By January 2027, Google Security Operations will be deprecating the SecOps legacy forwarder and transitioning to OpenTelemetry (OTel) collectors with the Bindplane server as the official data ingestion method for the platform. This change is designed to provide our customers with a more robust, scalable, and manageable solution for collecting and ingesting log data, reflecting a new vendor approach that delivers better security controls. Please check out a quick guide the product team put together to help you navigate these new changes.
Quick SecOps Migration Guidelines
Moving from the SecOps (Chronicle’s) legacy forwarder to Bindplane is a pretty straightforward process. It offers a streamlined installation experience on Windows, deploying a native Windows service rather than the Docker container required by the legacy forwarder. Bindplane is built on the OpenTelemetry (OTel) Collector, a standardized, open-source framework for collecting and exporting telemetry data. This foundation makes it a powerful and flexible tool for your data ingestion needs. A Google-built OTel collector, which will support all the functionality of the Bindplane OTel collector, is scheduled to be available in January 2026.
Here are the high-level steps for your migration:
- Plan your implementation: Before you begin, you may want to take a look at your current data sources and forwarder configurations. Identify the types of logs you are ingesting and where they are located.
- Understand how Bindplane works:
  - Bindplane collector: An OTel-based agent that you can install on your on-premises or cloud environment to start collecting logs.
  - Bindplane server: Many Google Security Operations customers choose this option. This is a centralized platform for managing all of your collector deployments and configurations, which can be hosted in the cloud or self-hosted in your environment. This is the recommended way to deploy, and it does not cost the customer anything.
- Configure your Google environment: You will need to set up a service account with necessary IAM credentials to allow Bindplane to send data to your Google Security Operations instance.
- Install the Bindplane agent: This agent is extremely lightweight, and can be deployed with ease. You will need to install it on your source machine (Linux, Windows, etc).
- Create your own data pipeline: Using the Bindplane console is optional, but with it you can visually build and manage your own data pipeline, defining sources, processors and destinations (in this case, Google Security Operations). Note: Google Cloud Operations, GCS, and more are potential destinations. Please check out the GCO reference: https://cloud.google.com/stackdriver/bindplane
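As an added example (not configuration from this article, Google, or the Bindplane project), here is what the source, processor and destination steps above look like at the OpenTelemetry Collector level on a single Windows host: two Windows Event Log channels as sources, a filter and a batch processor, and Google Security Operations as the destination. The receiver and processor keys are the upstream OpenTelemetry contrib ones; the `chronicle` exporter keys (`creds_file_path`, `customer_id`, `log_type`, `namespace`), the key-file path, the customer ID and the filtered event ID are assumptions or placeholders, not values from the page.

```yaml
# Added example for this article: an OpenTelemetry Collector config for one
# Windows host. Not a configuration shipped by Google or Bindplane; the
# chronicle exporter keys and every path/ID below are assumptions/placeholders.
receivers:
  # Source: the Windows Security and System channels, read natively by the
  # agent (no NXLog relay, no Docker). raw: true forwards the event XML
  # unchanged so the Google SecOps WINEVTLOG parser receives it as-is.
  windowseventlog/security:
    channel: Security
    start_at: end          # on first start, do not replay the entire channel
    raw: true
  windowseventlog/system:
    channel: System
    start_at: end
    raw: true

processors:
  # Processor: drop events you have decided not to retain before they leave
  # the host. Event ID 5156 (Windows Filtering Platform permitted a
  # connection) is a stand-in for "very high volume and already covered by
  # flow data elsewhere"; choose IDs from your own detection coverage review.
  filter/drop_noise:
    error_mode: ignore
    logs:
      log_record:
        - 'IsMatch(body, "<EventID>5156</EventID>")'
  # Batch to reduce the number of ingestion requests.
  batch:
    send_batch_size: 1000
    timeout: 5s

exporters:
  # Destination: Google Security Operations, via the chronicle exporter that
  # ships with the Bindplane collector distribution (key names assumed).
  chronicle/winevt:
    # Service-account key created in the "Configure your Google environment"
    # step; restrict NTFS permissions on it to the collector service account.
    creds_file_path: 'C:\ProgramData\observIQ\otel\secops-sa.json'   # placeholder path
    customer_id: 00000000-0000-0000-0000-000000000000                # placeholder customer ID
    log_type: WINEVTLOG
    namespace: corp-windows                                          # assumed asset namespace

service:
  pipelines:
    logs/windows:
      receivers: [windowseventlog/security, windowseventlog/system]
      processors: [filter/drop_noise, batch]
      exporters: [chronicle/winevt]
```

The filter runs on the host, so anything it drops never counts toward ingestion; keep the condition list under change control, because a filter that is too broad silently removes evidence you may need in an investigation.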
Top 5 Use Cases Comparison Between Forwarder and Bindplane
| Use Case | SecOps Legacy Forwarder | Bindplane |
| --- | --- | --- |
| Linux and Windows event log collection | Linux log collection is typically handled by having the forwarder ingest logs from the native Linux logging service, like Syslog or rsyslog. Collecting Windows event logs with the forwarder often involves an intermediary log collection agent, like NXLog, due to the structured nature of Windows Event Logs. | The Bindplane agent provides a unified and centrally managed approach. For Windows Event Logs, you can easily configure the agent to collect from various channels like Application, System, and Security. For Linux, the agent can be configured to ingest logs from syslog, files, and more, all from a single management console. You can learn more about configuring Bindplane through our guide here. |
| Data filtering and transformation | The SecOps forwarder provides basic log filtering capabilities, but no data transformation. Its primary function is to collect and securely forward raw logs to Google Security Operations for parsing and analysis. Filtering is managed through the forwarder's configuration file, which allows you to discard unwanted logs before they are ingested. | Bindplane offers two editions especially for Google: Bindplane (Google Edition) and Bindplane Enterprise (Google Edition). The main difference between the two is the level of advanced data control and routing capabilities. While the standard Google Edition, available to all Google Security Operations customers, provides core functionality for collecting and shipping data to Google destinations, the Enterprise Edition, exclusive to Enterprise Plus customers, offers more sophisticated features. This includes advanced filtering, PII masking, and data deduplication to help reduce ingestion costs and ensure compliance. The Enterprise Edition also provides a unique, limited capability to route data to one non-Google destination for up to 12 months, which is particularly useful for customers in the process of migrating from a different SIEM. |
| Database log ingestion | A SecOps forwarder ingests database logs by first collecting them from the source database and then forwarding them to Google Security Operations. This process often involves an intermediary log collection agent that can read logs from the database and send them in a compatible format to the forwarder. | Bindplane has a dedicated SQL Query source that allows you to directly connect to and query a wide range of databases, including Postgres, MySQL, Snowflake, SQL Server, and Oracle. This simplifies the process of ingesting audit logs, security events, and other telemetry from your database instances directly into Google Security Operations. Learn more in the SQL Query documentation. |
| Packet capture (PCAP) data | To enable PCAP forwarding, the forwarder's configuration file requires specific settings to define the network interfaces to be monitored and how the captured data should be handled. This typically involves specifying the interface name or a path to a PCAP file or directory of PCAP files if you are processing existing captures. | Bindplane, built on OpenTelemetry, can be configured to listen on a TCP port and ingest raw data streams, which can include PCAP data. This capability allows for more comprehensive network analysis within Google Security Operations, as the agent can be configured to handle raw data and apply necessary transformations. See the TCP source documentation for details. |
| Splunk SPL (HTTP Event Collector) | A SecOps forwarder can be configured to query a Splunk instance using Splunk Processing Language (SPL). It doesn't simply receive data from Splunk's HTTP Event Collector (HEC) as a passive receiver. Instead, it actively runs SPL queries on a configurable time interval to pull specific, filtered data from your Splunk indexes. While the forwarder can execute basic queries, it lacks the ability to handle more advanced commands, functions, and joins that are essential for complex data manipulation and enrichment within Splunk. | The Bindplane agent can act as a Splunk HEC listener. This allows the agent to receive data from the Splunk collection pipeline, process it as needed, and then route the results to Google Security Operations for further analysis. This feature provides a more efficient and targeted approach to data migration and ensures you can leverage your existing investment in Splunk while seamlessly transitioning to a more flexible and scalable security data strategy. Read more details here. |
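To make the comparison concrete, here is an added example (written for this article, not code from Google or the Bindplane project) of one Linux collection host configured with the four Bindplane source types from the table: syslog, a SQL query against a Postgres audit table, a raw TCP listener, and a Splunk HEC listener, each routed to its own Google Security Operations exporter instance so that each feed carries its own log type. The receiver keys are the upstream OpenTelemetry contrib ones (that the Bindplane SQL Query, TCP and Splunk HEC sources wrap these receivers is an assumption); the `chronicle` exporter keys, hostnames, ports, credentials, certificate paths and log-type labels are assumptions or placeholders.

```yaml
# Added example for this article: an OpenTelemetry Collector config for a
# Linux collection host. Not shipped by Google or Bindplane; hostnames, ports,
# credentials, certificate paths, log types and exporter keys are placeholders
# or assumptions.
receivers:
  # Linux event log row: syslog (RFC 5424) over TLS-protected TCP. The
  # collector is listening on the network, so it presents a certificate.
  syslog:
    tcp:
      listen_address: 0.0.0.0:6514
      tls:
        cert_file: /etc/otel/certs/collector.crt   # placeholder
        key_file: /etc/otel/certs/collector.key    # placeholder
    protocol: rfc5424

  # Database log ingestion row: poll a Postgres audit table directly.
  # tracking_column makes each poll return only rows beyond the last id seen,
  # so a restart does not re-ingest history. Use a read-only database role.
  sqlquery/pg_audit:
    driver: postgres
    datasource: "host=db.example.internal port=5432 user=secops_reader password=${env:PG_AUDIT_PASSWORD} dbname=audit sslmode=require"
    collection_interval: 60s
    queries:
      # $$1 is the tracking placeholder ($1 for Postgres; the doubled $
      # escapes it from the collector's own environment-variable expansion).
      - sql: "SELECT id, logged_at, event_json FROM audit_log WHERE id > $$1 ORDER BY id"
        tracking_column: id
        tracking_start_value: "0"
        logs:
          - body_column: event_json

  # Packet capture (PCAP) row: raw TCP listener for a sensor that pushes
  # captured data as newline-delimited records (tcplog splits on newlines).
  tcplog:
    listen_address: 0.0.0.0:9000

  # Splunk HEC row: receive what your Splunk pipeline already sends to an HEC
  # endpoint, over TLS, instead of polling Splunk with scheduled SPL queries.
  splunk_hec:
    endpoint: 0.0.0.0:8088
    tls:
      cert_file: /etc/otel/certs/collector.crt   # placeholder
      key_file: /etc/otel/certs/collector.key    # placeholder

processors:
  batch:
    send_batch_size: 1000
    timeout: 5s

exporters:
  # One exporter instance per feed so each carries its own SecOps log type.
  # Exporter key names assumed from the Bindplane collector distribution.
  chronicle/syslog:
    creds_file_path: /etc/otel/secops-sa.json                # placeholder
    customer_id: 00000000-0000-0000-0000-000000000000        # placeholder
    log_type: SYSLOG_LOG_TYPE_PLACEHOLDER                    # replace with the SecOps log type for this feed
  chronicle/db:
    creds_file_path: /etc/otel/secops-sa.json
    customer_id: 00000000-0000-0000-0000-000000000000
    log_type: DB_AUDIT_LOG_TYPE_PLACEHOLDER
  chronicle/pcap:
    creds_file_path: /etc/otel/secops-sa.json
    customer_id: 00000000-0000-0000-0000-000000000000
    log_type: PCAP_LOG_TYPE_PLACEHOLDER
  chronicle/splunk:
    creds_file_path: /etc/otel/secops-sa.json
    customer_id: 00000000-0000-0000-0000-000000000000
    log_type: SPLUNK_LOG_TYPE_PLACEHOLDER

service:
  pipelines:
    logs/syslog:
      receivers: [syslog]
      processors: [batch]
      exporters: [chronicle/syslog]
    logs/db:
      receivers: [sqlquery/pg_audit]
      processors: [batch]
      exporters: [chronicle/db]
    logs/pcap:
      receivers: [tcplog]
      processors: [batch]
      exporters: [chronicle/pcap]
    logs/splunk:
      receivers: [splunk_hec]
      processors: [batch]
      exporters: [chronicle/splunk]
```

Two points a reviewer would check before deploying this: the listening receivers (syslog, tcplog, splunk_hec) should be reachable only from the senders you expect, via host firewall rules as well as TLS, and the database credential should come from the environment or a secret store rather than being written into the file, which is why the datasource above uses `${env:PG_AUDIT_PASSWORD}`.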
Ready to make the switch? Start your migration to Bindplane now by reviewing our comprehensive documentation on migrating to Bindplane and the Google SecOps Onboarding guide.