Question

Best practice for ingesting on-prem AD logs into Google SecOps ?

  • April 29, 2026
  • 1 reply
  • 18 views

melissagr

Hi everyone,

I’m working on a POC to ingest on-prem Active Directory logs into Google SecOps.

Our current architecture is based on a central Azure VM running a Bindplane agent (Linux), which already collects logs via syslog (firewalls, M365, etc.).

For AD logs, since they are not natively sent via syslog, I’m evaluating options like Windows Event Forwarding (WEF) from the Domain Controller to a collector VM.

Given that our current collector is Linux-based, I’m trying to understand the best practice here:

Is it recommended to introduce a Windows-based collector (for WEF / Windows Event Logs) alongside the existing Linux pipeline?
Or is there a way to integrate AD logs efficiently into a Linux-based ingestion architecture without losing data quality?

Any feedback or real-world architecture examples would be greatly appreciated.

Thanks

1 reply

dnehoda
Staff
  • April 29, 2026

Hello, 

 

The Linux OS should not be a problem for the ingestion of Windows logs.

The best bet for you is to either install a Bindplane agent on the on-prem AD server or use WEF / WEC.

But you need an intermediary server for the WEC.

Stick with your Linux VM for the high-volume syslog traffic, but deploy a single Windows Event Collector (WEC). Use a Group Policy Object (GPO) to tell your DCs to "push" logs to that WEC. Install the Bindplane agent on that Windows WEC to ship the final product to Google.
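A concrete version of the WEC step in the reply, as an added example rather than anything posted in this thread: a PowerShell script run once, elevated, on the Windows Event Collector. It creates a source-initiated subscription that accepts only domain controllers, pulls a subset of Security events into the ForwardedEvents channel (the channel the Bindplane agent on the WEC then reads instead of Security), and lists the two DC-side GPO settings that have to exist before anything arrives. The hostname wec01.corp.example, the subscription name AD-DC-Security and the event ID list are assumptions made for the example.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the WEC.
# Assumed names: WEC host wec01.corp.example, subscription AD-DC-Security.
$ErrorActionPreference = 'Stop'

# 1. WEF rides on WS-Management (WinRM, TCP 5985). Enable the listener and
#    configure the Windows Event Collector service (qc sets it to delayed
#    automatic start).
winrm quickconfig -q
wecutil qc /q

# 2. Source-initiated subscription. AllowedSourceDomainComputers is an SDDL
#    string; DD is the well-known Domain Controllers group, so only DCs can
#    register. TransportName=HTTP means WS-Man on 5985 with Kerberos
#    message-level encryption inside the domain, not plaintext. The event IDs
#    are an illustrative subset (logons, Kerberos, account and group changes,
#    privileged logon, directory object access), not a complete AD audit baseline.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-DC-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>DC Security log forwarded to the WEC for the Bindplane agent</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4768 or EventID=4769 or EventID=4771 or EventID=4776 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4756 or EventID=4662 or EventID=4672)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
"@
$xmlPath = Join-Path $env:TEMP 'AD-DC-Security.xml'
Set-Content -Path $xmlPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $xmlPath

# 3. DC side (applied by GPO; shown here only so the dependency is visible):
#    a) Computer Configuration > Administrative Templates > Windows Components >
#       Event Forwarding > "Configure target Subscription Manager", which writes
#       HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
#       with the value
#       Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60
#    b) The forwarder runs as NETWORK SERVICE, which cannot read the Security
#       log by default. Either add it to Event Log Readers on the DCs or set
#       Event Log Service > Security > "Configure log access" to the log's
#       default SDDL plus (A;;0x1;;;NS). Without (b) a DC registers with the
#       WEC but forwards nothing, which is the classic silent WEF failure.

# 4. Checks on the WEC: subscription config, runtime status per source DC
#    (populated after the DCs' next Group Policy refresh), and events arriving.
wecutil gs AD-DC-Security
wecutil gr AD-DC-Security
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, Id, MachineName, ProviderName
```

Two things to keep straight when the Bindplane agent goes on this box: its Windows event source must be pointed at ForwardedEvents, not Security, or you will ship the collector's own local log instead of the DCs'; and ContentFormat RenderedText makes each DC render the message text before sending, which is what most downstream parsers expect but costs CPU on the DCs, so with many DCs the raw Events format is the cheaper option on the forwarders and the wire.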