Collect Cisco Wireless Security Management (WiSM) logs
Supported in: Google SecOps SIEM
Note: This feature is covered by the Pre-GA Offerings Terms of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the Google SecOps Technical Support Service guidelines and the Google SecOps Service Specific Terms.
This document explains how to ingest Cisco Wireless Security Management (WiSM)
logs into Google Security Operations using Bindplane. The parser extracts fields from
the syslog messages, maps them to the Unified Data Model (UDM), and categorizes
events based on the cisco_mnemonic field. It handles event types such as
logins, logouts, network connections, and status updates, extracting
information such as usernames, IP addresses, MAC addresses, and security details.
Before you begin
Make sure you have the following prerequisites:
Google SecOps instance
A Windows 2016 or later host, or a Linux host with systemd
If running behind a proxy, ensure the required firewall ports are open
Privileged access to the Cisco Wireless LAN Controller (WLC)
Get Google SecOps ingestion authentication file
Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Save the file securely on the system where the Bindplane agent will be installed.
Get Google SecOps customer ID
Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according
to the following instructions.
Windows installation
Open the Command Prompt or PowerShell as an administrator.
Run the following command:
    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
Linux installation
Open a terminal with root or sudo privileges.
Run the following command:
    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
Additional installation resources
For additional installation options, consult the installation guide.
Configure the Bindplane agent to ingest Syslog and send to Google SecOps
Access the configuration file:
Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/
directory on Linux or in the installation directory on Windows.
Open the file using a text editor (for example, nano, vi, or Notepad).
Edit the config.yaml file as follows:
    receivers:
      udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

    exporters:
      chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        log_type: 'CISCO_WSM'
        raw_log_field: body
        ingestion_labels:

    service:
      pipelines:
        logs/source0__chronicle_w_labels-0:
          receivers:
            - udplog
          exporters:
            - chronicle/chronicle_w_labels
Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual customer ID.
Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.
Keep in mind that the udplog receiver accepts unauthenticated, unencrypted UDP syslog from any host that can reach the port, so anything that can send to it can inject fabricated events into Google SecOps. Where possible, set listen_address to the address of the interface that faces the controller rather than 0.0.0.0, and restrict the port with a firewall rule so that only the WLC's IP address is accepted. On Linux, binding to port 514 requires root or CAP_NET_BIND_SERVICE by default. The ingestion authentication file is a credential: restrict its permissions to the account the agent runs as (for example, chmod 600 on Linux).
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux, run the following command:
    sudo systemctl restart bindplane-agent
To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:
    net stop BindPlaneAgent && net start BindPlaneAgent
Configure Syslog on Cisco WiSM
Sign in to the Cisco Wireless LAN Controller web UI.
Go to Management > Logs > Config.
Enter the Bindplane agent IP address in the Syslog Server IP Address field.
Click Add.
Provide the following configuration details:
Syslog Severity: Select Informational.
Syslog Facility: Select Local Use 0.
Buffered Log Level: Select Informational - Severity level 6.
Console Log Level: Select Informational - Severity level 6.
Select the File Info checkbox to include information about the source file.
Select the Proc Info checkbox to include process information.
Select the Trace Info checkbox to include trace back information.
Click Apply.
Click Save Configuration.
UDM mapping table
Log Field | UDM Mapping | Logic
--- | --- | ---
cisco_facility | principal.resource.type | Extracted from the cisco_tag field using grok.
cisco_message | metadata.description | The original message from the raw log.
cisco_tag | metadata.product_event_type | The tag from the raw log, containing facility, severity, and mnemonic.
database | security_result.detection_fields.value | When present, the key is set to "Database".
hostname | intermediary.hostname | When present.
intermediary_ip | intermediary.ip | The IP address of the intermediary device.
principal_hostname | principal.hostname | When present.
principal_ip | principal.ip | When present.
principal_mac | principal.mac | When present. Formatted to colon-separated hexadecimal.
principal_port | principal.port | When present. Converted to integer.
principal_process_id | principal.process.pid | When present.
profile | security_result.detection_fields.value | When present, the key is set to "Profile".
reason_message | security_result.summary | When present. Sometimes also used for security_result.description.
target_ip | target.ip | When present.
target_mac | target.mac | When present.
terminal | target.hostname | When present.
tls_local_ip | security_result.detection_fields.value | When present, the key is set to "TLS local".
tls_remote | security_result.detection_fields.value | When present, the key is set to "TLS Remote".
username | principal.user.userid (or target.user.userid in logout events) | When present.
The parser also populates UDM fields that have no source log field. The Logic column for those rows is:
Set to "MECHANISM_UNSPECIFIED" in certain cases by parser logic.
Set to "MACHINE" for login/logout events by parser logic.
Copied from the batch create_time.
Determined by parser logic based on cisco_mnemonic and other fields.
Set to "CISCO_WSM" by parser logic (three fields).
Set to "BROADCAST" for specific events by parser logic.
Set to "UDP" for specific events by parser logic.
When present.
Set to "ALLOW" or "BLOCK" for specific events by parser logic.
Set to "AUTH_VIOLATION" for specific events by parser logic.
Set for specific events by parser logic, sometimes using reason_message (two fields).
Derived from cisco_severity by parser logic (two fields).
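The following Python is an added example, not the Google SecOps parser and not code from this page. It ties the mapping table to the controller and agent settings above: it constructs two sample WLC syslog lines in the <PRI>hostname: *task: timestamp: %FACILITY-SEVERITY-MNEMONIC: message shape, splits the cisco_tag into cisco_facility, cisco_severity and cisco_mnemonic, normalizes a MAC address to colon-separated hex and a port to an integer as the table describes, checks that the PRI value matches the Local Use 0 / Informational settings selected on the controller, and frames a test datagram that can be sent to the agent's udplog port to verify the pipeline end to end. The grok-like regular expression, the message-body extraction patterns, the severity bucketing, the sample lines and the agent address are assumptions of this example, not the published parser logic; the output keys only borrow the UDM names from the table.

```python
import re
import socket
from datetime import datetime, timezone
from typing import Optional

# Facility and severity selected in "Configure Syslog on Cisco WiSM" (Local Use 0, Informational).
# RFC 3164 syslog: PRI = facility * 8 + severity, so local0.info is <134>.
SYSLOG_FACILITY_LOCAL0 = 16
SYSLOG_SEVERITY_INFORMATIONAL = 6

# Constructed sample lines (assumption, not captured from a real controller) in the
# AireOS shape: <PRI>hostname: *task: Mon dd hh:mm:ss.mmm: %FACILITY-SEV-MNEMONIC: message
SAMPLE_LINES = [
    "<134>wlc-01: *emWeb: Mar 05 10:21:33.417: %AAA-6-LOGIN_SUCCESS: "
    "Login succeeded for user admin from 10.0.0.25 port 443",
    "<132>wlc-01: *apfMsConnTask_0: Mar 05 10:22:01.009: %APF-4-AUTH_VIOLATION: "
    "Client 0011.2233.4455 failed 802.1X authentication on AP ap-lobby",
]

# Assumed approximation of the parser's grok; the real pattern is not published on this page.
_LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<hostname>[^:\s]+):\s+"
    r"(?:\*(?P<task>[^:\s]+):\s+)?"
    r"(?P<timestamp>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?):\s+"
    r"(?P<cisco_tag>%(?P<cisco_facility>[A-Z0-9_]+)-(?P<cisco_severity>[0-7])-(?P<cisco_mnemonic>[A-Z0-9_]+)):\s+"
    r"(?P<cisco_message>.*)$"
)
# Assumed message-body patterns: MAC in any common spelling, "from <ip> port <n>", "user <name>".
_MAC_RE = re.compile(r"(?i)\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b|\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b")
_SRC_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port (?P<port>\d{1,5}))?")
_USER_RE = re.compile(r"\buser (?P<user>\S+)")
# Assumed bucketing; the page only says severity is derived from cisco_severity.
_SEVERITY = {0: "CRITICAL", 1: "CRITICAL", 2: "CRITICAL", 3: "HIGH",
             4: "MEDIUM", 5: "LOW", 6: "INFORMATIONAL", 7: "INFORMATIONAL"}


def normalize_mac(raw: str) -> str:
    """Rewrite aabb.ccdd.eeff / AA-BB-CC-DD-EE-FF / aabbccddeeff as colon-separated lowercase hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_cisco_wsm_line(line: str) -> dict:
    """Split one WLC syslog line into the fields named in the UDM mapping table."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised WLC syslog line: {line!r}")
    pri = int(m["pri"])
    cisco_severity = int(m["cisco_severity"])
    event = {
        "syslog_facility": pri // 8,
        "syslog_severity": pri % 8,
        "intermediary.hostname": m["hostname"],
        "metadata.product_event_type": m["cisco_tag"],
        "cisco_facility": m["cisco_facility"],
        "cisco_severity": cisco_severity,
        "cisco_mnemonic": m["cisco_mnemonic"],
        "metadata.description": m["cisco_message"],
        "security_result.severity": _SEVERITY[cisco_severity],
    }
    msg = m["cisco_message"]
    if mac := _MAC_RE.search(msg):
        event["principal.mac"] = normalize_mac(mac.group(0))
    if src := _SRC_RE.search(msg):
        event["principal.ip"] = src["ip"]
        if src["port"]:
            event["principal.port"] = int(src["port"])  # table: converted to integer
    if user := _USER_RE.search(msg):
        event["principal.user.userid"] = user["user"]
    return event


def is_forwarded_by_wlc_config(event: dict) -> bool:
    """True if the controller settings above (local0, Informational or more severe) would emit this line."""
    return (event["syslog_facility"] == SYSLOG_FACILITY_LOCAL0
            and event["syslog_severity"] <= SYSLOG_SEVERITY_INFORMATIONAL)


def build_cisco_wsm_datagram(hostname: str, cisco_facility: str, severity: int, mnemonic: str,
                             message: str, when: Optional[datetime] = None) -> bytes:
    """Frame a test event the way the controller would, for sending to the udplog receiver."""
    if not 0 <= severity <= 7:
        raise ValueError("syslog severity must be 0..7")
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%b %d %H:%M:%S.") + f"{when.microsecond // 1000:03d}"
    pri = SYSLOG_FACILITY_LOCAL0 * 8 + severity
    return f"<{pri}>{hostname}: *testTask: {stamp}: %{cisco_facility}-{severity}-{mnemonic}: {message}".encode()


def send_test_event(datagram: bytes, agent_host: str, agent_port: int = 514) -> int:
    """Send the datagram to the Bindplane udplog listener. UDP gives no acknowledgement,
    so confirm arrival by searching for the mnemonic in Google SecOps."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (agent_host, agent_port))


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_cisco_wsm_line(sample))
    test = build_cisco_wsm_datagram("wlc-test", "AAA", SYSLOG_SEVERITY_INFORMATIONAL, "LOGIN_SUCCESS",
                                    "Login succeeded for user tester from 192.0.2.10 port 443")
    print(parse_cisco_wsm_line(test.decode()))
    # send_test_event(test, "192.0.2.50")  # assumed agent address; uncomment to exercise the receiver
```

The round trip through build_cisco_wsm_datagram and parse_cisco_wsm_line is the useful check: if a test event framed with the facility and severity chosen on the controller does not show up under log type CISCO_WSM after you send it to the agent, the problem is between the WLC, the listen_address and the exporter credentials, not in the parser.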
Need more help? Get answers from Community members and Google SecOps professionals at https://security.googlecloudcommunity.com/google-security-operations-2
Last updated 2025-08-29 UTC.