Installation of Bindplane Agent (observiq otel collector) on an RHEL Server
Switch to the root user
Example:
bindplanefwd@bindplane:~$ sudo su
root@bindplane:/home/bindplanefwd#
Step 1: Use the command below to update the apt-get package index
Example:
root@bindplane:/home/bindplanefwd# apt-get update
Step 2: Use the command below to install/update rpm (the prompts in this guide come from a Debian/Ubuntu based host; an RHEL host already ships rpm and uses dnf or yum in place of apt-get)
Example:
root@bindplane:/home/bindplanefwd# apt-get install rpm
Step 3: Use wget to download the Bindplane Agent (observiq otel collector) RPM over HTTPS:
Example:
root@bindplane:/home/bindplanefwd# wget https://github.com/observIQ/bindplane-agent/releases/download/v1.64.0/observiq-otel-collector_v1.64.0_linux_amd64.rpm
Step 4: Now use the command below to install the Bindplane Agent (observiq otel collector)
Example:
root@bindplane:/home/bindplanefwd# rpm -i observiq-otel-collector_v1.64.0_linux_amd64.rpm
Through a Forwarder:
1. Before You Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observiq otel collector), the following are required:
- Ubuntu 20 or later
- Internet connectivity
b. In the firewall, the following custom port and protocol must be allowed from the servers to the Forwarder.
Custom Port: 11655
Protocol: TCP
c. In the firewall, the following hosts must be allowed from the Forwarder to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2:
Add the collector below to the Forwarder config file:
collectors:
  - syslog:
      common:
        enabled: true
        data_type: NIX_SYSTEM
        data_hint:
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:11655
      udp_address: 0.0.0.0:11655
2. Configuring the config.yaml file
Step 1: To open the config.yaml file, run the following commands:
bindplanefwd@bindplane:~$ sudo su
root@bindplane:/home/bindplanefwd#
root@bindplane:/home/bindplanefwd# cd /opt
root@bindplane:/opt#
root@bindplane:/opt# cd observiq-otel-collector/
root@bindplane:/opt/observiq-otel-collector#
root@bindplane:/opt/observiq-otel-collector# gedit config.yaml
Copy the configuration below and paste it into the config.yaml file.
receivers:
  filelog/linux:
    include:
      - /var/log/messages
      - /var/log/lastlog
      - /var/log/btmp
      - /var/log/wtmp
      - /var/log/secure
      - /var/log/cron
      - /var/log/maillog
      - /var/log/boot
    start_at: end
    poll_interval: 5s
exporters:
  chronicleforwarder/linux:
    export_type: syslog
    raw_log_field: body
    syslog:
      endpoint: Forwarder IP:11655
      transport: tcp
service:
  pipelines:
    logs/linux:
      receivers:
        - filelog/linux
      exporters: [chronicleforwarder/linux]
Step 2: After saving the config.yaml file, start the observIQ otel collector.
root@bindplane:/opt/observiq-otel-collector# systemctl start observiq-otel-collector
Step 3: Now use the command below to enable the observIQ otel collector service, which is currently in the disabled state, so that it also starts at boot.
root@bindplane:/opt/observiq-otel-collector# systemctl enable --now observiq-otel-collector
Step 4. Now verify that the RHEL logs are being ingested by the Forwarder and then by Chronicle.
Directly to Chronicle:
1. Before You Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observiq otel collector), the following are required:
- Ubuntu 20 or later
- Internet connectivity
- Google SecOps ingestion authentication file
- Google SecOps Customer ID
b. In the firewall, the following hosts must be allowed from the server to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
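The firewall tables in both sections (Forwarder to Chronicle, and server to Chronicle) list the outbound TCP paths that must be open before the collector is started. The script below is an added example, not part of the original guide or of observIQ's code: it attempts a TCP connection to each destination from the table on port 443 and reports, per host, whether the failure was name resolution, an active reject, or a silent drop (timeout), which is the usual sign of a firewall rule that is still missing. CHRONICLE_HOSTS is copied from the table; FORWARDER_IP is a placeholder for the server-to-Forwarder case on port 11655.

```python
# Added example (not part of the original guide): checks the outbound TCP paths the
# firewall tables require, before the collector is started. Hosts are the ones listed
# in the table; FORWARDER_IP is a placeholder for the "through a Forwarder" case.
import socket
from typing import Dict, Iterable, List, Tuple

CHRONICLE_HOSTS = [
    "malachiteingestion-pa.googleapis.com",
    "asia-northeast1-malachiteingestion-pa.googleapis.com",
    "asia-south1-malachiteingestion-pa.googleapis.com",
    "asia-southeast1-malachiteingestion-pa.googleapis.com",
    "australia-southeast1-malachiteingestion-pa.googleapis.com",
    "europe-malachiteingestion-pa.googleapis.com",
    "europe-west2-malachiteingestion-pa.googleapis.com",
    "europe-west3-malachiteingestion-pa.googleapis.com",
    "europe-west6-malachiteingestion-pa.googleapis.com",
    "europe-west12-malachiteingestion-pa.googleapis.com",
    "me-central1-malachiteingestion-pa.googleapis.com",
    "me-central2-malachiteingestion-pa.googleapis.com",
    "me-west1-malachiteingestion-pa.googleapis.com",
    "northamerica-northeast2-malachiteingestion-pa.googleapis.com",
    "accounts.google.com",
    "oauth2.googleapis.com",
]


def check_tcp(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    # One TCP connect; the reason string separates the three usual causes of failure:
    # name resolution, an active reject, and a silent drop by a firewall (timeout).
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"dns failure: {exc}"
    except socket.timeout:
        return False, "timeout (connection likely filtered)"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def check_targets(targets: Iterable[Tuple[str, int]],
                  timeout: float = 3.0) -> Dict[str, Tuple[bool, str]]:
    return {f"{host}:{port}": check_tcp(host, port, timeout) for host, port in targets}


def failures(results: Dict[str, Tuple[bool, str]]) -> List[str]:
    return [target for target, (ok, _) in results.items() if not ok]


if __name__ == "__main__":
    # Forwarder -> Chronicle (or server -> Chronicle in the direct case): table hosts on 443.
    targets = [(host, 443) for host in CHRONICLE_HOSTS]
    # Server -> Forwarder: use this list instead, replacing the placeholder address.
    # targets = [("FORWARDER_IP", 11655)]
    results = check_targets(targets)
    for target, (ok, reason) in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {target} {reason}")
    raise SystemExit(1 if failures(results) else 0)
```

Run it on the host that will make the connection (the Forwarder for the first table, the RHEL server for the second); a non-zero exit means at least one destination is not reachable and the firewall rule should be fixed before moving on to the config.yaml steps.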
Step 2:
a. Google SecOps ingestion authentication file: its contents provide the required fields for the creds section of the Bindplane configuration.
To download the authentication file, follow these steps:
- Open the Google SecOps Chronicle.
- Go to SIEM Settings > Collection Agent.
- Download the Google SecOps ingestion authentication file.
b. Google SecOps Customer ID:
To find the Customer ID, follow these steps:
- Open the Google SecOps Chronicle.
- Go to SIEM Settings > Profile.
- Copy the Customer ID from the Organization Details section.
2. Configuring the config.yaml file
Step 1: To open the config.yaml file, run the following commands:
bindplanefwd@bindplane:~$ sudo su
root@bindplane:/home/bindplanefwd#
root@bindplane:/home/bindplanefwd# cd /opt
root@bindplane:/opt#
root@bindplane:/opt# cd observiq-otel-collector/
root@bindplane:/opt/observiq-otel-collector#
root@bindplane:/opt/observiq-otel-collector# gedit config.yaml
Copy the configuration below and paste it into the config.yaml file.
receivers:
  filelog/linux:
    include:
      - /var/log/messages
      - /var/log/lastlog
      - /var/log/btmp
      - /var/log/wtmp
      - /var/log/secure
      - /var/log/cron
      - /var/log/maillog
      - /var/log/boot
    start_at: end
    poll_interval: 5s
exporters:
  chronicle/linux:
    endpoint: malachiteingestion-pa.googleapis.com
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": "abcdefghijklmnopqrstuvwxyz123456789",
      "private_key": "-----BEGIN PRIVATE KEY-----\nhgjgkgkgkgkgkgkgfg78yhjkDGh\n-----END PRIVATE KEY-----\n",
      "client_email": "account@malachite-projectname.iam.gserviceaccount.com",
      "client_id": "123456789123456789",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40malachite-projectname.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
      }'
    log_type: 'NIX_SYSTEM'
    override_log_type: false
    raw_log_field: body
    customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'
service:
  pipelines:
    logs/linux:
      receivers:
        - filelog/linux
      exporters: [chronicle/linux]
Step 2. Refer to Step 2 (a & b) in the 'Before You Begin' sub-section of the 'Directly to Chronicle' section: copy the contents of the Google SecOps ingestion authentication file and replace the creds value under exporters with them.
Step 3. Copy the Google SecOps Customer ID and paste it into customer_id under exporters.
Step 4. After saving the config.yaml file, start the observIQ otel collector.
root@bindplane:/opt/observiq-otel-collector# systemctl start observiq-otel-collector
Step 5. Now use the command below to enable the observIQ otel collector service, which is currently in the disabled state, so that it also starts at boot.
root@bindplane:/opt/observiq-otel-collector# systemctl enable --now observiq-otel-collector
Step 6. Now verify that the RHEL server logs are being ingested into Chronicle.
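Steps 2 and 3 above paste a service-account JSON file and a Customer ID into config.yaml by hand, which is where most first-run failures come from (a truncated key, a stray quote, a mistyped ID) and which leaves a private key in a world-readable file. The script below is an added example, not part of the original guide or of observIQ's code: it reads the downloaded authentication file, checks that it is a complete service-account key and that the Customer ID is a valid UUID, renders the same receiver/exporter/pipeline layout as the configuration above with the JSON embedded as a YAML single-quoted scalar, and writes config.yaml with mode 0600. The list of required fields and the sample credentials (all values fake) are assumptions; parse_embedded_creds can also be pointed at an existing config.yaml to confirm the embedded JSON still parses.

```python
# Added example (not part of the original guide or of observIQ's code): builds the
# direct-to-Chronicle config.yaml from the downloaded Google SecOps ingestion
# authentication file and the Customer ID, instead of pasting the JSON by hand, and
# writes it owner-only because the file embeds a service-account private key.
import json
import os
import re
import uuid

# Fields expected in the authentication file (assumption, based on the creds block above).
REQUIRED_SA_KEYS = ("type", "project_id", "private_key_id", "private_key",
                    "client_email", "client_id", "token_uri")
LOG_FILES = ["/var/log/messages", "/var/log/lastlog", "/var/log/btmp", "/var/log/wtmp",
             "/var/log/secure", "/var/log/cron", "/var/log/maillog", "/var/log/boot"]

# Constructed sample input: every value is fake.
SAMPLE_CREDS = {
    "type": "service_account",
    "project_id": "malachite-example",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE-KEY-MATERIAL\n-----END PRIVATE KEY-----\n",
    "client_email": "account@malachite-example.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
    "universe_domain": "googleapis.com",
}
SAMPLE_CUSTOMER_ID = "12345678-1234-1234-1234-123456789abc"


def validate_service_account(creds: dict) -> dict:
    # Catch the wrong file or a truncated paste before the collector logs an auth error.
    missing = [k for k in REQUIRED_SA_KEYS if not creds.get(k)]
    if missing:
        raise ValueError(f"authentication file is missing fields: {missing}")
    if creds["type"] != "service_account":
        raise ValueError(f"unexpected credential type {creds['type']!r}")
    if "-----BEGIN PRIVATE KEY-----" not in creds["private_key"]:
        raise ValueError("private_key is not PEM encoded")
    return creds


def validate_customer_id(customer_id: str) -> str:
    # The Customer ID from SIEM Settings > Profile is a UUID; uuid.UUID rejects copy errors.
    return str(uuid.UUID(customer_id.strip()))


def yaml_single_quoted(value: str) -> str:
    # In a YAML single-quoted scalar the only escape is a doubled quote and backslashes
    # stay literal, so the \n sequences inside private_key reach the JSON parser intact.
    return "'" + value.replace("'", "''") + "'"


def render_config(creds: dict, customer_id: str, log_type: str = "NIX_SYSTEM") -> str:
    # Same receiver/exporter/pipeline layout as the configuration block in the guide.
    validate_service_account(creds)
    cid = validate_customer_id(customer_id)
    includes = "\n".join(f"      - {path}" for path in LOG_FILES)
    return (
        "receivers:\n  filelog/linux:\n    include:\n" + includes + "\n"
        "    start_at: end\n    poll_interval: 5s\n"
        "exporters:\n  chronicle/linux:\n"
        "    endpoint: malachiteingestion-pa.googleapis.com\n"
        f"    creds: {yaml_single_quoted(json.dumps(creds))}\n"
        f"    log_type: '{log_type}'\n    override_log_type: false\n"
        "    raw_log_field: body\n"
        f"    customer_id: '{cid}'\n"
        "service:\n  pipelines:\n    logs/linux:\n      receivers:\n"
        "        - filelog/linux\n      exporters: [chronicle/linux]\n"
    )


def parse_embedded_creds(config_text: str) -> dict:
    # Read the creds scalar back out of a config file, e.g. to audit an existing one.
    match = re.search(r"creds: '((?:[^']|'')*)'", config_text)
    if not match:
        raise ValueError("no creds scalar found in config")
    return json.loads(match.group(1).replace("''", "'"))


def write_config(path: str, text: str) -> int:
    # Create with mode 0600 and re-apply it in case the file already existed with wider bits.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)
    return os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    import sys  # usage: render_config.py <auth-file.json> <customer-id> [config.yaml]
    with open(sys.argv[1]) as fh:
        service_account = json.load(fh)
    target = sys.argv[3] if len(sys.argv) > 3 else "config.yaml"
    write_config(target, render_config(service_account, sys.argv[2]))
```

Run it as root on the server with the downloaded authentication file and the Customer ID, pointing the third argument at /opt/observiq-otel-collector/config.yaml, then continue with the systemctl steps above. Because the file now holds the private key, keep it owned by the account the collector runs as and do not copy it into tickets or chat when troubleshooting.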