Collect Trellix Network Security (formerly FireEye NX) logs

Supported in:

This guide explains how you can ingest Trellix Network Security (formerly known as FireEye NX) logs to Google Security Operations using the Bindplane.

Trellix Network Security is a network threat protection solution that detects and blocks advanced, targeted, and other evasive attacks hiding in web traffic. It uses a combination of signature-based and signatureless analysis engines—including Multi-Vector Virtual Execution (MVX)—to identify and stop zero-day exploits, malware callbacks, and other advanced threats in real time.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance.
  • A host running Windows Server 2016 or later, or a Linux host with systemd.
  • Network connectivity between the Bindplane agent and the Trellix NX appliance.
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
  • Privileged access to the Trellix Network Security (NX) management console or Central Management System (CMS) appliance.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
  4. Save the file securely on the system where the Bindplane agent will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "[https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi](https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi)" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector

The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL [https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh](https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh))" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector

The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux: /etc/bindplane-agent/config.yaml
  • Windows: C:\Program Files\observIQ OpenTelemetry Collector\config.yaml

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
udplog:
   listen_address: "0.0.0.0:514"

exporters:
chronicle/fireeye_nx:
   compression: gzip
   creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
   customer_id: '<CUSTOMER_ID>'
   endpoint: malachiteingestion-pa.googleapis.com
   log_type: FIREEYE_NX
   raw_log_field: body
   ingestion_labels:

service:
pipelines:
   logs/fireeye_nx_to_chronicle:
      receivers:
      - udplog
      exporters:
      - chronicle/fireeye_nx

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:
    • listen_address: IP address and port to listen on.
      • 0.0.0.0 to listen on all interfaces.
      • Port 514 is standard (requires root). Use 1514 or higher for non-root users.
  • Exporter configuration:
    • creds_file_path: Full path to the ingestion authentication file.
    • <CUSTOMER_ID>: Your Customer ID from the Google SecOps console.
    • endpoint: Regional endpoint URL (e.g., malachiteingestion-pa.googleapis.com). See Regional Endpoints for the complete list.

Save the configuration file

After editing, save the file: * Linux: Press Ctrl+O, then Enter, then Ctrl+X. * Windows: Click File > Save.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

  1. Run the following command:

    sudo systemctl restart observiq-otel-collector

  2. Verify the service is running:

    sudo systemctl status observiq-otel-collector

  3. Check logs for errors:

    sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows:

  1. Choose one of the following options:

    • Command Prompt or PowerShell as administrator:
    net stop observiq-otel-collector && net start observiq-otel-collector
    • Services console:
      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.

  2. Verify the service is running:

    sc query observiq-otel-collector

  3. Check logs for errors:

    type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure syslog forwarding on Trellix Network Security

  1. Sign in to the Trellix Network Security console with an administrator account.
  2. Go to Settings > Notifications.
  3. Click the rsyslog tab.
  4. Check the Event type check box to enable rsyslog notifications.
  5. In the Rsyslog Settings area, select CEF as the Default format.
  6. In the Rsyslog Server Listing section, click Add Rsyslog Server.
  7. Provide the following configuration details:
    • Enabled: Check the checkbox.
    • IP Address: Enter the IP address of the Bindplane agent host.
    • Port: Enter the agent port (e.g., 514).
    • Protocol: Select UDP or TCP (matching your agent configuration).
    • Event Types: Select the event types to forward (select all for comprehensive logging).
  8. Click Update to save.

UDM mapping table

Log Field UDM Mapping Logic
alert.dst.ip target.ip, target.asset.ip Direct mapping.
alert.dst.mac target.mac, target.asset.mac Direct mapping.
alert.dst.port target.port Direct mapping.
alert.name metadata.product_event_type Direct mapping.
alert.occurred metadata.event_timestamp Direct mapping.
alert.src.ip principal.ip, principal.asset.ip Direct mapping.
alert.src.port principal.port Direct mapping.
log_id metadata.product_log_id Direct mapping.
response_code network.http.response_code Direct mapping.
user_id principal.user.userid Direct mapping.
N/A metadata.event_type Set based on presence of IP, hostname, or user ID (e.g., SCAN_UNCATEGORIZED, STATUS_UPDATE).
N/A metadata.log_type Set to FIREEYE_NX.
N/A metadata.vendor_name Set to FireEye.
N/A security_result.action ALLOW if "notified", BLOCK if "blocked".
N/A is_alert Set to true.

Need more help? Get answers from Community members and Google SecOps professionals.