Google SecOps with Bindplane Quick Start

The fastest way to configure Bindplane with Google SecOps and start ingesting telemetry right away.

Sign up for Bindplane Cloud. We recommend using Bindplane Cloud to get started. It's the fastest and easiest way to build out your telemetry pipelines. It includes a free tier for proof-of-concepts and development projects.

If you want to see self-hosted options, view the solutions here.

Note: The initial license will be the “Free” edition. This has full functionality, but is limited to a maximum of 10 collectors. To change license levels, contact support@observiq.com, or post a question in the Bindplane Community Slack.

Bindplane Architecture Diagram

Bindplane Cloud with Google SecOps Network Diagram

Configure your Bindplane Organization

Give your Organization a name.

Bindplane Cloud Org Creation

After you sign in for the first time, you can check the Organization, Project, and License level in the upper-right menu.

Bindplane Cloud Org View

Configure the SecOps Destination

Create a Configuration with a Destination for sending data to your Google SecOps instance.

Destinations can also be created inside a Configuration for Agents, but here you'll create one in the Library so that it can be reused by multiple Configurations.

Go to Library in the UI. Click Add Destination, and select Google SecOps.

Bindplane Library View
Add SecOps Destination

Google SecOps offers two different ingestion APIs. This guide showcases the default gRPC API.

You can set the appropriate region by following the “Read More About Regional Endpoints” link and choosing the endpoint for your area.

Configure SecOps Destination

Customer ID

You can find your SecOps Customer ID under Settings > Profile > Organization Details in the SecOps Interface.

SecOps Profile

JSON Authentication

JSON Authentication is the recommended Authentication Method for sending data to SecOps.

You can download a JSON file from the SecOps Interface under Settings > Collection Agents > Ingestion Authentication File.

SecOps JSON Config

Copy and paste the JSON contents into the Credentials field and set the Customer ID. These are the two required settings to send data to Google SecOps.

Save the configuration, and name the Destination Configuration.

Save Config

It's now saved to the Library and can be used for any of your Configurations.

Configure Linux auditd Log Collection

Now, you'll configure collection of auditd logs on a Linux machine.

Note: Deploy, or have access to, a Linux system with auditd. Here's a list of supported operating systems. We recommend deploying on a GCE instance with CentOS / CentOS Stream 9.

Install a Collector

First, deploy the BDOT Collector on your Linux machine. Navigate to Agents, choose the Linux platform, and select Agent Type 1.x.

Install Collector

The next step shows a one-line install script. Run it on your Linux machine and wait for the OTel Collector to appear in the list.

Install Collector Script
Install Collector Output

Configure the Linux auditd Logs Source

Create a new Configuration.

Configure audit logs

Add the "File" Source.

Configure audit logs source

Add the default file path for auditd.

```text
/var/log/audit/audit.log
```

Set Parse Format to None. Parsing is done in Google SecOps, so it is not required beforehand.

Set the Start At to beginning.

Configure audit beginning

Add the Google SecOps Destination that was created earlier and Save the Configuration.

Configure audit secops destination

The configuration will not have any collectors attached right away. To add one, click Add Agent at the bottom of the Configuration, then Start Rollout to deploy it.

Configure rollout

View the Configuration File

You can view the OpenTelemetry Collector pipeline configuration by clicking View Configuration File.

This pipeline is useful for troubleshooting and as a reference: it is the exact configuration that is rolled out to the collectors via the OpAMP protocol.

Config file view
```yaml
# This configuration is managed by Bindplane.
# Configuration: linux-auditd-secops:1
receivers:
  filelog/source@_01JH89S7FGQE45F1SWFTGKN81N:
    delete_after_read: false
    encoding: utf-8
    fingerprint_size: 1kb
    force_flush_period: 500ms
    include:
      - /var/log/audit/audit.log
    include_file_name: true
    include_file_name_resolved: false
    include_file_path: false
    include_file_path_resolved: false
    max_concurrent_files: 1024
    max_log_size: 1MiB
    operators:
      - field: attributes.log_type
        type: add
        value: file
    poll_interval: 200ms
    retry_on_failure:
      enabled: false
    start_at: beginning
    storage: file_storage/source@_01JH89S7FGQE45F1SWFTGKN81N

processors:
  resourcedetection/source@_01JH89S7FGQE45F1SWFTGKN81N:
    detectors:
      - system
    system:
      hostname_sources:
        - os

exporters:
  chronicle/SecOps:
    compression: gzip
    creds: (sensitive)
    customer_id: b536658e-469e-44a5-b764-d5ab15b72ce0
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: NIX_SYSTEM
    namespace: null
    raw_log_field: body
    retry_on_failure:
      enabled: true
      initial_interval: 5s
      max_elapsed_time: 300s
      max_interval: 30s
    sending_queue:
      enabled: true
      num_consumers: 10
      queue_size: 5000
      storage: file_storage/SecOps
    timeout: 5s

extensions:
  file_storage/SecOps:
    compaction:
      directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
      on_rebound: true
    directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
  file_storage/source@_01JH89S7FGQE45F1SWFTGKN81N:
    compaction:
      directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage
      on_rebound: true
    directory: ${OIQ_OTEL_COLLECTOR_HOME}/storage

# ...
```
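The rolled-out file is worth sanity-checking before Start Rollout. The lint below is an added example, not Bindplane's or observIQ's code; it runs on a constructed dict mirroring the config above (a real run would load the YAML with PyYAML first) and flags the settings this guide relies on: the auditd path and start_at, a well-formed operators list, non-empty creds, a UUID customer_id, a Google endpoint, and storage references that resolve to a declared extension.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")

# Constructed mirror of the rolled-out config above, reduced to the settings the checks need.
SAMPLE_CFG = {
    "receivers": {"filelog/source": {
        "include": ["/var/log/audit/audit.log"],
        "start_at": "beginning",
        "operators": [{"field": "attributes.log_type", "type": "add", "value": "file"}],
        "storage": "file_storage/source"}},
    "exporters": {"chronicle/SecOps": {
        "creds": "(sensitive)",
        "customer_id": "b536658e-469e-44a5-b764-d5ab15b72ce0",
        "endpoint": "malachiteingestion-pa.googleapis.com",
        "log_type": "NIX_SYSTEM",
        "sending_queue": {"enabled": True, "storage": "file_storage/SecOps"}}},
    "extensions": {"file_storage/SecOps": {}, "file_storage/source": {}},
}

def _check_storage(owner, ref, extensions, findings):
    # A storage reference must point at a declared extension or the collector fails to start.
    if ref and ref not in extensions:
        findings.append(f"{owner}: storage '{ref}' is not declared under extensions")

def lint_pipeline(cfg):
    """Return human-readable findings for the auditd -> SecOps pipeline; empty means it passed."""
    findings = []
    extensions = set(cfg.get("extensions", {}))
    for name, rcv in cfg.get("receivers", {}).items():
        if name.startswith("filelog"):
            if not any(p.endswith("audit.log") for p in rcv.get("include", [])):
                findings.append(f"{name}: no auditd log path in include")
            if rcv.get("start_at") != "beginning":
                findings.append(f"{name}: start_at is not 'beginning', existing lines are skipped")
            for op in rcv.get("operators", []):
                # Catches a mis-indented operator list, where 'type' ends up outside the item.
                if not isinstance(op, dict) or "type" not in op:
                    findings.append(f"{name}: malformed operator entry {op!r}")
        _check_storage(name, rcv.get("storage"), extensions, findings)
    for name, exp in cfg.get("exporters", {}).items():
        if name.startswith("chronicle"):
            if not exp.get("creds"):
                findings.append(f"{name}: creds is empty, SecOps will reject the batch")
            if not UUID_RE.match(str(exp.get("customer_id", ""))):
                findings.append(f"{name}: customer_id is not a UUID")
            if not str(exp.get("endpoint", "")).endswith(".googleapis.com"):
                findings.append(f"{name}: endpoint is not a Google ingestion endpoint")
        _check_storage(name, exp.get("sending_queue", {}).get("storage"), extensions, findings)
    return findings
```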

Configure SecOps Standardization Processor

The auditd logs are now flowing to Google SecOps via the collector. You can confirm this in the processor view, where Bindplane shows a snapshot of the telemetry received over the OpAMP connection.

Processor

Click View on the Recommendation; it shows an example SecOps Standardization processor configuration.

Set these values in the SecOps Standardization Processor configuration:

  • Log type: AUDITD
  • Namespace: linux-app-audit
  • Ingestion Labels KV: application training

Processor Config 1

This adds the following attribute fields. Note that these fields could also be added manually with the Add Fields processor; the SecOps Standardization processor simply makes this easier.

Processor Config 2

Silent Host Monitoring

View the Silent Host Monitoring how-to guide to learn more.

Configure Windows Events Log Collection

The same configuration works with Windows Events as the Source.

Make sure to check Raw Logs, under Advanced, in the Windows Event Source.

Windows Events