Collect OPNsense firewall logs

This parser extracts fields from OPNsense firewall logs (syslog and CSV formats) and maps them to the UDM. It uses grok and CSV parsing for "filterlog" application logs, handling different log formats and network protocols (TCP, UDP, ICMP, etc.) to populate UDM fields like principal, target, network, and security_result. It also adds metadata like vendor and product name, and determines the event type based on the presence of principal and target information.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you have privileged access to the OPNsense web interface.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

1. For Windows installation, run the following script:
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
2. For Linux installation, run the following script:
   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

1. Access the machine where BindPlane is installed.

2. Edit the config.yaml file as follows:

   receivers:
     tcplog:
       # Replace the below port <54525> and IP (0.0.0.0) with your specific values
       listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: testNamespace
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Restart BindPlane Agent to apply the changes using the following command: sudo systemctl bindplane restart

Add Syslog server configuration to OPNsense

1. Sign in to the OPNsense web interface.
2. Go to System > Settings > Logging.
3. In the Remote Logging section, enable Send logs to remote syslog server by checking the box.
4. In the Remote Syslog Servers field, enter the IP address of the syslog server, including the PORT (for example, 10.10.10.10:54525).
5. Select Local0 as the syslog facility.

6. Set Syslog Level as Alert.

7. Click Save to apply the changes.

UDM Mapping Table

Changes

2023-11-22

• Newly created parser.