# Collect Sophos Central logs

Last updated (UTC): 2025-09-04.

Supported in:
Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This document explains how to collect Sophos Central logs by using Bindplane. The parser transforms JSON logs into a unified data model (UDM). It extracts fields from nested JSON structures, maps them to UDM fields, and performs event categorization based on the **type** field, enriching the data with specific details and actions for different Sophos Central event types.

Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with `systemd`.
- Ensure that you have an additional Windows or Linux machine, capable of continuously running Python.
- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that you have privileged access to Sophos XG Firewall.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install the Bindplane agent
---------------------------

### Windows installation

1. Open the **Command Prompt** or **PowerShell** as an administrator.
2. Run the following command:

        msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

### Linux installation

1. Open a terminal with root or sudo privileges.
2. Run the following command:

        sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

### Additional installation resources

- For additional installation options, consult this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).

Configure the Bindplane agent to ingest Syslog and send to Google SecOps
------------------------------------------------------------------------

1. Access the configuration file:

    1. Locate the `config.yaml` file. Typically, it's in the `/etc/bindplane-agent/` directory on Linux or in the installation directory on Windows.
    2. Open the file using a text editor (for example, `nano`, `vi`, or Notepad).

2. Edit the `config.yaml` file as follows:

        receivers:
          udplog:
            # Replace the port and IP address as required
            listen_address: "0.0.0.0:514"

        exporters:
          chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the path to the credentials file you downloaded in Step 1
            creds: '/path/to/ingestion-authentication-file.json'
            # Replace with your actual customer ID from Step 2
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # Add optional ingestion labels for better organization
            ingestion_labels:
              log_type: SYSLOG
              namespace: sophos_central
              raw_log_field: body

        service:
          pipelines:
            logs/source0__chronicle_w_labels-0:
              receivers:
                - udplog
              exporters:
                - chronicle/chronicle_w_labels

3. Replace the port and IP address as required in your infrastructure.

4. Replace `<customer_id>` with the actual customer ID.

5. Update `/path/to/ingestion-authentication-file.json` to the path where the authentication file was saved in the [Get Google SecOps ingestion authentication file](/chronicle/docs/ingestion/default-parsers/sophos-central#get-auth-file) section.

Restart the Bindplane agent to apply the changes
------------------------------------------------

- To restart the Bindplane agent in Linux, run the following command:

        sudo systemctl restart bindplane-agent

- To restart the Bindplane agent in Windows, you can either use the **Services** console or enter the following command:

        net stop BindPlaneAgent && net start BindPlaneAgent

Configure Sophos Central API access
-----------------------------------

1. Sign in to **Sophos Central Admin**.
2. Select **Global Settings > API Token Management**.
3. Click **Add Token** to create a new token.
4. Enter a token name and click **Save**. The **API Token Summary** for the provided token is displayed.
5. In the **API Token Summary** section, click **Copy** to copy the API access URL and headers.

Install Python on the additional machine
----------------------------------------

1. Open the web browser and go to the [Python website](https://www.python.org).
2. Click **Download Python** for your operating system (Windows or Mac).
3. Install Python.

    - On Windows:
        1. Run the installer.
        2. Check the box that says **Add Python to PATH**.
        3. Click **Install Now**.
    - On Mac:
        1. Python may already be installed; if not, you can install the latest version using the terminal.
        2. Open **Terminal** and type the following command:

                python --version

Download the Sophos integration script
--------------------------------------

1. Go to the GitHub page for the [Sophos Central SIEM Integration GitHub Repository](https://github.com/sophos/Sophos-Central-SIEM-Integration).
2. Click the green **Code button > Download ZIP**.
3. Extract the ZIP file.

Set up the script configuration
-------------------------------

1. **Find** and **Open** the `config.ini` file with a text editor.
2. Edit the configuration file:
    - **API Token**: enter the API Key copied earlier from Sophos Central.
    - **Syslog Server Details**: enter the details of your syslog server.
    - **Host**: enter the Bindplane IP address.
    - **Port**: enter the Bindplane port number.
    - **Protocol**: enter UDP (you can also use **TCP** or **TLS** depending on your setup).
3. **Save** the file.

Run the script
--------------

1. Go to the script folder.

    - On Windows:
        1. Press the **Windows** key and type `cmd`.
        2. Click **Command Prompt**.
        3. Go to the script folder:

                cd C:\Users\YourName\Downloads\Sophos-Central-SIEM-Integration

    - On macOS:
        1. Go to **Applications > Utilities**.
        2. Open **Terminal**.
        3. Go to the script folder:

                cd /Users/YourName/Downloads/Sophos-Central-SIEM-Integration

2. **Run the script:**

    - Type the following command to start the script:

            python siem.py

| **Note:** The script will start fetching logs from Sophos Central and forwarding them to your syslog server in JSON format.

Automate the script to run continuously on Windows (using Task Scheduler)
-------------------------------------------------------------------------

1. Open the Task Scheduler by typing **Task Scheduler** in the Start menu.
2. Click **Create Task**.
3. In the **General** tab:
    - Name your task; for example, `Sophos Central Log Export`.
4. In the **Triggers** tab:
    - Click **New** and set the task to run **Daily** or **At startup** (depending on your preference).
5. In the **Actions** tab:
    - Click **New** and select **Start a program**.
    - Browse for the `python.exe` executable (usually found at `C:\PythonXX\python.exe`).
    - In the **Add arguments** field, type the path to the script; for example, `C:\Users\YourName\Downloads\Sophos-Central-SIEM-Integration\siem.py`.
6. Click **OK** to save the task.

Automate the script to run continuously on Mac (using Cron Jobs)
----------------------------------------------------------------

1. Open the Terminal.
2. Type `crontab -e` and press **Enter**.
3. Add a new line at the end of the file:

        * * * * * /usr/bin/python /Users/YourName/Downloads/Sophos-Central-SIEM-Integration/siem.py

    | **Note:** This will run the script **every minute**. Adjust the time based on your needs.

4. **Save** and exit the editor.

UDM Mapping Table
-----------------

| UDM field | Logic |
|---|---|
| | Determined by the `type` field and other logic in the parser. Possible values include: FILE_OPEN, SCAN_HOST, SETTING_MODIFICATION, STATUS_HEARTBEAT, SETTING_CREATION, NETWORK_CONNECTION, SCAN_PROCESS, SCAN_UNCATEGORIZED, USER_CREATION, USER_UNCATEGORIZED, STATUS_UPDATE. |
| metadata.log_type | Set to SOPHOS_CENTRAL. |
| metadata.product_event_type | Mapped directly from the `type` field. |
| metadata.product_name | Set to Sophos Central. |
| metadata.vendor_name | Set to Sophos. |
| network.direction | Set to OUTBOUND for specific `type` values that indicate an outbound network connection. |
| network.ip_protocol | Set to TCP for specific `type` values that indicate a TCP network connection. |
| security_result.action | Determined by the `action` field extracted from the `name` field using a grok pattern. Possible values include: ALLOW, BLOCK, ALLOW_WITH_MODIFICATION, UNKNOWN_ACTION. |
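The mapping logic in the UDM table above, applied to constructed sample events as an added Python example (not code from this page, Google, or Sophos), so you can compute the UDM fields you expect and compare them with what Google SecOps shows after ingestion. The keyword regex standing in for the parser's grok pattern, the `type`-to-event-type entries, and the sample events are assumptions; `metadata.event_type` is the UDM field whose values the first table row lists.

```python
import re

# Constructed sample events in the JSON shape that siem.py forwards over syslog.
# Field names `type` and `name` are the ones the parser reads; values are made up.
SAMPLE_EVENTS = [
    {"type": "Event::Endpoint::WebFilteringBlocked",
     "name": "Access to website 'example.invalid' was blocked by web control"},
    {"type": "Event::Endpoint::Heartbeat",
     "name": "Endpoint heartbeat received"},
]

# Assumed stand-in for the parser's grok pattern on `name` (the real pattern is
# not on the page): the first matching keyword decides security_result.action.
ACTION_RE = re.compile(r"\b(blocked|allowed|modified)\b", re.IGNORECASE)
ACTION_MAP = {"blocked": "BLOCK", "allowed": "ALLOW",
              "modified": "ALLOW_WITH_MODIFICATION"}

# Assumed examples of how `type` selects metadata.event_type; the page only says
# the choice depends on `type` plus other parser logic. Unlisted types map to None.
EVENT_TYPE_MAP = {
    "Event::Endpoint::WebFilteringBlocked": "NETWORK_CONNECTION",
    "Event::Endpoint::Heartbeat": "STATUS_HEARTBEAT",
}


def extract_action(name):
    """Return the UDM action for a Sophos event name; UNKNOWN_ACTION when nothing matches."""
    match = ACTION_RE.search(name or "")
    return ACTION_MAP[match.group(1).lower()] if match else "UNKNOWN_ACTION"


def to_udm(event):
    """Build the UDM fields from the mapping table for one raw Sophos Central event."""
    event_type = EVENT_TYPE_MAP.get(event.get("type"))
    udm = {
        "metadata.event_type": event_type,
        "metadata.log_type": "SOPHOS_CENTRAL",
        "metadata.product_event_type": event.get("type"),  # copied directly from `type`
        "metadata.product_name": "Sophos Central",
        "metadata.vendor_name": "Sophos",
        "security_result.action": extract_action(event.get("name")),
    }
    # Only network-connection events get direction and protocol populated.
    if event_type == "NETWORK_CONNECTION":
        udm["network.direction"] = "OUTBOUND"
        udm["network.ip_protocol"] = "TCP"
    return udm


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        for field, value in sorted(to_udm(raw).items()):
            print(f"{field} = {value}")
        print()
```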