Collect Micro Focus NetIQ Access Manager logs

This document explains how to collect Micro Focus NetIQ Access Manager logs to Google Security Operations using Bindplane. Micro Focus NetIQ Access Manager is an identity and access management (IAM) solution designed to secure applications and data by providing centralized authentication, authorization, and single sign-on (SSO) capabilities.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.
• Ensure that you have privileged access to NetIQ Access Manager.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

1. Open the Command Prompt or PowerShell as an administrator.

2. Run the following command:

   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
   

Linux installation

1. Open a terminal with root or sudo privileges.

2. Run the following command:

   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
   

Additional installation resources

• For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

1. Access the configuration file:

   1. Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
   2. Open the file using a text editor (for example, nano, vi, or Notepad).

2. Edit the config.yaml file as follows:

   receivers:
       tcplog:
           # Replace the port and IP address as required
           listen_address: "0.0.0.0:5252"
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the path to the credentials file you downloaded in Step 1
           creds: '/path/to/ingestion-authentication-file.json'
           # Replace with your actual customer ID from Step 2
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # Add optional ingestion labels for better organization
           ingestion_labels:
               log_type: SYSLOG
               namespace: netiq_access
               raw_log_field: body
   
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Replace the port and IP address as required in your infrastructure.

4. Replace <customer_id> with the actual customer ID.

5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

• To restart the Bindplane agent in Linux, run the following command:

  sudo systemctl restart bindplane-agent
  

• To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

  net stop BindPlaneAgent && net start BindPlaneAgent
  

Configure Identity Server audit events in NetIQ Access Manager

1. Sign in to the NetIQ administration console.
2. Select Devices > Identity server > Servers > Edit > Auditing and logging.
3. For Audit logging, select Enabled.
4. To audit all events, select Select All.
5. Click Apply > OK.
6. Click Servers > Update servers.

Configure Access Gateway audit events in NetIQ Access Manager

1. Sign in to the NetIQ administration console.
2. Go to Devices > Access gateways > Edit > Auditing.
3. Click Select All.
4. Click OK > OK.
5. On the Access gateways page, click Update.

Configure Logging Server in NetIQ Access Manager

1. Sign in to the NetIQ administration console.
2. Click Auditing.

3. Specify the following details:

   • Audit messages using syslog: select this option to send audit events to the audit server.
   • Stop service on audit server failure: leave blank.
   • Server listening address: enter Bindplane IP Address.
   • Port: specify the syslog port used to connect to Bindplane.
   • Format: select CSV.
   • Management console audit events: select All.

4. If syslog is selected for auditing, do the following:

   1. In nam.conf, change the SYSLOG_DAEMON value to rsyslog. This changes the default syslog daemon to rsyslog.

   2. To edit the Auditlogging.cfg file and set both SERVERIP and SERVERPORT macros as empty, run the following:

      LOGDEST=syslog
      FORMAT=JSON
      SERVERIP=
      SERVERPORT=
      

5. To configure UDP, run the following:

     #$ModLoad imtcp # load TCP listener
     $InputTCPServerRun 1290
     $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
     $ModLoad imudp
     local0.* @FORWARDERIP:PORT_NUMBER;ForwardFormat
   

6. Restart the rsyslog service.

Changes

2024-12-12

• Newly created parser.

Need more help? Get answers from Community members and Google SecOps professionals.