# Collect Radware WAF logs

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect Radware Web Application Firewall (WAF) logs by using a Google Security Operations forwarder.

The parser extracts fields from Radware firewall syslog messages using grok patterns and maps them to the UDM. It handles various log formats, populates security result fields based on attack details, and categorizes events based on `attack_id`, enriching the data for Google SecOps ingestion.
Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.
- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that Radware Vision Reporter is installed and configured on AppWall.
- Ensure that you have privileged access to the Radware WAF portal.
Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where the Bindplane Agent will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.
Install Bindplane Agent
-----------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

        msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

        sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the configuration file:

   - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
   - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

        receivers:
          udplog:
            # Replace with your specific IP and port
            listen_address: "0.0.0.0:514"

        exporters:
          chronicle/chronicle_w_labels:
            compression: gzip
            # Path to the ingestion authentication file
            creds: '/path/to/your/ingestion-auth.json'
            # Your Chronicle customer ID
            customer_id: 'your_customer_id'
            endpoint: malachiteingestion-pa.googleapis.com
            ingestion_labels:
              log_type: SYSLOG
              namespace: radware_waf
              raw_log_field: body

        service:
          pipelines:
            logs/source0__chronicle_w_labels-0:
              receivers:
                - udplog
              exporters:
                - chronicle/chronicle_w_labels

- Replace the port and IP address as required in your infrastructure.
- Replace `your_customer_id` with the actual customer ID.
- Update `/path/to/your/ingestion-auth.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/radware-waf#get-auth-file) section.

Restart Bindplane Agent to apply the changes
--------------------------------------------

- To restart the Bindplane Agent in Linux, run the following command:

        sudo systemctl restart bindplane-agent

- To restart the Bindplane Agent in Windows, you can either use the **Services** console or enter the following command:

        net stop BindPlaneAgent && net start BindPlaneAgent

Configure Radware AppWall WAF
-----------------------------

| **Note:** External logging configuration using syslog doesn't include the original HTTP request data in the syslog event details. To include the original HTTP request in the event, Google recommends that you configure external logging using Vision Reporter rather than syslog.

To complete the tasks, do the following three configurations:

- Configure the AppWall standalone using Vision Reporter.
- Configure the integrated AppWall in Alteon using Vision Reporter (includes HTTP request data in event details).
- Configure Vision Reporter to send logs to the Bindplane Agent.

### Configure AppWall Standalone using Vision Reporter

1. Sign in to the [Radware WAF](https://portal.radwarecloud.com/login) console using administrator credentials.
2. Go to **Configuration > Services > Vision Support > Vision Reporter**.
   - Enable logging by selecting the **Send events to Vision Reporter** checkbox.
   - **Vision Reporter address**: enter the **IP address** of the Vision Reporter.
   - **Port**: enter the port number.
   - **Protocol**: select **UDP** or **TCP**.
   - To include **HTTP response data**, select the **Send replies to Vision Reporter** checkbox.
3. Click **Save**.

### Configure Integrated AppWall in Alteon using Vision Reporter (preferred for HTTP Request Data Logging)

1. Sign in to the Radware WAF console using administrator credentials.
2. Go to **Configuration > Security > Web Security > Vision Reporter**.
   - Enable logging by selecting the **Send events to Vision Reporter** checkbox.
   - **Vision Reporter IP address**: enter the IP address of the Vision Reporter.
   - **Port**: enter a high port number.
   - **Security**: select **UDP** or **TCP**.
3. Click **Save**.

### Configure Vision Reporter to send logs to Bindplane Agent

1. Sign in to the Radware Vision Reporter administrator console.
2. Go to **Configuration > SIEM & External Logging**.
3. Click **+ Add New SIEM Destination**.
   - **Destination Name**: enter **Google SecOps Forwarder**.
   - **Log Export Type**: select **Syslog** (RFC 5424 format) for structured logging.
   - **Remote Syslog Server IP**: enter the Bindplane Agent's IP address.
   - **Port**: enter a port that the Bindplane Agent listens on (for example, 514 for UDP, 601 for TCP).
   - **Protocol**: select **UDP** or **TCP** depending on the Bindplane configuration.
4. Click **Save**.
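A quick way to check the transport path before pointing Vision Reporter at the agent, as an added example that is not code from Google SecOps, Bindplane or Radware: build a syslog line in the RFC 5424 layout that the Vision Reporter SIEM destination exports, parse its priority back, and push it through a throwaway UDP listener on loopback that stands in for the `udplog` receiver configured above. The hostname, app name, priority (`local0`/warning) and message body are constructed values; the body is not a real Radware record, and the listener only mimics the agent's transport, not its parsing.

```python
"""Build an RFC 5424 syslog message and push it through a local UDP listener.

Added example (not part of the Google SecOps page or Radware's software).
The message fields are constructed stand-ins for a Vision Reporter
"Syslog (RFC 5424)" export; the receiver mimics only the transport side of
the Bindplane ``udplog`` receiver (bind a UDP port, read one datagram).
"""
import socket
from datetime import datetime, timezone

# Facility/severity codes from RFC 5424 section 6.2.1 (local0 = 16, warning = 4).
FACILITY_LOCAL0 = 16
SEVERITY_WARNING = 4


def rfc5424_message(hostname, app_name, msg, facility=FACILITY_LOCAL0,
                    severity=SEVERITY_WARNING, timestamp=None,
                    msgid="-", structured_data="-"):
    """Return one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.

    PRI is facility * 8 + severity. PROCID is left as the nil value "-".
    The timestamp must be UTC because the "Z" suffix is written literally.
    """
    pri = facility * 8 + severity
    if timestamp is None:
        timestamp = datetime.now(timezone.utc)
    ts = timestamp.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app_name} - {msgid} {structured_data} {msg}"


def parse_priority(line):
    """Split the PRI field back into (facility, severity); None if malformed.

    A line that fails here would be stored by the agent as an unparsed body,
    so this is the first thing to check when events arrive without a priority.
    """
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end <= 1 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        return None
    return divmod(pri, 8)


def loopback_udp_roundtrip(line, host="127.0.0.1"):
    """Send ``line`` over UDP to a throwaway local listener and return what arrived.

    If this succeeds but the real agent shows nothing, the problem is the
    listen_address, the host firewall or the port given to Vision Reporter,
    not the message format.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((host, 0))  # port 0: the OS picks a free port, no root needed
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(line.encode("utf-8"), (host, port))
        data, _ = listener.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: the body is illustrative, not a real Radware record.
    sample = rfc5424_message(
        "appwall-1", "VisionReporter",
        "attack_id=12345 src_ip=192.0.2.10 dst_ip=198.51.100.20 rule_id=7",
        timestamp=datetime(2025, 8, 29, 12, 0, 0, tzinfo=timezone.utc),
    )
    print(sample)
    print("facility, severity:", parse_priority(sample))
    print("round trip ok:", loopback_udp_roundtrip(sample) == sample)
```

To exercise the real listener instead of the loopback one, send the same line with `sendto` to the agent host's IP and the port from `listen_address` (514 in the configuration above), then look for the event under the `radware_waf` namespace in Google SecOps.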
UDM Mapping Table
-----------------

Directly mapped, converted to integer. Set to "MACHINE" if username is present and command is not. Copied from the collection_time field of the raw log. Defaults to "NETWORK_CONNECTION". Set to "GENERIC_EVENT" if either src_ip or dst_ip are missing. Set to "USER_LOGIN" if username is present and command is not present. Can be overridden by logic based on attack_id. Set to "RADWARE_FIREWALL". Mapped from the product field. Set to "Radware".

| Log field | UDM mapping | Logic |
|---|---|---|
| `intermediary_ip` | `event.idm.read_only_udm.intermediary.ip` | Directly mapped. |
| `obv_ip` | `event.idm.read_only_udm.observer.ip` | Directly mapped. |
| `product` | `event.idm.read_only_udm.metadata.product_name` | Directly mapped. |
| `protocol_number_src` | `event.idm.read_only_udm.network.ip_protocol` | Parsed using the `parse_ip_protocol.include` logic. |
| `rule_id` | `event.idm.read_only_udm.security_result.rule_id` | Directly mapped. |

Derived based on the value of `attack_id`. Values include "ACL_VIOLATION", "NETWORK_DENIAL_OF_SERVICE", "NETWORK_SUSPICIOUS", "NETWORK_RECON".
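The event-type fallbacks, protocol-number translation and `attack_id`-based categorization described in this mapping, carried through as an added Python example that is not the Google SecOps parser. The input dict plays the role of the fields grok extracts from a Radware syslog message. Several things are assumptions because the page does not state them: the precedence between the "GENERIC_EVENT" and "USER_LOGIN" rules (here the missing-IP rule wins), the `parse_ip_protocol.include` logic (modelled as an IANA number lookup), which `attack_id` values map to which category (`ATTACK_CATEGORIES` uses constructed placeholder ids), that `src_ip`/`dst_ip` land in `principal.ip`/`target.ip`, and that the "MACHINE" value belongs in `extensions.auth.type`.

```python
"""Apply the UDM mapping rules from the table to grok-extracted fields.

Added example, not the Google SecOps parser. Field names in the input dict
mirror the log fields named on the page; the dict keys of the output follow
the UDM paths from the table, with security_result flattened to one entry.
"""
import json

# Stand-in for parse_ip_protocol.include (assumed): IANA protocol numbers.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 58: "ICMP6"}

# Constructed placeholder: the page lists these four categories but not which
# attack_id selects which, so the ids below are invented for illustration.
ATTACK_CATEGORIES = {
    "101": "ACL_VIOLATION",
    "202": "NETWORK_DENIAL_OF_SERVICE",
    "303": "NETWORK_SUSPICIOUS",
    "404": "NETWORK_RECON",
}


def event_type(fields):
    """Table rules: default NETWORK_CONNECTION; GENERIC_EVENT when an IP is
    missing; USER_LOGIN when username is present and command is not.
    Precedence (missing-IP rule first) is an assumption."""
    if not fields.get("src_ip") or not fields.get("dst_ip"):
        return "GENERIC_EVENT"
    if fields.get("username") and not fields.get("command"):
        return "USER_LOGIN"
    return "NETWORK_CONNECTION"


def ip_protocol(number):
    """Translate a protocol number string to a UDM protocol name."""
    try:
        return IP_PROTOCOLS.get(int(number), "UNKNOWN_IP_PROTOCOL")
    except (TypeError, ValueError):
        return "UNKNOWN_IP_PROTOCOL"


def to_udm(fields, collection_time):
    """Build the read-only UDM portion for one extracted event."""
    udm = {
        "metadata": {
            "event_timestamp": collection_time,  # copied from the raw collection_time
            "event_type": event_type(fields),
            "log_type": "RADWARE_FIREWALL",
            "vendor_name": "Radware",
        },
        "security_result": {},
    }
    if fields.get("product"):
        udm["metadata"]["product_name"] = fields["product"]
    if fields.get("username") and not fields.get("command"):
        # Field path assumed; the page only states the value "MACHINE".
        udm["extensions"] = {"auth": {"type": "MACHINE"}}
    # Table rows: intermediary_ip -> intermediary.ip, obv_ip -> observer.ip.
    for src, dst in (("intermediary_ip", "intermediary"), ("obv_ip", "observer")):
        if fields.get(src):
            udm[dst] = {"ip": [fields[src]]}
    # principal/target placement for src_ip/dst_ip is assumed (standard UDM).
    if fields.get("src_ip"):
        udm["principal"] = {"ip": [fields["src_ip"]]}
    if fields.get("dst_ip"):
        udm["target"] = {"ip": [fields["dst_ip"]]}
    if fields.get("protocol_number_src") is not None:
        udm["network"] = {"ip_protocol": ip_protocol(fields["protocol_number_src"])}
    if fields.get("rule_id"):
        udm["security_result"]["rule_id"] = fields["rule_id"]
    category = ATTACK_CATEGORIES.get(str(fields.get("attack_id", "")))
    if category:
        udm["security_result"]["category"] = category
    if not udm["security_result"]:
        del udm["security_result"]  # nothing security-related was extracted
    return udm


if __name__ == "__main__":
    # Constructed sample of grok output; values are illustrative only.
    sample = {
        "src_ip": "192.0.2.10", "dst_ip": "198.51.100.20", "obv_ip": "203.0.113.5",
        "attack_id": "202", "protocol_number_src": "6", "rule_id": "7",
        "product": "AppWall",
    }
    print(json.dumps(to_udm(sample, "2025-08-29T12:00:00Z"), indent=2))
```

Running it on the constructed sample yields a NETWORK_CONNECTION event with `network.ip_protocol` of TCP and a security result carrying both the rule id and the NETWORK_DENIAL_OF_SERVICE category; dropping `dst_ip` from the input flips the event type to GENERIC_EVENT, which is the case to watch for when searching for events that did not normalize as expected.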
**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)

Last updated 2025-08-29 UTC.