Collect Zix Email Encryption logs

Supported in:

Google secops SIEM

This document explains how to ingest Zix Email Encryption logs to Google Security Operations using the Bindplane agent.

Zix Email Encryption (now OpenText ZixEncrypt) is an email encryption and DLP platform for secure email communications and compliance. It generates SMTP transaction logs and encryption event logs on the ZixGateway appliance.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and the Zix Email Encryption appliance
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the Zix Email Encryption appliance (ZixGateway) with administrator permissions
Access to Zix Email Encryption log files (SMTP transaction logs, encryption event logs)

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
sudo systemctl status observiq-otel-collector
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

sudo nano /etc/bindplane-agent/config.yaml

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
    filelog:
        include:
            - /var/log/zix/*.log
            - /opt/zix/logs/*.log
        start_at: beginning

exporters:
    chronicle/zix_email:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: ZIX_EMAIL_ENCRYPTION
        raw_log_field: body
        ingestion_labels:
            env: production

service:
    pipelines:
        logs/zix_to_chronicle:
            receivers:
                - filelog
            exporters:
                - chronicle/zix_email

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- filelog: The receiver type for collecting log files from disk
- include: List of file paths or glob patterns to monitor:
  - Linux: /var/log/zix/*.log or /opt/zix/logs/*.log
  - Windows: C:\Program Files\Zix\logs\*.log
  - Adjust the path to match your ZixGateway log file location
- start_at: Set to beginning to read existing log files from the start, or end to only read new entries
Exporter configuration:
- zix_email: Descriptive name for the exporter
- creds_file_path: Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- <customer_id>: Customer ID from the previous step
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list
- ZIX_EMAIL_ENCRYPTION: Log type exactly as it appears in Chronicle
- ingestion_labels: Optional labels in YAML format (for example, env: production)
Pipeline configuration:
- zix_to_chronicle: Descriptive name for the pipeline

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O, then Enter, then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:

sudo systemctl restart observiq-otel-collector

Verify the service is running:

sudo systemctl status observiq-otel-collector

Check logs for errors:

sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows, choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
  net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
  4. Verify the service is running:
```
  sc query observiq-otel-collector
```
  5. Check logs for errors:
```
  type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```

Configure Zix Email Encryption log collection

The Bindplane agent collects log files directly from the ZixGateway appliance file system.

Verify log file locations

Sign in to the ZixGateway management console.
Go to Monitoring > Logs.
Verify the log file directory:
- Linux: /var/log/zix/ or /opt/zix/logs/
- Windows: C:\Program Files\Zix\logs\
Note: Consult the ZixGateway Administration Guide for your specific log directory path. Ensure the Bindplane agent has read access to the log directory.
Confirm that SMTP transaction logs and encryption event logs are being written to the expected location.
Update the include paths in the Bindplane agent config.yaml if the log directory differs from the defaults.

UDM mapping table

Log Field	UDM Mapping	Logic
intermediary	intermediary	Merged from intermediary
relay_host	intermediary.hostname	Value copied directly from relay_host
relay_ip	intermediary.ip	Merged from relay_ip
relay_port	intermediary.port	Value from relay_port converted to integer
message_details	metadata.description	Value copied directly from message_details in smtp, smtpd, cleanup, or error blocks
principal_hostname, sender_email	metadata.event_type	Set to "EMAIL_TRANSACTION" if principal_hostname and sender_email not empty, else "NETWORK_CONNECTION" if principal_hostname and (target_host or target_ip) not empty, else "STATUS_UPDATE" if principal_hostname not empty and (target_host or target_ip) empty, else "GENERIC_EVENT"
	metadata.product_name	Set to "Zix Email Encryption"
	metadata.vendor_name	Set to "Zix"
message	network.application_protocol	Set to "SMTP" if message matches smtp or smtpd
sender_email	network.email.from	Value copied directly if sender_email matches email regex
subject	network.email.subject	Merged from subject
recipient_email	network.email.to	Merged from recipient_email if matches email regex
data_size	network.received_bytes	Value from data_size converted to uinteger
tls_cipher	network.tls.cipher	Value copied directly from tls_cipher
cert_data	network.tls.client.certificate.issuer	Value copied directly from cert_data
daemon	principal.application	Value copied directly from daemon
principal_hostname	principal.hostname	Value copied directly from principal_hostname
file	principal.process.file.full_path	Value copied directly from file
pid	principal.process.pid	Value copied directly from pid
	principal.resource.type	Set to "CLEANUP_MESSAGE_ID" if daemon is cleanup
sender_email	principal.user.user_display_name	Value copied directly if sender_email does not match email regex
user_id	principal.user.userid	Value from user_id if not empty, else from user_id in else block
security_result	security_result	Merged from security_result
security_action	security_result.action	Merged from security_action
failure_reason	security_result.description	Value copied directly from failure_reason
security_summary	security_result.summary	Value copied directly from security_summary
file	target.file.full_path	Value copied directly from file
target_host	target.hostname	Value copied directly from target_host
target_ip	target.ip	Merged from target_ip
target_port	target.port	Value from target_port converted to integer
message_id	target.resource.name	Value copied directly from message_id
recipient_email	target.user.user_display_name	Value copied directly if recipient_email does not match email regex

Need more help? Get answers from Community members and Google SecOps professionals.