receivers:
tcplog:
# Replace the below port <54525> and IP <0.0.0.0> with your specific values
listen_address: "0.0.0.0:54525"
exporters:
chronicle/chronicle_w_labels:
compression: gzip
# Adjust the creds location below according the placement of the credentials file you downloaded
creds: '{ json file for creds }'
# Replace <customer_id> below with your actual ID that you copied
customer_id: <customer_id>
endpoint: malachiteingestion-pa.googleapis.com
# You can apply ingestion labels below as preferred
ingestion_labels:
log_type: SYSLOG
namespace: BMC_HELIX_DISCOVERY
raw_log_field: body
service:
pipelines:
logs/source0__chronicle_w_labels-0:
receivers:
- tcplog
exporters:
- chronicle/chronicle_w_labels
重启 Bindplane 代理以应用更改:
sudosystemctlrestartbindplane
从 BMC Helix Discovery 导出 Syslog
以 root 用户身份访问 BMC Discovery 实例。
修改 syslog 配置文件:etc/rsyslog.conf
在顶部添加以下条目:# Send everything to the remote syslog server。
将 IP 地址替换为您的 syslog 服务器的 IP 地址:
# Send everything to the remote syslog server
*.* @192.168.1.100
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[[["\u003cp\u003eThis guide explains how to collect logs from BMC Helix Discovery and send them to Google SecOps using the Bindplane Agent, focusing on login/logout events and status updates.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves downloading an ingestion authentication file and customer ID from the Google SecOps console, followed by installing and configuring the Bindplane Agent to receive syslog messages.\u003c/p\u003e\n"],["\u003cp\u003eSyslog messages from BMC Helix Discovery need to be configured to forward to the Bindplane Agent's designated IP address and port, which involves modifying the \u003ccode\u003ersyslog.conf\u003c/code\u003e file on the BMC Discovery instance.\u003c/p\u003e\n"],["\u003cp\u003eThe parser for BMC Helix Discovery logs extracts key fields like timestamps, usernames, and source IPs, and maps them to the Unified Data Model (UDM), categorizing events based on \u003ccode\u003eproduct_event_type\u003c/code\u003e and log descriptions.\u003c/p\u003e\n"],["\u003cp\u003eThis is a pre-GA feature, meaning it might have limited support, and changes to it may not be compatible with other pre-GA versions, as noted in the Google Security Operations Service Specific Terms.\u003c/p\u003e\n"]]],[],null,["# Collect BMC Helix Discovery logs\n================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis parser extracts fields from BMC Helix Discovery syslog messages using grok patterns. It focuses on login/logout events and status updates. It maps extracted fields like timestamps, usernames, source IPs, and descriptions to the UDM. Events are categorized based on the extracted `product_event_type` and log details.\n\nBefore you begin\n----------------\n\n- Ensure that you have a Google Security Operations instance.\n- Ensure that you are using Windows 2016 or later, or a Linux host with systemd.\n- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.\n- Ensure that you have privileged access to the BeyondTrust instance.\n\nGet Google SecOps ingestion authentication file\n-----------------------------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Collection Agents**.\n3. Download the **Ingestion Authentication File**.\n\nGet Google SecOps customer ID\n-----------------------------\n\n1. Sign in to the Google SecOps console.\n2. Go to **SIEM Settings \\\u003e Profile**.\n3. Copy and save the **Customer ID** from the **Organization Details** section.\n\nInstall Bindplane Agent\n-----------------------\n\n1. For **Windows installation** , run the following script: \n `msiexec /i \"https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi\" /quiet`\n2. For **Linux installation** , run the following script: \n `sudo sh -c \"$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)\" install_unix.sh`\n3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).\n\nConfigure Bindplane Agent to ingest Syslog and send to Google SecOps\n--------------------------------------------------------------------\n\n1. Access the machine where Bindplane is installed.\n2. Edit the `config.yaml` file as follows:\n\n receivers:\n tcplog:\n # Replace the below port \u003c54525\u003e and IP \u003c0.0.0.0\u003e with your specific values\n listen_address: \"0.0.0.0:54525\" \n\n exporters:\n chronicle/chronicle_w_labels:\n compression: gzip\n # Adjust the creds location below according the placement of the credentials file you downloaded\n creds: '{ json file for creds }'\n # Replace \u003ccustomer_id\u003e below with your actual ID that you copied\n customer_id: \u003ccustomer_id\u003e\n endpoint: malachiteingestion-pa.googleapis.com\n # You can apply ingestion labels below as preferred\n ingestion_labels:\n log_type: SYSLOG\n namespace: BMC_HELIX_DISCOVERY\n raw_log_field: body\n service:\n pipelines:\n logs/source0__chronicle_w_labels-0:\n receivers:\n - tcplog\n exporters:\n - chronicle/chronicle_w_labels\n\n3. Restart the Bindplane Agent to apply the changes:\n\n sudo systemctl restart bindplane\n\nExport Syslog from BMC Helix Discovery\n--------------------------------------\n\n1. Access the BMC Discovery instance as a **root user**.\n2. Edit the **syslog configuration** file: `etc/rsyslog.conf`\n3. Add the following entry at the top: `# Send everything to the remote syslog server`.\n4. Replace the IP address with that of your syslog server:\n\n # Send everything to the remote syslog server\n\n *.* @192.168.1.100\n\n5. Restart the syslog service on the appliance:\n\n sudo /usr/bin/systemctl restart rsyslog.service\n\n6. Test the forwarding configuration.\n\n7. Use the logger utility to send a syslog message:\n\n logger this is a test of remote logging\n\n8. Verify this has been logged:\n\n su -\n Password:\n\n tail -n5 /var/log/messages\n Jan 17 11:42:10 localhost seclab: this is a test of remote logging\n\n9. Sign in to Google SecOps and check that the same messages appear.\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
