Collect Symantec VIP Enterprise Gateway logs

Supported in:

Google secops SIEM

This document explains how to ingest Symantec VIP Enterprise Gateway logs to Google Security Operations using the Bindplane agent.

Symantec VIP (Validation and ID Protection) Enterprise Gateway is a multi-factor authentication solution that generates syslog messages for authentication events, credential validation, LDAP synchronization, and health check activity. The parser extracts fields from JSON-formatted and syslog-formatted logs and maps them to the Unified Data Model (UDM).

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and the Symantec VIP Gateway
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Administrative access to the Symantec VIP Gateway web UI

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
sudo systemctl status observiq-otel-collector
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

sudo nano /opt/observiq-otel-collector/config.yaml

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
    udplog:
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/symantec_vip:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: SYMANTEC_VIP
        raw_log_field: body

service:
    pipelines:
        logs/symantec_vip_to_chronicle:
            receivers:
                - udplog
            exporters:
                - chronicle/symantec_vip

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address: IP address and port to listen on:
  - 0.0.0.0 to listen on all interfaces (recommended)
  - Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)
Exporter configuration:
- creds_file_path: Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id: Customer ID copied from the Google SecOps console
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O, then Enter, then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:

sudo systemctl restart observiq-otel-collector

Verify the service is running:

sudo systemctl status observiq-otel-collector

Check logs for errors:

sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows, choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
  4. Verify the service is running:
```
sc query observiq-otel-collector
```
  5. Check logs for errors:
```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```

Configure syslog in Symantec VIP Enterprise Gateway

Sign in to the Symantec VIP Gateway web UI.
Go to Logs > Syslog Configuration.
If configuring Syslog for the first time, select Yes when prompted. If already configured, click Edit.
Provide the following configuration details:
- Syslog Facility: Select LOG_LOCAL0.
- Syslog Host: Enter the Bindplane agent IP address.
- Syslog Port: Enter the Bindplane agent port number (for example, 514 for UDP).
Click Save.
Go to Settings > Console Settings.
Provide the following configuration details:
- Logging Level: Select Info.
- Enable Syslog: Select Yes.
Click Submit.
Go to Settings > Health Check Settings.
Select Yes to enable the Health Check Service.
Provide the following configuration details:
- Logging Level: Select Info.
- Enable Syslog: Select Yes.
Click Submit.
Go to User Store > LDAP Directory Synchronization.
Edit the following configuration details:
- Log Level: Select Info.
- Enable Syslog: Select Yes.
Click Submit.

UDM mapping table

Log field	UDM mapping	Logic
application	read_only_udm.principal.application	Value taken from `application` field extracted by json filter.
command	read_only_udm.target.process.command_line	Value taken from `command` field extracted by grok pattern.
credentialType		This field is not directly mapped to the UDM. It is used to derive the value of read_only_udm.extensions.auth.mechanism.
data		This field is not directly mapped to the UDM. It is parsed to extract other fields.
data2		This field is not directly mapped to the UDM. It is parsed to extract other fields.
datetime	read_only_udm.metadata.event_timestamp.seconds read_only_udm.metadata.event_timestamp.nanos	Seconds and nanoseconds since epoch extracted from the `datetime` field.
desc	read_only_udm.metadata.description	Value taken from `desc` field extracted by json filter.
description	read_only_udm.security_result.description	Value taken from `description` field extracted by json filter.
filename	read_only_udm.target.process.file.full_path	Value taken from `filename` field extracted by grok pattern.
hostname	read_only_udm.principal.hostname	Value taken from `hostname` field extracted by json filter.
host_name	read_only_udm.intermediary.hostname	Value taken from `host_name` field extracted by json filter.
log_level		This field is not directly mapped to the UDM. It is used to derive the value of read_only_udm.security_result.severity.
log_type	read_only_udm.metadata.product_event_type	Value taken from `log_type` field extracted by json filter.
msg		This field is not directly mapped to the UDM. It is parsed to extract other fields.
operation	read_only_udm.security_result.summary	Value taken from `operation` field extracted by grok pattern.
processid	read_only_udm.target.process.pid	Value taken from `processid` field extracted by grok pattern.
product	read_only_udm.metadata.product_name	Value taken from `product` field extracted by json filter.
reason	read_only_udm.metadata.description	Value taken from `reason` field extracted by grok pattern.
request_id	read_only_udm.target.resource.id	Value taken from `request_id` field extracted by grok pattern.
src_ip	read_only_udm.principal.ip	Value taken from `src_ip` field extracted by grok pattern.
status	read_only_udm.metadata.description	Value taken from `status` field extracted by grok pattern.
summary	read_only_udm.security_result.summary	Value taken from `summary` field extracted by json filter.
timestamp.nanos	read_only_udm.metadata.event_timestamp.nanos	Nanoseconds from the original log timestamp.
timestamp.seconds	read_only_udm.metadata.event_timestamp.seconds	Seconds from the original log timestamp.
time		This field is not directly mapped to the UDM. It is used to derive the values of read_only_udm.metadata.event_timestamp.seconds and read_only_udm.metadata.event_timestamp.nanos.
user	read_only_udm.target.user.userid	Value taken from `user` field extracted by json filter or grok pattern.
vendor	read_only_udm.metadata.vendor_name	Value taken from `vendor` field extracted by json filter.
	read_only_udm.extensions.auth.mechanism	Determined by the `credentialType` field. If `credentialType` is `SMS_OTP` or `STANDARD_OTP`, then `OTP` is used. If `credentialType` matches the regular expression `PASSWORD`, then `USERNAME_PASSWORD` is used.
	read_only_udm.extensions.auth.type	If the `reason` field matches the regular expression `LDAP`, then `SSO` is used. Otherwise, `AUTHTYPE_UNSPECIFIED` is used.
	read_only_udm.metadata.event_type	Determined by the presence of certain fields. If `user` or `processid` is not empty, then `USER_LOGIN` is used. If `user` is empty and `src_ip` is not empty or `0.0.0.0`, then `STATUS_UPDATE` is used. Otherwise, `GENERIC_EVENT` is used.
	read_only_udm.metadata.log_type	Hardcoded to `SYMANTEC_VIP`.
	read_only_udm.security_result.action	Determined by the `status` field. If `status` is `Authentication Success`, `GRANTED`, `Authentication Completed`, `After Services Authenticate call`, or `CHALLENGED`, then `ALLOW` is used. If `status` is `DENIED`, `Acces-Reject`, `Unknown Error`, `Service Unavailable`, or `FAILED`, then `BLOCK` is used. If `status` is `PUSH request sent for user` or `Trying to fetch attribute`, then `QUARANTINE` is used.
	read_only_udm.security_result.severity	Determined by the `log_level` field. If `log_level` is `DEBUG`, `INFO`, or `AUDIT`, then `INFORMATIONAL` is used. If `log_level` is `ERROR`, then `ERROR` is used. If `log_level` is `WARNING`, then `MEDIUM` is used.

Need more help? Get answers from Community members and Google SecOps professionals.