Collect Dell OpenManage logs
This document explains how to ingest Dell OpenManage logs to Google Security Operations using the Bindplane agent.
Dell OpenManage Enterprise is a systems management console that generates syslog messages for audit events, configuration changes, and device compliance. The parser extracts key-value pairs from raw logs using grok patterns and maps them to the Unified Data Model (UDM).
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or a Linux host with systemd
- Network connectivity between the Bindplane agent and the Dell OpenManage Enterprise server
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Privileged access to Dell OpenManage Enterprise
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File.
Save the file securely on the system where the Bindplane agent will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
- Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
- Wait for the installation to complete.
- Verify the installation by running:
sc query observiq-otel-collector
The service should show as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
- Wait for the installation to complete.
- Verify the installation by running:
sudo systemctl status observiq-otel-collector
The service should show as active (running).
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure the Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
Linux:
sudo nano /etc/bindplane-agent/config.yaml
Windows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
Replace the entire contents of config.yaml with the following configuration:

receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/dell_openmanage:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: '<customer_id>'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: DELL_OPENMANAGE
    raw_log_field: body

service:
  pipelines:
    logs/dell_openmanage_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/dell_openmanage
Configuration parameters
Replace the following placeholders:
Receiver configuration:
- listen_address: IP address and port to listen on. 0.0.0.0 listens on all interfaces (recommended). Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root).
Exporter configuration:
- creds_file_path: Full path to the ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id: Customer ID copied from the Google SecOps console
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for the complete list
Save the configuration file
- After editing, save the file:
  - Linux: Press Ctrl+O, then Enter, then Ctrl+X
  - Windows: Click File > Save
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux, run the following command:
sudo systemctl restart observiq-otel-collector
Verify the service is running:
sudo systemctl status observiq-otel-collector
Check logs for errors:
sudo journalctl -u observiq-otel-collector -f
To restart the Bindplane agent in Windows, choose one of the following options:
Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector
Services console:
- Press Win+R, type services.msc, and press Enter.
- Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
Verify the service is running:
sc query observiq-otel-collector
Check logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
Configure syslog for Dell OpenManage Enterprise
- Sign in to the Dell OpenManage Enterprise web console.
- Go to Application Settings > Alerts > Syslog Configuration.
- Enable syslog forwarding.
- Provide the following details:
- Server: Enter the IP address or hostname of the Bindplane agent.
- Port: Enter the port number (for example, 514).
- Click Apply.
Configure alert policies (optional)
- Go to Alerts > Alert Policies > Create.
- Provide the following configuration details:
- In the Create Alert Policy dialog, enter a meaningful Name and Description for the policy.
- Verify the Enable Policy checkbox is selected.
- Click Next.
- Category: Expand Application and select all the categories and subcategories of the appliance logs.
- Click Next.
- Severity: Select the All checkbox.
- Click Next.
- Actions: Select Syslog.
- Click Enable and enter the Bindplane agent IP address.
- Click Next.
- Click Finish.
Supported Dell OpenManage sample logs
SYSLOG + KV
<156>2022-02-06T05:00:33.181319+00:00 internal-log-relay-01 EEMI Audit event from device with { IP } 192.168.100.100 { HostName } workstation-prod-01 { Severity } Warning { MessageID } CDEV9000 { Message } This device and several others has become non compliant after running compliance task: Alpha. { Recommended Action } Update the device or component firmware using a catalog or update package.
SYSLOG + KV + internal fields
<158>2022-01-15T15:59:55.576332+00:00 internal-log-relay-01 EEMI Configuration event from device with { IP } null { HostName } null { Severity } Info { MessageID } CSEC0053 { Message } Description:Local user dummy_user deleted. User Name:admin_account Received from address:172.16.254.1 { Recommended Action } Instrumentation didn't provide any recommended action for this event.
Protocol/diagnostic header
Client-ATV-Sharing-Version**: `1.2`
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
| data.HostName | read_only_udm.principal.hostname | The value of HostName from the raw log is directly mapped to read_only_udm.principal.hostname. |
| data.IP | read_only_udm.target.ip | The value of IP from the raw log is directly mapped to read_only_udm.target.ip. |
| data.Message | read_only_udm.metadata.description | The value of Message from the raw log is directly mapped to read_only_udm.metadata.description. |
| data.MessageID | read_only_udm.additional.fields.value.string_value | The value of MessageID from the raw log is directly mapped to read_only_udm.additional.fields.value.string_value. |
| data.Recommended Action | read_only_udm.additional.fields.value.string_value | The value of Recommended Action from the raw log is directly mapped to read_only_udm.additional.fields.value.string_value. |
| data.Severity | read_only_udm.security_result.severity | The value of Severity from the raw log is mapped to read_only_udm.security_result.severity after being converted to uppercase. |
| data.timestamp.nanos | read_only_udm.metadata.event_timestamp.nanos | The value of timestamp.nanos from the raw log is directly mapped to read_only_udm.metadata.event_timestamp.nanos. |
| data.timestamp.seconds | read_only_udm.metadata.event_timestamp.seconds | The value of timestamp.seconds from the raw log is directly mapped to read_only_udm.metadata.event_timestamp.seconds. |
| | read_only_udm.metadata.event_type | This field is determined based on the content of the Message field from the raw log. |
| | read_only_udm.metadata.log_type | This field is hardcoded to DELL_OPENMANAGE in the parser code. |
| | read_only_udm.metadata.product_name | This field is hardcoded to DELL_OPENMANAGE in the parser code. |
| | read_only_udm.metadata.vendor_name | This field is hardcoded to DELL in the parser code. |
| | read_only_udm.additional.fields.key | This field name is hardcoded in the parser code. The value of this field is MessageID or Recommended_Action. |
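To illustrate what the grok-based key-value extraction and the mapping table above produce for the sample logs, here is an added Python example (not the Google SecOps parser itself) that parses the `{ Key } value` layout of an EEMI syslog line and builds a UDM-shaped dict. The sample line is constructed in the same shape as the page's samples; the handling of the literal `null` device fields is this example's own choice, and the event_type logic is not reproduced because the page does not specify it.

```python
import re
from datetime import datetime

# Constructed sample, same shape as the EEMI samples shown on this page.
SAMPLE_LOG = (
    "<156>2022-02-06T05:00:33.181319+00:00 internal-log-relay-01 EEMI Audit event from device with "
    "{ IP } 192.168.100.100 { HostName } workstation-prod-01 { Severity } Warning { MessageID } CDEV9000 "
    "{ Message } This device and several others has become non compliant after running compliance task: Alpha. "
    "{ Recommended Action } Update the device or component firmware using a catalog or update package."
)

# Syslog header: <PRI>TIMESTAMP RELAY EEMI <event text>
HEADER_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\S+) (?P<relay>\S+) EEMI (?P<rest>.*)$")
# Each field is written as "{ Key } value"; a value runs until the next " { " or end of line.
KV_RE = re.compile(r"\{ (?P<key>[^}]+?) \} (?P<value>.*?)(?= \{ |$)")

def parse_kv(text):
    """Return the '{ Key } value' pairs of an EEMI event text as a dict."""
    return {m.group("key"): m.group("value").strip() for m in KV_RE.finditer(text)}

def to_udm(line):
    """Map one OpenManage syslog line to a UDM-shaped dict following the mapping table above."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Dell OpenManage EEMI syslog line")
    kv = parse_kv(m.group("rest"))
    ts = datetime.fromisoformat(m.group("ts"))  # timezone-aware, so timestamp() is exact
    udm = {
        "metadata": {
            "log_type": "DELL_OPENMANAGE", "product_name": "DELL_OPENMANAGE", "vendor_name": "DELL",
            "event_timestamp": {"seconds": int(ts.timestamp()), "nanos": ts.microsecond * 1000},
            "description": kv.get("Message"),
        },
        "principal": {}, "target": {}, "security_result": {}, "additional": {"fields": []},
    }
    # OpenManage writes the literal "null" when a device field is unknown (second sample above);
    # this example leaves such fields unset instead of emitting an invalid IP or hostname.
    if kv.get("HostName") not in (None, "null"):
        udm["principal"]["hostname"] = kv["HostName"]
    if kv.get("IP") not in (None, "null"):
        udm["target"]["ip"] = kv["IP"]
    if "Severity" in kv:
        udm["security_result"]["severity"] = kv["Severity"].upper()  # Warning -> WARNING
    # additional.fields keys are fixed by the parser: MessageID and Recommended_Action.
    for key, src in (("MessageID", "MessageID"), ("Recommended_Action", "Recommended Action")):
        if src in kv:
            udm["additional"]["fields"].append({"key": key, "value": {"string_value": kv[src]}})
    return udm
```

Feed the second sample from the page to `to_udm` to see the `null` IP and HostName fields dropped while Severity, MessageID and Recommended_Action are still populated.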