Collect NGINX logs

This NGINX parser handles JSON and syslog formatted logs. It extracts fields from various log formats and normalizes them into the UDM format. The parser enriches the event with metadata for server management and network activity, including user logins and HTTP requests. It also handles logic for SSH events and populates UDM fields based on extracted data.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure NGINX is running and generating logs.
• Ensure that you have root access to NGINX host machine.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

1. For Windows installation, run the following script:
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
2. For Linux installation, run the following script:
   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
3. Additional installation options can be found in this installation guide.

Configure the BindPlane Agent to ingest Syslog and send to Google SecOps

1. Access the machine where BindPlane is installed.

2. Edit the config.yaml file as follows:

   receivers:
     tcplog:
       # Replace the below port <54525> and IP <0.0.0.0> with your specific values
       listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: auditd
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Restart the BindPlane Agent to apply the changes:

   sudo systemctl restart bindplane
   

Identify NGINX log files location

NGINX logs are stored in: * Access logs: /var/log/nginx/access.log * Error logs: /var/log/nginx/error.log 1. Access the NGINX host using administrative credentials. 1. Run the following command and look for the log file paths on your NGINX host:

  sudo cat /etc/nginx/nginx.conf | grep log

Configure NGINX to Forward Logs to Bindplane

1. Open the NGINX configuration file (for example, /etc/nginx/nginx.conf):

   sudo vi /etc/nginx/nginx.conf
   

2. Edit the configuration, replacing <BINDPLANE_SERVER> and <BINDPLANE_PORT> with your values:

   http {
       access_log syslog:server=<BINDPLANE_SERVER>:<BINDPLANE_PORT>,facility=local7,tag=nginx_access;
       error_log syslog:server=<BINDPLANE_SERVER>:<BINDPLANE_PORT>,facility=local7,tag=nginx_error;
   }
   

3. Restart NGINX to apply the changes:

   sudo systemctl reload nginx
   

UDM Mapping Table

Changes

2022-09-10

• Created a default parser and deleted the customer-specific parser.
• Initial parser release.