Bindplane is an OpenTelemetry-native telemetry pipeline designed to collect, refine, and export metrics, logs, and traces from any source to any destination. With Bindplane you can reduce costs and simplify telemetry collector management at scale.
Bindplane uses the Bindplane Distro for OpenTelemetry (BDOT) Collector to standardize telemetry management with Open Agent Management Protocol (OpAMP).
Bindplane can be deployed in two different ways:
- Bindplane Cloud - Hosted and managed by Bindplane in Google Cloud
- Self-Hosted Bindplane - Deploy Bindplane on-premises in your own infrastructure
Google SecOps with Bindplane (SaaS) Requirements
Network Requirements
Bindplane Cloud exposes a single domain and IP address that carries OpAMP traffic between collectors and the server as well as the Admin UI, CLI, and API.
- Domain: app.bindplane.com TCP :443
- IP Address: 34.120.255.184
Authentication is handled by Auth0 and requires connectivity to Auth0 when using the Admin UI. View this list of IPs to allowlist for Auth0.
- Auth0: auth0.bindplane.com TCP :443
Bindplane Collector Network Requirements
The Bindplane Distro for OpenTelemetry (BDOT) Collector uses OpAMP to connect to Bindplane Cloud. The connection is initiated from the collector side, so only an outbound port from the collector to Bindplane Cloud needs to be opened.
- Domain: app.bindplane.com TCP :443
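The following PowerShell is an added example, not part of the Bindplane or Netenrich documentation: run on a Windows host before installing the collector, it checks that the endpoints listed above are reachable on TCP 443 and that app.bindplane.com still resolves to the published IP. The function name and the target table are my own; the hostnames, port and IP come from this page.

```powershell
# Added example: pre-flight egress check for the Bindplane Cloud endpoints listed above.
# Hostnames, port and expected IP are taken from the requirements section of this page;
# the function and target table are assumptions for illustration, not Bindplane tooling.
$Targets = @(
    @{ Name = 'OpAMP / Admin UI / CLI / API'; Host = 'app.bindplane.com';   Port = 443; ExpectedIp = '34.120.255.184' },
    @{ Name = 'Auth0 (Admin UI login)';       Host = 'auth0.bindplane.com'; Port = 443; ExpectedIp = $null }
)

function Test-BindplaneEgress {
    param([array]$Endpoints = $Targets)
    foreach ($e in $Endpoints) {
        # Test-NetConnection does a DNS lookup plus a plain TCP handshake; it does not
        # use the system proxy, so a proxy-only egress path will show as TcpOpen = $false.
        $r = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
        $resolved = if ($r.RemoteAddress) { $r.RemoteAddress.IPAddressToString } else { 'unresolved' }
        [pscustomobject]@{
            Name       = $e.Name
            Target     = '{0}:{1}' -f $e.Host, $e.Port
            ResolvedIp = $resolved
            TcpOpen    = [bool]$r.TcpTestSucceeded
            # Only app.bindplane.com has a published IP; a mismatch usually means DNS
            # interception or a stale allowlist entry on the egress firewall.
            IpAsListed = if ($e.ExpectedIp) { $resolved -eq $e.ExpectedIp } else { 'n/a' }
        }
    }
}

Test-BindplaneEgress | Format-Table -AutoSize
```

A successful TCP handshake only proves the path is open; a TLS-intercepting proxy on that path can still break the OpAMP connection, so check the collector's status in the Agents page after install as well.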
Google SecOps with Bindplane (SaaS)
Signup process:
Signup at - https://app.bindplane.com/signup
To Access Bindplane UI - https://app.bindplane.com
The initial login prompts you to create an Organization Name and accept the EULA.
Using the hamburger menu at the top right, you can create additional projects, invite users, and toggle between dark and light mode.
Initial Configuration (UI & Menus)
Overview: This page summarizes overall Deployment, Monitoring Dashboard, Agent/Data Summary and Top 5 configurations.
Agents: This page provides Agent Deployment / Management Options.
Configurations: This page provides the ability to view, configure, and deploy configurations.
Library: This page provides all configuration options to view, create, or update. Templates can be pre-built, saved, and reused for further deployments.
Installing the first collector
1. Navigate to the Agents tab and select the Install Your First Agent button inside the Agents table.
The Collector Installation wizard guides you through installing a collector. The first step is to select the platform for your collector's deployment. When you've completed the form, click the Next button.
2. In this example we are installing our first collector on Windows, so we select Windows as the platform.
3. Run the command on each Windows host using PowerShell (Run as Administrator).
Note: Refer to the Advanced Configuration document for deploying multiple agents across the enterprise or deploying the Windows Event Collector.
4. Once the collector is installed successfully you will be able to see the collector table below the script.
5. If the collector was not installed successfully or you are not seeing the collector installation status
Note: Follow Netenrich Bindplane Troubleshooting guide for additional collector troubleshooting.
6. To set up a collector configuration, navigate to the Configurations tab and click Create Configuration.
7. The wizard walks through the steps required to create a configuration.
Naming conventions:
- must be 63 characters or less
- must begin and end with an alphanumeric character ([a-z0-9A-Z])
- can contain dashes ( - ), underscores ( _ ), dots ( . ), and alphanumerics in between
8. Provide a Configuration Name.
9. Select the Agent Type.
10. Select the Platform and a Description (optional).
11. Select Next.
12. Click Add a Source (currently supported sources are listed).
13. Select Windows Events.
14. Provide a short description.
15. Under Logs:
- Select System, Application, and Security events (or others, based on your requirements).
16. Expand Advanced.
17. Select the Raw Logs check box.
Note: For SecOps this is a mandatory step, as SecOps expects raw logs.
18. Under Advanced, you can also select Custom Channels for Windows.
Provide the custom channel information (e.g. Microsoft-Windows-PowerShell/Operational, Microsoft-Windows-DNSServer/Audit).
19. Select Save.
20. Select Next.
21. The next step is adding a Destination.
Note: The destinations available to you depend on the licensing model. The scope of this document is Google SecOps, so we configure Google SecOps as the destination.
22. Setting up a destination for Google SecOps involves additional steps.
23. For Google SecOps Forwarder:
a. Follow the steps listed in 1a.
1a) Google SecOps Forwarder:
Note: Ensure Google SecOps Forwarder is configured and running.
Select Add Destination: Google SecOps Forwarder
Key Configuration Fields:
| Field | Description |
| --- | --- |
| Export Type (Dropdown) | Method of export (Syslog or file) |
| Syslog Endpoint | Google SecOps Forwarder endpoint for syslog, with port number |
| Transport Protocol (Dropdown) | Transport protocol to use (TCP or UDP) |
Advanced Configuration:
| Field | Description |
| --- | --- |
| Syslog Timeout | Syslog timeout setting |
| Enable TLS | TLS for secure transmission (syslog) |
| TLS Certificate File | Path to the certificate file (for TLS) |
| TLS Private Key File | Path to the private key file (for TLS) |
Note: Advanced configurations are documented in the NE Bindplane Advanced Configuration guide.
Select Save.
24. For Google SecOps (Direct ingestion):
a. Follow the steps listed in 1b.
1b) Google SecOps (Direct ingestion)
Google SecOps (direct ingestion) supports two protocols:
- gRPC (legacy Ingestion API)
- HTTPS (Data Plane API, the more recent option)
Key Configuration Fields (gRPC):
| Field | Description |
| --- | --- |
| Name | Name for the SecOps destination (can be reused for additional deployments) |
| Protocol (Dropdown) | Ingestion protocol to use (gRPC or HTTPS, as listed above) |
| Endpoint | Regional endpoint to send logs to, e.g. malachiteingestion-pa.googleapis.com |
| Authentication Method (Dropdown) | Method used for authenticating to Google Cloud. The JSON credentials file can be downloaded from Google SecOps (SIEM Settings --> Collection Agents --> Ingestion Authentication File) |
| Fallback Log Type | Type of log to be sent to Google SecOps |
| Customer ID | Customer ID used for sending logs (found under Google SecOps SIEM Settings --> Profile --> Customer ID) |
Additional endpoint information:
https://cloud.google.com/chronicle/docs/reference/ingestion-api#regional_endpoints
Advanced Configuration:
| Field | Description |
| --- | --- |
| Namespace | User-configured environment namespace |
| Enable Retry on Failure | Initial interval, max interval, and max elapsed time |
| Enable Sending Queue | Number of consumers and queue size |
| Enable Persistent Queuing | Buffer telemetry data to disk before sending, so that data is not lost during network outages or collector restarts |
Once the configuration is completed, the Windows Demo Configuration appears on the Configurations page.
25. Add Agents: select Add Agent (one or multiple agents).
26. Select Start Rollout.
Once the rollout is completed, the Live Preview shows logs from the source being sent to the destination.
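The following PowerShell is an added example, not part of the Bindplane or Netenrich documentation: it confirms on a Windows host that the channels selected in the Windows Events source (the built-in logs from step 15 plus the custom channels named in step 18) exist and are enabled, because a missing or disabled channel produces no logs even when the collector is connected and the rollout succeeded. The channel list and the function name are my own assumptions.

```powershell
# Added example: verify the Windows Event channels chosen in the source exist and are
# enabled on this host. Channel names match the ones used in the steps above; the
# function and list are assumptions for illustration, not Bindplane tooling. Run elevated.
$Channels = @(
    'System', 'Application', 'Security',
    'Microsoft-Windows-PowerShell/Operational',
    'Microsoft-Windows-DNSServer/Audit'
)

function Test-EventChannel {
    param([string[]]$Names = $Channels)
    foreach ($name in $Names) {
        # -ListLog returns the channel's configuration without reading events;
        # a channel that does not exist (e.g. DNS Server role not installed) returns nothing.
        $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $log) {
            [pscustomobject]@{ Channel = $name; Present = $false; Enabled = $false; Records = 0
                               Note = 'not found: the feature or role providing this channel is not installed' }
            continue
        }
        $note = 'ok'
        if (-not $log.IsEnabled) { $note = 'disabled: enable with  wevtutil sl "<channel>" /e:true' }
        elseif (-not $log.RecordCount) { $note = 'enabled but empty: nothing will be forwarded yet' }
        [pscustomobject]@{
            Channel = $name
            Present = $true
            Enabled = $log.IsEnabled
            Records = $log.RecordCount
            Note    = $note
        }
    }
}

Test-EventChannel | Format-Table -AutoSize
```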
Note: Follow the Netenrich Bindplane Troubleshooting guide for additional rollout errors and troubleshooting.
Most errors indicate in the error code whether the issue lies with the Source or the Destination (e.g. the example below shows an issue with SecOps Direct Ingestion).
Example Deployment Error showing issue with SecOps Destination:
Update the configuration to v2 for advanced routing.
Under the configuration, select the Settings icon and select Upgrade to v2.
Note: Once upgraded, you cannot revert. We therefore recommend duplicating the configuration and testing the upgrade to v2 before moving it to production.