# Collect BMC Helix Discovery logs

Supported in: Google SecOps [SIEM](/chronicle/docs/secops/google-secops-siem-toc)

**Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).

This parser extracts fields from BMC Helix Discovery syslog messages using grok patterns. It focuses on login/logout events and status updates. It maps extracted fields like timestamps, usernames, source IPs, and descriptions to the UDM. Events are categorized based on the extracted `product_event_type` and log details.
Before you begin
----------------

- Ensure that you have a Google Security Operations instance.
- Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
- If running behind a proxy, ensure firewall [ports](/chronicle/docs/ingestion/use-bindplane-agent#verify_the_firewall_configuration) are open.
- Ensure that you have privileged access to the BeyondTrust instance.

Get Google SecOps ingestion authentication file
-----------------------------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Collection Agents**.
3. Download the **Ingestion Authentication File**.

Get Google SecOps customer ID
-----------------------------

1. Sign in to the Google SecOps console.
2. Go to **SIEM Settings > Profile**.
3. Copy and save the **Customer ID** from the **Organization Details** section.

Install Bindplane Agent
-----------------------

1. For **Windows installation**, run the following script:
   `msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet`
2. For **Linux installation**, run the following script:
   `sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh`
3. Additional installation options can be found in this [installation guide](/chronicle/docs/ingestion/use-bindplane-agent#install_the_bindplane_agent).
Configure Bindplane Agent to ingest Syslog and send to Google SecOps
--------------------------------------------------------------------

1. Access the machine where Bindplane is installed.
2. Edit the `config.yaml` file as follows:

   ```yaml
   receivers:
     tcplog:
       # Replace the below port <54525> and IP <0.0.0.0> with your specific values
       listen_address: "0.0.0.0:54525"

   exporters:
     chronicle/chronicle_w_labels:
       compression: gzip
       # Adjust the creds location below according to the placement of the credentials file you downloaded
       creds: '{ json file for creds }'
       # Replace <customer_id> below with your actual ID that you copied
       customer_id: <customer_id>
       endpoint: malachiteingestion-pa.googleapis.com
       # You can apply ingestion labels below as preferred
       ingestion_labels:
         log_type: SYSLOG
         namespace: BMC_HELIX_DISCOVERY
         raw_log_field: body

   service:
     pipelines:
       logs/source0__chronicle_w_labels-0:
         receivers:
           - tcplog
         exporters:
           - chronicle/chronicle_w_labels
   ```

3. Restart the Bindplane Agent to apply the changes:

   ```
   sudo systemctl restart bindplane
   ```
Export Syslog from BMC Helix Discovery
--------------------------------------

1. Access the BMC Discovery instance as a **root user**.
2. Edit the **syslog configuration** file: `/etc/rsyslog.conf`
3. Add the following entry at the top: `# Send everything to the remote syslog server`.
4. Replace the IP address with that of your syslog server:

   ```
   # Send everything to the remote syslog server
   *.* @192.168.1.100
   ```

5. Restart the syslog service on the appliance:

   ```
   sudo /usr/bin/systemctl restart rsyslog.service
   ```

6. Test the forwarding configuration.
7. Use the logger utility to send a syslog message:

   ```
   logger this is a test of remote logging
   ```

8. Verify this has been logged:

   ```
   su -
   Password:

   tail -n5 /var/log/messages
   Jan 17 11:42:10 localhost seclab: this is a test of remote logging
   ```

9. Sign in to Google SecOps and check that the same messages appear.
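The `logger` check above only shows that the appliance's own rsyslog wrote the line to `/var/log/messages`; it does not show that the line reached the Bindplane receiver. Two details are worth checking when it does not: in rsyslog a single `@` forwards over UDP to port 514 (`@@host:port` selects TCP), while the receiver configured earlier is `tcplog` on TCP port 54525. The following script is an added example, not part of the original page and not Bindplane or BMC code: it builds a BSD-syslog line of the same shape `logger` produces and sends it straight to the collector over TCP, so the collector side can be tested independently of the rsyslog configuration. The collector host, port and the `seclab` tag are assumptions for the example.

```python
import datetime
import socket
import sys
from typing import Optional

# Values assumed for this example: the collector address used in the rsyslog
# step and the tcplog port from config.yaml. Replace them with your own.
COLLECTOR_HOST = "192.168.1.100"
COLLECTOR_PORT = 54525
# Fixed timestamp so the frame builder can be checked deterministically.
EXAMPLE_TIME = datetime.datetime(2025, 1, 17, 11, 42, 10)

# RFC 3164 facility/severity codes that `logger` uses by default (user.notice).
FACILITY_USER = 1
SEVERITY_NOTICE = 5


def syslog_frame(message: str, hostname: str = "discovery", tag: str = "seclab",
                 facility: int = FACILITY_USER, severity: int = SEVERITY_NOTICE,
                 now: Optional[datetime.datetime] = None) -> bytes:
    """Build one BSD-style syslog line: <PRI>MMM dd HH:MM:SS host tag: message.

    The trailing newline matters: the tcplog receiver splits the TCP stream on
    newlines, so a frame without one is held until the next line arrives.
    """
    if "\n" in message or "\r" in message:
        # A line break inside the message would be read as a second frame.
        raise ValueError("message must be a single line")
    now = now or datetime.datetime.now()
    pri = facility * 8 + severity
    # RFC 3164 pads a single-digit day with a space, not a zero.
    timestamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}\n".encode("utf-8")


def send_test_message(message: str, host: str = COLLECTOR_HOST,
                      port: int = COLLECTOR_PORT, timeout: float = 5.0) -> int:
    """Send one frame over TCP to the collector and return the bytes written.

    A refused connection here means nothing is listening on that port
    (wrong port, agent not restarted, or a firewall in the way).
    """
    frame = syslog_frame(message)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    text = " ".join(sys.argv[1:]) or "this is a test of remote logging"
    try:
        sent = send_test_message(text)
        print(f"sent {sent} bytes to {COLLECTOR_HOST}:{COLLECTOR_PORT}")
    except OSError as exc:
        print(f"delivery failed: {exc}", file=sys.stderr)
        sys.exit(1)
```

After running it, the same text should appear in Google SecOps under the `BMC_HELIX_DISCOVERY` namespace; if it does while the `logger` message does not, the problem is in the rsyslog forwarding line rather than in the collector.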
UDM Mapping Table
-----------------

| Log Field | UDM Mapping | Logic |
|---|---|---|
| data | metadata.description | The description of the event, extracted from the log message. |
| data | metadata.product_event_type | The raw event type, extracted from the log message. |
| data | principal.ip | The source IP address, extracted from the description field in the log message. |
| data | security_result.summary | A summary of the event, extracted from the log message. |
| data | target.user.userid | The username, extracted from the log message. |
|  |  | An empty object is created by the parser. |
|  |  | Copied from the top-level timestamp field in the raw log. |
|  |  | Determined by the parser based on product_event_type and desc fields. If product_event_type is "logon" or desc contains "logged on", it's set to "USER_LOGIN". If product_event_type is "logoff" or desc contains "logged off", it's set to "USER_LOGOUT". Otherwise, if src_ip is present, it's set to "STATUS_UPDATE". Defaults to "GENERIC_EVENT". |
|  |  | Hardcoded to "BMC_HELIX_DISCOVERY". |
|  |  | Hardcoded to "BMC_HELIX_DISCOVERY". |
|  |  | Hardcoded to "BMC_HELIX_DISCOVERY". |

(The log field and UDM field names for the last six rows are not captured on this page.)
Last updated 2025-08-29 UTC.

**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)