Collect HPE iLO logs
Supported in:
This document explains how to ingest the HPE iLO (Hewlett Packard Enterprise Integrated Lights-Out) logs to Google Security Operations using Bindplane. The parser code first attempts to parse the raw log message as JSON. If that fails, it uses regular expressions (grok patterns) to extract fields from the message based on common HP iLO log formats.
Before you begin
Ensure that you have the following prerequisites:
- Google SecOps instance
- Windows 2016 or later or Linux host with systemd
- If running behind a proxy, firewall ports are open
- Privileged access to HPE iLO
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Windows installation
- Open the Command Prompt or PowerShell as an administrator.
Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
Linux installation
- Open a terminal with root or sudo privileges.
Run the following command:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
Additional installation resources
For additional installation options, consult the installation guide.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
Access the configuration file:
- Locate the
config.yamlfile. Typically, it's in the/etc/bindplane-agent/directory on Linux or in the installation directory on Windows. - Open the file using a text editor (for example,
nano,vi, or Notepad).
- Locate the
Edit the
config.yamlfile as follows:receivers: udplog: # Replace the port and IP address as required listen_address: "0.0.0.0:514" exporters: chronicle/chronicle_w_labels: compression: gzip # Adjust the path to the credentials file you downloaded in Step 1 creds: '/path/to/ingestion-authentication-file.json' # Replace with your actual customer ID from Step 2 customer_id: <customer_id> endpoint: malachiteingestion-pa.googleapis.com # Add optional ingestion labels for better organization ingestion_labels: log_type: HPE_ILO raw_log_field: body service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - udplog exporters: - chronicle/chronicle_w_labelsReplace the port and IP address as required in your infrastructure.
Replace
<customer_id>with the actual customer ID.Update
/path/to/ingestion-authentication-file.jsonto the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux, run the following command:
sudo systemctl restart bindplane-agentTo restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
net stop BindPlaneAgent && net start BindPlaneAgent
Configure Syslog in HP iLO
- Sign in to the HPE iLO web UI.
- Go to Management > Remote Syslog tab.
- Click Enable iLO Remote Syslog.
- Provide the following configuration details:
- Remote Syslog Port: Enter the Bindplane port number (for example,
514). - Remote Syslog Server: Enter the Bindplane IP address.
- Remote Syslog Port: Enter the Bindplane port number (for example,
- Click Send Test Syslog and validate it was received in Google SecOps.
- Click Apply.
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
data |
This field is parsed and mapped to various UDM fields based on its content. | |
data.HOSTNAME |
principal.hostname | Mapped when the first grok pattern in the "message" field matches, or when the "description" field contains "Host". Determines if event_type is STATUS_UPDATE. |
data.HOSTNAME |
network.dns.questions.name | Populated by grok pattern matching "DATA" in "message". Used to populate dns.questions if not empty and doesn't contain "(?i)not found". |
data.HOSTNAME |
target.user.user_display_name | Populated by grok pattern matching "DATA" in "message". |
data.IP |
target.ip | Populated by grok patterns matching "IP" in "message" or "summary". |
data.WORD |
metadata.product_event_type | Populated by grok pattern matching "WORD" in "message". |
data.GREEDYDATA |
security_result.summary | Populated by grok pattern matching "GREEDYDATA" in "message". Used to determine network.application_protocol and event_type based on its content. |
data.TIMESTAMP_ISO8601 |
metadata.event_timestamp | Populated by the date plugin based on various timestamp formats. |
data.MONTHNUM |
Not Mapped | |
data.MONTHDAY |
Not Mapped | |
data.YEAR |
Not Mapped | |
data.TIME |
Not Mapped | |
data.HOST |
principal.hostname | Mapped when the second grok pattern in the "message" field matches. |
data.INT |
Not Mapped | |
data.UserAgent |
network.http.user_agent | Mapped when the description field contains User-Agent. |
data.Connection |
security_result.description | Mapped when the description field contains Connection. |
| N/A | metadata.event_type | Defaults to GENERIC_EVENT. Changes to STATUS_UPDATE if data.HOSTNAME is successfully mapped to principal.hostname, NETWORK_DNS if question is populated, or USER_LOGIN if summary contains Browser login. |
| N/A | metadata.vendor_name | Hardcoded to HP. |
| N/A | metadata.log_type | Set to HPE_ILO. |
| N/A | network.application_protocol | Set to LDAP if summary contains LDAP, or DNS if question is populated. |
| N/A | extensions.auth.type | Set to MACHINE if summary contains Browser login. |
Changes
2023-11-27
Bug fix:
- Set
metadata.event_typetoUSER_LOGINif logs are ofBrowser Logintype. - Set
metadata_event_typetoSTATUS_UPDATEifprincipal.hostnameis present.
Need more help? Get answers from Community members and Google SecOps professionals.