Collect Radware WAF logs
========================

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect Radware Web Application Firewall (WAF) logs by using a Google Security Operations forwarder.
The parser extracts fields from Radware firewall syslog messages using grok patterns and maps them to the UDM. It handles various log formats, populates security result fields based on attack details, and categorizes events based on `attack_id`, enriching the data for Google SecOps ingestion.

Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.
- If running behind a proxy, ensure that the required firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that Radware Vision Reporter is installed and configured on AppWall.
- Ensure that you have privileged access to the Radware WAF portal.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where the Bindplane Agent will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install Bindplane Agent
-----------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

       msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

       sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the configuration file:

   - Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
   - Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

       receivers:
         udplog:
           # Replace with your specific IP and port
           listen_address: "0.0.0.0:514"

       exporters:
         chronicle/chronicle_w_labels:
           compression: gzip
           # Path to the ingestion authentication file
           creds: '/path/to/your/ingestion-auth.json'
           # Your Chronicle customer ID
           customer_id: 'your_customer_id'
           endpoint: malachiteingestion-pa.googleapis.com
           ingestion_labels:
             log_type: SYSLOG
             namespace: radware_waf
           raw_log_field: body

       service:
         pipelines:
           logs/source0__chronicle_w_labels-0:
             receivers:
               - udplog
             exporters:
               - chronicle/chronicle_w_labels

   - Replace the port and IP address as required in your infrastructure.
   - Replace `your_customer_id` with the actual customer ID.
   - Update `/path/to/your/ingestion-auth.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/radware-waf#get-auth-file) section.

Restart Bindplane Agent to apply the changes
--------------------------------------------

- To restart the Bindplane Agent in Linux, run the following command:

      sudo systemctl restart bindplane-agent

- To restart the Bindplane Agent in Windows, you can either use the **Services** console or enter the following command:

      net stop BindPlaneAgent && net start BindPlaneAgent

Configure Radware AppWall WAF
-----------------------------

| **Note:** External logging configuration using syslog doesn't include the original HTTP request data in the syslog event details. To include the original HTTP request in the event, Google recommends that you configure external logging using Vision Reporter rather than syslog.

To complete the tasks, do the following three configurations:

- Configure the AppWall standalone using Vision Reporter.
- Configure the integrated AppWall in Alteon using Vision Reporter (includes HTTP request data in event details).
- Configure Vision Reporter to send logs to the Bindplane Agent.

### Configure AppWall Standalone using Vision Reporter

1. Sign in to the [Radware WAF](https://portal.radwarecloud.com/login) console using administrator credentials.
2. Go to **Configuration > Services > Vision Support > Vision Reporter**.
   - Enable logging by selecting the **Send events to Vision Reporter** checkbox.
   - **Vision Reporter address**: enter the **IP address** of the Vision Reporter.
   - **Port**: enter the port number.
   - **Protocol**: select **UDP** or **TCP**.
   - To include **HTTP response data**, select the **Send replies to Vision Reporter** checkbox.
3. Click **Save**.

### Configure Integrated AppWall in Alteon using Vision Reporter (preferred for HTTP request data logging)

1. Sign in to the Radware WAF console using administrator credentials.
2. Go to **Configuration > Security > Web Security > Vision Reporter**.
   - Enable logging by selecting the **Send events to Vision Reporter** checkbox.
   - **Vision Reporter IP address**: enter the IP address of the Vision Reporter.
   - **Port**: enter a high port number.
   - **Security**: select **UDP** or **TCP**.
3. Click **Save**.

### Configure Vision Reporter to send logs to Bindplane Agent

1. Sign in to the Radware Vision Reporter administrator console.
2. Go to **Configuration > SIEM & External Logging**.
3. Click **+ Add New SIEM Destination**.
   - **Destination Name**: enter **Google SecOps Forwarder**.
   - **Log Export Type**: select **Syslog** (RFC 5424 format) for structured logging.
   - **Remote Syslog Server IP**: enter the Bindplane Agent's IP address.
   - **Port**: enter a port that the Bindplane Agent listens on (for example, 514 for UDP, 601 for TCP).
   - **Protocol**: select **UDP** or **TCP** depending on the Bindplane configuration.
4. Click **Save**.

UDM Mapping Table
-----------------

Last updated (UTC): 2025-09-04.
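Before restarting the agent, it is worth checking the edited `config.yaml` from the Configure Bindplane Agent section for the mistakes this procedure invites: placeholders left in, a `creds` path that does not exist on the host, or a pipeline that names a receiver or exporter that is not defined. The following Python check is an added example, not part of this page or of the Bindplane Agent; it takes the config as an already-parsed dict (load the real file with PyYAML's `yaml.safe_load`), and the sample dict is constructed here to mirror the page's `config.yaml` with its placeholders still in place.

```python
"""Pre-restart sanity check for the Bindplane Agent config.yaml shown above."""
import os

# Placeholder values from the sample config that must be replaced before use.
PLACEHOLDERS = {"", "your_customer_id", "<customer_id>"}


def check_config(cfg):
    """Return problems found in a parsed config dict (load it with yaml.safe_load)."""
    problems = []
    receivers = cfg.get("receivers", {})
    exporters = cfg.get("exporters", {})
    # udplog receiver: listen_address must be host:port with a valid port number.
    addr = receivers.get("udplog", {}).get("listen_address", "")
    host, _, port = addr.rpartition(":")
    if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"udplog listen_address {addr!r} is not host:port")
    # chronicle exporter: creds file must exist and placeholders must be replaced.
    for name, exp in exporters.items():
        if not name.startswith("chronicle"):
            continue
        if not os.path.isfile(exp.get("creds", "")):
            problems.append(f"{name}: creds file {exp.get('creds')!r} not found")
        if exp.get("customer_id", "") in PLACEHOLDERS:
            problems.append(f"{name}: customer_id is still a placeholder")
        for key in ("log_type", "namespace"):
            if not exp.get("ingestion_labels", {}).get(key):
                problems.append(f"{name}: ingestion_labels.{key} is missing")
    # pipelines may only reference receivers and exporters that are defined.
    for pname, pipe in cfg.get("service", {}).get("pipelines", {}).items():
        for ref in pipe.get("receivers", []):
            if ref not in receivers:
                problems.append(f"pipeline {pname}: unknown receiver {ref!r}")
        for ref in pipe.get("exporters", []):
            if ref not in exporters:
                problems.append(f"pipeline {pname}: unknown exporter {ref!r}")
    return problems


# Constructed sample mirroring the page's config.yaml with its placeholders left in.
SAMPLE_CFG = {
    "receivers": {"udplog": {"listen_address": "0.0.0.0:514"}},
    "exporters": {"chronicle/chronicle_w_labels": {
        "creds": "/path/to/your/ingestion-auth.json",
        "customer_id": "your_customer_id",
        "endpoint": "malachiteingestion-pa.googleapis.com",
        "ingestion_labels": {"log_type": "SYSLOG", "namespace": "radware_waf"}}},
    "service": {"pipelines": {"logs/source0__chronicle_w_labels-0": {
        "receivers": ["udplog"], "exporters": ["chronicle/chronicle_w_labels"]}}},
}
```

Run against the sample, `check_config` reports the unreplaced `customer_id` and the missing creds file. The config on this page defines only a `udplog` receiver, so choosing a TCP destination in Vision Reporter would also need a matching receiver added to the pipeline.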