Collect NetApp ONTAP logs
=========================

Last updated 2025-08-29 UTC.

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

**Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document describes how you can collect NetApp ONTAP logs through Syslog. The parser extracts fields from syslog messages using regular expressions, then maps the extracted fields to the corresponding UDM (Unified Data Model) fields, converting raw log data into a structured format for security analysis.

Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.
- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that you have administrative access to the NetApp ONTAP cluster.
- Ensure that ONTAP can communicate with the Syslog server (Bindplane).

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where the Bindplane Agent will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install Bindplane Agent
-----------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

        msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

        sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the configuration file:

    - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
    - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

        receivers:
          udplog:
            # Replace the port <54525> and IP <0.0.0.0> below with your specific values
            listen_address: "0.0.0.0:54525"

        exporters:
          chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the creds location below according to the placement of the credentials file you downloaded
            creds: '{ json file for creds }'
            # Replace <customer_id> below with the actual ID that you copied
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # You can apply ingestion labels below as preferred
            ingestion_labels:
            log_type: SYSLOG
            namespace: netapp_ontap
            raw_log_field: body

        service:
          pipelines:
            logs/source0__chronicle_w_labels-0:
              receivers:
                - udplog
              exporters:
                - chronicle/chronicle_w_labels

3. Replace the port and IP address as required in your infrastructure.
4. Replace `<customer_id>` with the actual customer ID.
5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/netapp-ontap#get-auth-file) section.

Restart Bindplane Agent to apply the changes
--------------------------------------------

- In Linux, to restart the Bindplane Agent, run the following command:

        sudo systemctl restart bindplane-agent

- In Windows, to restart the Bindplane Agent, you can either use the **Services** console or enter the following command:

        net stop BindPlaneAgent && net start BindPlaneAgent

Configure a Syslog destination in ONTAP
---------------------------------------

1. Access the ONTAP cluster using SSH, replacing `<ontap-cluster-ip>` with the management IP of your ONTAP cluster:

        ssh admin@<ontap-cluster-ip>

2. Check **existing** event **filters and notifications**:

        event filter show
        event notification show

3. Create a **Syslog destination**, replacing `<syslog-server-ip>` and `<syslog-server-port>` with your Syslog server (Bindplane) details:

        event notification destination create -name syslog-ems -syslog <syslog-server-ip> -syslog-port <syslog-server-port> -syslog-transport udp-unencrypted

4. Other options for `-syslog-transport`:

    - `udp-unencrypted` (default)
    - `tcp-unencrypted`
    - `tcp-encrypted` (for TLS)

5. **Verify** the Syslog **destination**:

        event notification destination show

Configure existing event filters
--------------------------------

- Link the **default filters** to the Syslog destination:

        event notification create -filter-name no-info-debug-events -destinations syslog-ems
        event notification create -filter-name default-trap-events -destinations syslog-ems

Optional: Create and configure custom filters
---------------------------------------------

1. Authentication events filter (logins/logouts): captures logs whose description matches "Logging in" or "Logging out":

        event filter create -filter-name auth_events
        event filter rule add -filter-name auth_events -type include -message-name *login* -severity info
        event filter rule add -filter-name auth_events -type include -message-name *logout* -severity info

2. Security detection fields filter: captures logs related to `nmsdk_language`, `nmsdk_platform`, `nmsdk_version`, and `netapp_version`:

        event filter create -filter-name security_fields
        event filter rule add -filter-name security_fields -type include -message-name *nmsdk_language* -severity info
        event filter rule add -filter-name security_fields -type include -message-name *nmsdk_platform* -severity info
        event filter rule add -filter-name security_fields -type include -message-name *nmsdk_version* -severity info
        event filter rule add -filter-name security_fields -type include -message-name *netapp_version* -severity info

3. Severity-based logs filter: captures logs whose severity is informational:

        event filter create -filter-name severity_info
        event filter rule add -filter-name severity_info -type include -message-name * -severity info

4. Network activity filter: captures logs with `src_ip` and `src_port`:

        event filter create -filter-name network_activity
        event filter rule add -filter-name network_activity -type include -message-name *src_ip* -severity info
        event filter rule add -filter-name network_activity -type include -message-name *src_port* -severity info

5. URL target logs filter: captures logs with URL information:

        event filter create -filter-name url_target
        event filter rule add -filter-name url_target -type include -message-name *url* -severity info

6. Apply each filter to the Syslog destination:

        event notification create -filter-name auth_events -destinations syslog-ems
        event notification create -filter-name security_fields -destinations syslog-ems
        event notification create -filter-name severity_info -destinations syslog-ems
        event notification create -filter-name network_activity -destinations syslog-ems
        event notification create -filter-name url_target -destinations syslog-ems

7. Verify the notifications:

        event notification show

UDM Mapping Table
-----------------
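A pre-restart check for the `config.yaml` edited in the Bindplane configuration section above, as an added example that is neither the page's nor the Bindplane project's code; it assumes the file has already been loaded into a dict (for example with `yaml.safe_load`) and that `creds` holds either the pasted JSON or a file path, as step 5 describes.

```python
# Added example (not from the Google SecOps page or the Bindplane project): checks the
# parsed config.yaml shown above before the agent is restarted. In practice load the
# file with yaml.safe_load(); here the page's config is embedded as a dict.
import copy
import os

CREDS_PLACEHOLDER = "{ json file for creds }"

PAGE_CONFIG = {  # the page's config.yaml with its placeholders still in place
    "receivers": {"udplog": {"listen_address": "0.0.0.0:54525"}},
    "exporters": {"chronicle/chronicle_w_labels": {
        "compression": "gzip", "creds": CREDS_PLACEHOLDER, "customer_id": "<customer_id>",
        "endpoint": "malachiteingestion-pa.googleapis.com",
        "log_type": "SYSLOG", "namespace": "netapp_ontap", "raw_log_field": "body"}},
    "service": {"pipelines": {"logs/source0__chronicle_w_labels-0": {
        "receivers": ["udplog"], "exporters": ["chronicle/chronicle_w_labels"]}}},
}

def check_bindplane_config(cfg, creds_must_exist=True):
    """Return the list of problems found (an empty list means the config looks usable)."""
    problems = []
    addr = cfg.get("receivers", {}).get("udplog", {}).get("listen_address", "")
    host, _, port = addr.rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("udplog.listen_address must be <ip>:<port> with a valid port")
    exp = cfg.get("exporters", {}).get("chronicle/chronicle_w_labels", {})
    cid = str(exp.get("customer_id", ""))
    if not cid or cid.startswith("<"):
        problems.append("customer_id placeholder was not replaced")
    creds = str(exp.get("creds", "")).strip()
    if not creds or creds == CREDS_PLACEHOLDER:
        problems.append("creds still holds the placeholder")
    # Assumption: creds is either the pasted JSON ('{...}') or a file path (step 5 above).
    elif creds_must_exist and not creds.startswith("{") and not os.path.isfile(creds):
        problems.append(f"creds file not found: {creds}")
    if exp.get("endpoint") != "malachiteingestion-pa.googleapis.com":
        problems.append("endpoint is not the Google SecOps ingestion endpoint")
    if exp.get("log_type") != "SYSLOG" or not exp.get("namespace"):
        problems.append("log_type must be SYSLOG and namespace must be set")
    for name, pipe in cfg.get("service", {}).get("pipelines", {}).items():
        for kind in ("receivers", "exporters"):  # every reference must be defined
            for ref in pipe.get(kind, []):
                if ref not in cfg.get(kind, {}):
                    problems.append(f"pipeline {name} references undefined {kind[:-1]} {ref}")
    return problems

def filled_config(customer_id, creds):
    """Copy of PAGE_CONFIG with the two placeholders replaced (values are the caller's)."""
    cfg = copy.deepcopy(PAGE_CONFIG)
    exp = cfg["exporters"]["chronicle/chronicle_w_labels"]
    exp["customer_id"], exp["creds"] = customer_id, creds
    return cfg
```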
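To see what the `udplog` receiver gets from the ONTAP Syslog destination and which fields a regex-based parser can lift out before UDM mapping, here is an added example (not the page's parser and not Google's): a loopback UDP round trip plus field extraction on a constructed EMS-style message; the `[node: process: message.name:severity]: text` layout and the sample values are assumptions made for the demo.

```python
# Added example (not the page's or Google's parser): a local UDP round trip standing in
# for ONTAP -> Bindplane udplog, plus regex field extraction from the received message.
# The "[node: process: message.name:severity]: text" layout is an assumption for the demo.
import re
import socket

EMS_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[(?P<node>[^:]+): (?P<process>[^:]+): (?P<event>[\w.]+):(?P<sev>\w+)\]: (?P<text>.*)$"
)
SYSLOG_SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_ems(raw):
    """Lift syslog and EMS fields out of one message; None if the layout does not match."""
    m = EMS_RE.match(raw)
    if not m:
        return None
    pri = int(m["pri"])
    login = re.search(r"user '?(?P<user>[\w.@-]+)'? from (?P<ip>[\d.]+)", m["text"], re.I)
    return {
        "facility": pri >> 3,                 # PRI = facility * 8 + severity
        "severity": SYSLOG_SEVERITIES[pri & 7],
        "hostname": m["host"],
        "node": m["node"],
        "process": m["process"],
        "event_type": m["event"],             # e.g. mgmtgateway.login.success
        "ems_severity": m["sev"],             # the severity the EMS filter rules classify on
        "user": login["user"] if login else None,
        "src_ip": login["ip"] if login else None,
        "text": m["text"],
    }

def send_and_receive(message, port=0):
    """Bind a local UDP socket (like udplog), send the message to it, return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(2)
        tx.sendto(message.encode(), rx.getsockname())
        return rx.recv(65535).decode()

# Constructed sample: facility local4 (20) and severity notice (5), so PRI = 165.
SAMPLE = ("<165>Aug 29 10:15:02 cluster1 [cluster1-01: mgwd: mgmtgateway.login.success:notice]: "
          "User 'admin' from 192.0.2.10 logged in via ssh.")

if __name__ == "__main__":
    print(parse_ems(send_and_receive(SAMPLE)))
```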