Collect Nyansa Voyance / VMware Edge Network Intelligence logs

Supported in:

Google secops SIEM

This document explains how to ingest Nyansa Voyance (VMware Edge Network Intelligence) logs to Google Security Operations using Bindplane.

Nyansa Voyance, now known as VMware Edge Network Intelligence (ENI), is a network analytics and IoT security platform that provides visibility into client access, network services, IoT devices, and enterprise applications. The platform collects data from wireless controllers, switches, and network devices to analyze user experience, application performance, and device behavior across wired and wireless networks.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and your Nyansa Voyance / VMware Edge Network Intelligence instance
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Access to the VMware SD-WAN Orchestrator portal with Enterprise Admin privileges
Nyansa Voyance GraphQL API v2 access token
Java 1.8 or above installed on a Linux or macOS system to run the Nyansa SIEM syslog agent
At least 2GB of free memory for the Java Virtual Machine (JVM)

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
sudo systemctl status observiq-otel-collector
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

sudo nano /etc/bindplane-agent/config.yaml

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
  udplog:
    listen_address: "0.0.0.0:6514"

exporters:
  chronicle/nyansa_events:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: 'YOUR_CUSTOMER_ID'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: NYANSA_EVENTS
    raw_log_field: body
    ingestion_labels:
      env: production
      source: nyansa

service:
  pipelines:
    logs/nyansa_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/nyansa_events

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address: Set to 0.0.0.0:6514 to listen on all interfaces on port 6514 (or use a different port if needed)
Exporter configuration:
- creds_file_path: Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id: Replace YOUR_CUSTOMER_ID with your Chronicle customer ID from step 3
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list
- log_type: Set to NYANSA_EVENTS
- ingestion_labels: Optional labels in YAML format (customize as needed)

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O, then Enter, then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

Run the following command:

sudo systemctl restart observiq-otel-collector

Verify the service is running:

sudo systemctl status observiq-otel-collector

Check logs for errors:

sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows:

Choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
Verify the service is running:
```
sc query observiq-otel-collector
```

Check logs for errors:

type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure Nyansa Voyance API access

To enable the Nyansa SIEM syslog agent to retrieve events from Voyance, you need to create an API token with appropriate permissions.

Create API token in VMware SD-WAN Orchestrator

Sign in to the VMware SD-WAN Orchestrator portal as an Enterprise Admin user.
Go to Administration > Administrators.
Locate your administrator account in the list.
Click Actions > Modify for your administrator account.
Navigate to the Developer API tab.
Click Generate New Token or Create API Token.
Copy and save the generated API token securely.

Record API endpoint URL

Your Voyance GraphQL API v2 URL follows this format:
- Legacy Nyansa customers: https://yourcompany.nyansa.com/api/v2/graphql
- VMware Edge Network Intelligence: https://your-eni-domain/api/v2/graphql
Replace yourcompany or your-eni-domain with your actual organization domain.

Install and configure Nyansa SIEM syslog agent

The Nyansa SIEM syslog agent is a Java application that polls the Voyance GraphQL API and forwards events to syslog. This agent acts as a bridge between the Voyance API and your Bindplane agent.

Download the Nyansa SIEM syslog agent

Download the latest release from the official GitHub repository:

wget https://github.com/Nyansa/voyance-siem-syslog-agent/archive/refs/tags/v0.9.4.tar.gz

Extract the archive:

tar xf v0.9.4.tar.gz
cd voyance-siem-syslog-agent-0.9.4

Build the package using Maven:
```
mvn clean package
```

Extract the generated package:

tar xf target/VoyanceSiemSyslogAgent-0.9.4-package.tar.gz
cd VoyanceSiemSyslogAgent-0.9.4

Configure the agent properties

Edit the config/config.properties file:
```
nano config/config.properties
```

Configure the following required parameters:

# Voyance GraphQL API v2 URL
voyance.dev.api.url = https://yourcompany.nyansa.com/api/v2/graphql

# Voyance GraphQL API v2 Access Token
voyance.dev.api.token = YOUR_API_TOKEN_HERE

# HTTP Proxy (optional, leave blank if not needed)
http.proxy = 

# API Data Fetches Enabled
# Available options: iotOutlierList_all, iotDeviceStatsList_last3h, iotDeviceStatsList_last24h,
# iotDeviceStatsList_last7d, iotDeviceStatsList_last14d, iotGroupStatsList_last3h,
# iotGroupStatsList_last24h, iotGroupStatsList_last7d, iotGroupStatsList_last14d,
# deviceList_updated, applicationList_last3h, applicationList_last24h, deviceEventList_all
api.fetches.enabled = iotOutlierList_all,iotDeviceStatsList_last24h,deviceEventList_all

voyance.dev.api.url: Enter your Voyance GraphQL API v2 URL
voyance.dev.api.token: Enter the API token created in the previous step
http.proxy: Enter proxy hostname and port if required (for example, proxy.company.com:3128), otherwise leave blank
api.fetches.enabled: Comma-separated list of API fetch IDs to enable (customize based on your needs)

Save the file.

Configure syslog destination

Edit the config/log4j2.xml file:
```
nano config/log4j2.xml
```
Locate the <Properties> section and configure the syslog settings:
```
<Properties>
    
    <Property name="SiemSyslogHost">BINDPLANE_AGENT_IP</Property>
    <Property name="SiemSyslogPort">6514</Property>
    <Property name="SiemSyslogProtocol">UDP</Property>
</Properties>
```
- SiemSyslogHost: Enter the IP address or hostname of the Bindplane agent host
- SiemSyslogPort: Enter 6514 (or the port configured in your Bindplane agent)
- SiemSyslogProtocol: Enter UDP or TCP (must match Bindplane receiver configuration)
Save the file.

Start the Nyansa SIEM syslog agent

Start the agent using the provided script:
```
./VoyanceSiemSyslogAgent.sh start
```
Verify the agent is running:
```
./VoyanceSiemSyslogAgent.sh status
```
Monitor the agent logs for errors:
```
tail -f logs/voyance-agent.log
```

Common agent commands

Start the agent:
```
./VoyanceSiemSyslogAgent.sh start
```
Stop the agent:
```
./VoyanceSiemSyslogAgent.sh stop
```
Restart the agent:
```
./VoyanceSiemSyslogAgent.sh restart
```
Check agent status:
```
./VoyanceSiemSyslogAgent.sh status
```
Reset database and API fetch progress:
```
./VoyanceSiemSyslogAgent.sh db_reset
```
Validate configuration:
```
./VoyanceSiemSyslogAgent.sh validate
```
Show available API fetch IDs:
```
./VoyanceSiemSyslogAgent.sh show_apis
```

Verify log ingestion

Wait a few minutes for the Nyansa SIEM syslog agent to poll the Voyance API and forward events to the Bindplane agent.

Check the Bindplane agent logs to verify syslog messages are being received:

Linux:

sudo journalctl -u observiq-otel-collector -f | grep -i nyansa

Windows:

type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" | findstr /i nyansa

Sign in to the Google SecOps console.
Go to SIEM Settings > Feeds and verify the feed status shows as Active.
Search for Nyansa events in the Google SecOps search interface using the ingestion label NYANSA_EVENTS.

Troubleshooting

Nyansa SIEM syslog agent errors

Missing API URL or token: Verify voyance.dev.api.url and voyance.dev.api.token are correctly configured in config/config.properties.
API authentication failures: Verify the API token is valid and has not expired. Generate a new token if needed.
Network connectivity issues: Verify the agent can reach the Voyance API URL. Check firewall rules and proxy settings.
Syslog connection failures: Verify the Bindplane agent IP address and port are correct in config/log4j2.xml. Ensure the Bindplane agent is running and listening on the configured port.

Bindplane agent errors

Configuration syntax errors: Validate YAML syntax in config.yaml. Ensure proper indentation (2 spaces, not tabs).
Authentication failures: Verify the ingestion authentication file path is correct and the file is readable.
Network connectivity issues: Verify the Bindplane agent can reach the Chronicle regional endpoint. Check firewall rules for outbound HTTPS (TCP 443) to the endpoint.
No logs received: Verify the Nyansa SIEM syslog agent is running and configured to send to the correct Bindplane agent IP and port.

UDM mapping table

Log Field	UDM Mapping	Logic
auth_method	extensions.auth.type	Type of authentication (e.g., USER, MACHINE)
host	intermediary.hostname	Hostname of the intermediary device
host	intermediary.ip	IP address of the intermediary device
collected_timestamp	metadata.collected_timestamp	Timestamp when the event was collected
timestamp	metadata.event_timestamp	Timestamp when the event occurred
user_name	metadata.event_type	Type of event (e.g., USER_LOGIN, NETWORK_CONNECTION)
nas_ip	metadata.event_type
event_type	metadata.product_event_type	Product-specific event type
session_id	network.session_id	Unique identifier for the network session
service_name	principal.application	Application name associated with the principal
nas_ip	principal.ip	IP address of the principal
end_host_id	principal.mac	MAC address of the principal
nas_port	principal.port	Port number of the principal
user_name	principal.user.userid	User ID of the principal
auth_method	security_result.detection_fields	Additional detection fields from security analysis
auth_source	security_result.detection_fields
error_code	security_result.detection_fields
request_status	security_result.detection_fields
request_id	security_result.detection_fields
additional.label	security_result.detection_fields
additional.value	security_result.detection_fields
metadata.product_name	metadata.product_name	Product name
metadata.vendor_name	metadata.vendor_name	Vendor name

Need more help? Get answers from Community members and Google SecOps professionals.