\n6. Provide a unique name in the **Filters** dialog.\n7. Click **OK**.\n8. In the **Affected Box Logdata** section, select **logs sent via syslog**.\n9. Click add **Add** next to **Data Selection**.\n10. Provide a unique name for the **group**.\n11. Click **OK**.\n12. Select the following items from the **Data Selection** or your specific categories for logging:\n - `Auth-All`\n - `Config-All`\n - `Control-All`\n - `Event-All`\n - `Firewall-All`\n - `Network-All`\n - `Settings-All`\n - `SSH-All`\n - `System-All`\n13. Select the following items from **Message Types** or your specific severity for logging:\n - `Panic`\n - `Security`\n - `Fatal`\n - `Error`\n - `Warning`\n - `Notice`\n14. Click **OK**.\n15. Click **Send Changes \\\u003e Activate**.\n\nConfigure Logstream Destination for Barracuda CloudGen Firewall\n---------------------------------------------------------------\n\n1. Go to **Configuration \\\u003e Full Configuration \\\u003e Box \\\u003e Infrastructure Services \\\u003e Syslog Streaming**.\n2. Select **Logstream Destinations**.\n3. Click the **Configuration Mode** menu and select **Switch to Advanced View**.\n4. Click the **Lock** icon to enable editing.\n5. Click the add **Add** to add a new entry.\n6. Provide a unique name for the **destination**.\n7. Click **OK**.\n8. Select the newly created **Logstream Destination**.\n9. Click **Explicit IP**.\n10. Provide the following configuration details:\n - **Destination IP Address**: Enter the Bindplane agent IP address.\n - **Destination Port**: Enter the Bindplane agent port number.\n - **Transmission Mode** : Select **UDP**.\n11. Click **OK**.\n12. Click **Send Changes \\\u003e Activate**.\n\nConfigure Logdata Streams for Barracuda CloudGen Firewall\n---------------------------------------------------------\n\n1. Go to **Configuration \\\u003e Full Configuration \\\u003e Box \\\u003e Infrastructure Services \\\u003e Syslog Streaming**.\n2. Select **Logdata Streams**.\n3. Click the **Configuration Mode** menu and select **Switch to Advanced View**.\n4. Click the **Lock** icon to enable editing.\n5. Click the add **Add** to add a new entry.\n6. Provide a unique name for the **configuration**.\n7. Click **OK**.\n8. Set **Active Streams** to **Yes**.\n9. Set **Log Destinations** to the destination created earlier.\n10. Set **Log Filters** to the filter created earlier.\n11. Click **OK**.\n12. Click **Send Changes \\\u003e Activate**.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
