
Hi all,

I find BindPlane Agent and BindPlane OP a great solution to manage log collection process.

I have an issue with the auditd log: the agent sent the data without any information about the host that generated the log. So, inside the Google SecOps SIEM, I cannot understand which server sent that log.

I use the file receiver to read the /var/log/audit/audit.log file and the chronicle exporter to send it to the SIEM.

Has anyone had the same issue?

Thank you all.

Best,

Matteo

You will want to edit your Auditd config file to include the hostname. You should be able to do that by adding the following line to /etc/audit/auditd.conf then restart the auditd service:

name_format = hostname

ref: https://man7.org/linux/man-pages/man5/auditd.conf.5.html#:~:text=a%20space%20check.-,name_format,-This%20option%20controls
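An added example (not from the thread or from the BindPlane project) of applying that change safely: the stock auditd.conf already ships with `name_format = none`, so the line has to be replaced rather than appended, otherwise auditd sees a duplicate key. With the setting in place, each record auditd writes begins with `node=<hostname>`, which is the field the collector forwards. The function names and the sample config fragment are my own.

```shell
# Added example (not from the original thread). Idempotently set name_format in
# an auditd.conf file; "name_format = none" is present in the stock file, so the
# key is rewritten in place when found and appended only when absent.
# Usage: set_auditd_name_format /etc/audit/auditd.conf hostname

set_auditd_name_format() {
    conf="$1"
    value="${2:-hostname}"
    if grep -Eq '^[[:space:]]*name_format[[:space:]]*=' "$conf"; then
        # Key present (e.g. "name_format = none"): rewrite it in place,
        # keeping the file's owner and mode by writing through cat.
        tmp="$(mktemp)" || return 1
        sed -E "s/^[[:space:]]*name_format[[:space:]]*=.*/name_format = ${value}/" "$conf" > "$tmp" \
            && cat "$tmp" > "$conf"
        rm -f "$tmp"
    else
        # Key absent: append it.
        printf 'name_format = %s\n' "$value" >> "$conf"
    fi
    # Succeed only if exactly one line now carries the requested value.
    [ "$(grep -Ec "^name_format = ${value}\$" "$conf")" -eq 1 ]
}

# Read back the value as auditd would parse it (last definition wins).
get_auditd_name_format() {
    sed -nE 's/^[[:space:]]*name_format[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | tail -n 1
}

# Constructed sample config (a fragment of the stock file) for a dry run
# without touching /etc/audit/auditd.conf or needing root.
demo_auditd_conf() {
    f="$(mktemp)"
    printf 'log_file = /var/log/audit/audit.log\nname_format = none\nmax_log_file = 8\n' > "$f"
    printf '%s\n' "$f"
}

# After editing the real file, restart the daemon so it re-reads the config:
#   service auditd restart
# (on RHEL-family systems "systemctl restart auditd" is refused by the unit;
# use the service script or "auditctl" as documented for that distribution).
```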


Hi @ottimo we just embedded our Bindplane and Data Pipeline Management webinar. Check it out here. Hopefully it helps with some of your other use cases as you leverage these features.

