Collect OPNsense firewall logs
==============================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

Last updated (UTC): 2025-09-04.

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This parser extracts fields from OPNsense firewall logs (syslog and CSV formats) and maps them to the UDM. It uses grok and CSV parsing for "filterlog" application logs, handling different log formats and network protocols (TCP, UDP, ICMP, etc.) to populate UDM fields like principal, target, network, and security_result. It also adds metadata like vendor and product name, and determines the event type based on the presence of principal and target information.

Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you have privileged access to the OPNsense web interface.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings** > **Collection Agents**.
3. Download the **Ingestion Authentication File**.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings** > **Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install Bindplane Agent
-----------------------

1. For **Windows installation**, run the following command:
   `msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet`
2. For **Linux installation**, run the following command:
   `sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh`
3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the machine where Bindplane Agent is installed.
2. Edit the `config.yaml` file as follows:

   ```yaml
   receivers:
     tcplog:
       # Replace the port (54525) and IP (0.0.0.0) below with your own values.
       # 0.0.0.0 listens on every interface; bind to the interface that faces the firewall where possible.
       listen_address: "0.0.0.0:54525"

   exporters:
     chronicle/chronicle_w_labels:
       compression: gzip
       # Adjust the creds location below according to the placement of the credentials file you downloaded
       creds: '{ json file for creds }'
       # Replace <customer_id> below with the customer ID that you copied
       customer_id: <customer_id>
       endpoint: malachiteingestion-pa.googleapis.com
       # You can apply ingestion labels below as preferred
       ingestion_labels:
         log_type: SYSLOG
         namespace: testNamespace
       raw_log_field: body

   service:
     pipelines:
       logs/source0__chronicle_w_labels-0:
         receivers:
           - tcplog
         exporters:
           - chronicle/chronicle_w_labels
   ```

3. Restart Bindplane Agent to apply the changes using the following command:
   `sudo systemctl restart bindplane`

Add Syslog server configuration to OPNsense
-------------------------------------------

1. Sign in to the OPNsense web interface.
2. Go to **System** > **Settings** > **Logging**.
3. In the **Remote Logging** section, enable **Send logs to remote syslog server** by checking the box.
4. In the **Remote Syslog Servers** field, enter the **IP address** of the syslog server, including the **PORT** (for example, 10.10.10.10:54525).
5. Select **Local0** as the **syslog facility**.
6. Set the Syslog Level to **Alert**.

   | **Note:** The Informational or Debug levels are typically used for more detailed log information.
7. Click **Save** to apply the changes.

UDM Mapping Table
-----------------

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)
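The filterlog parsing described above, as an added example that is not Google's parser or code from this page: it extracts the CSV record from a BSD-syslog-framed OPNsense filterlog line, handles the IPv4/IPv6 header and TCP/UDP field differences, and maps the result onto the UDM field names the page lists (`principal.ip`, `network.ip_protocol`, `security_result.rule_id`). It assumes the pf filterlog field order documented for pfSense/OPNsense, and the sample lines and the mapping logic are this example's own.

```python
import re

# Field order of the pf "filterlog" CSV record. Assumed from the pfSense/OPNsense
# filterlog format; verify against a line from your own firewall before relying on it.
COMMON = ["rule", "subrule", "anchor", "label", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto", "length", "src", "dst"]
IPV6 = ["class", "flow_label", "hop_limit", "proto", "proto_id", "length", "src", "dst"]
TCP = ["srcport", "dstport", "datalen", "tcp_flags", "seq", "ack", "window", "urg", "options"]
UDP = ["srcport", "dstport", "datalen"]

# BSD-style syslog framing: "... filterlog[PID]: <csv record>"
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?:\s*(?P<csv>\d+,.*)$")

# Constructed sample lines (RFC 5737 documentation addresses), not real firewall output.
TCP_SAMPLE = ("Sep  4 10:00:00 fw.example.test filterlog[12345]: 67,,,0,em0,match,block,in,4,"
              "0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,192.0.2.5,49152,443,0,S,1234567890,,64240,,mss;sackOK")
UDP_SAMPLE = ("Sep  4 10:00:01 fw.example.test filterlog[12345]: 5,,,0,em0,match,pass,out,4,"
              "0x0,,64,0,0,none,17,udp,76,192.0.2.5,198.51.100.1,53000,53,56")


def parse_filterlog(line):
    """Return a UDM-style dict for one filterlog syslog line, or None if it is not one."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    fields = m.group("csv").split(",")
    rec = dict(zip(COMMON, fields[:9]))
    rest = fields[9:]
    hdr = IPV4 if rec.get("ipver") == "4" else IPV6  # IPv4 and IPv6 headers differ in layout
    rec.update(zip(hdr, rest))
    rest = rest[len(hdr):]
    proto = rec.get("proto", "").lower()
    if proto == "tcp":
        rec.update(zip(TCP, rest))
    elif proto == "udp":
        rec.update(zip(UDP, rest))
    # ICMP and other protocols carry no port fields; src/dst are still mapped below.
    def port(key):
        return int(rec[key]) if rec.get(key, "").isdigit() else None
    # Illustrative mapping onto the UDM field names the page lists; Google's parser logic may differ.
    return {
        "metadata": {"vendor_name": "OPNsense", "product_name": "OPNsense Firewall",
                     "event_type": "NETWORK_CONNECTION" if rec.get("src") and rec.get("dst") else "GENERIC_EVENT"},
        "principal": {"ip": rec.get("src"), "port": port("srcport")},
        "target": {"ip": rec.get("dst"), "port": port("dstport")},
        "network": {"ip_protocol": proto.upper() or None,
                    "direction": {"in": "INBOUND", "out": "OUTBOUND"}.get(rec.get("direction"))},
        "security_result": {"rule_id": rec.get("rule"),
                            "action": {"block": "BLOCK", "pass": "ALLOW"}.get(rec.get("action"), "UNKNOWN_ACTION"),
                            "description": f"{rec.get('action')} on {rec.get('iface')} ({rec.get('reason')})"},
    }
```

Run it against a few lines captured from your own OPNsense remote syslog stream to confirm the field order before trusting the mapping.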