I have installed the BindPlane agent on a Windows server to ingest Windows logs and listen on port 514 for firewall logs, then ingest them into Google SecOps SIEM.

The Windows log ingestion is working correctly, but the firewall log ingestion is not.

Can someone check my configuration file?

 

receivers:
  windowseventlog/source0__security:
    attributes:
      log_type: windows_event.security
    channel: security
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
  udplog/source0_firewall:
    add_attributes: true
    async:
      max_queue_length: 100
      processors: 3
      readers: 1
    listen_address: 0.0.0.0:514
    operators:
      - field: attributes.log_type
        type: add
        value: udp

exporters:
  chronicle/chronicle_w0_labels:
    compression: gzip
    creds: ''
    customer_id: xyz
    endpoint: asia-south1-malachiteingestion-pa.googleapis.com
    ingestion_labels:
      env: dev
    log_type: FORTINET_FIREWALL
    namespace: TEST_FORTINET_FIREWALL
    raw_log_field: body

  chronicle/chronicle_w1_labels:
    compression: gzip
    creds: ''
    customer_id: xyz
    endpoint: asia-south1-malachiteingestion-pa.googleapis.com
    ingestion_labels:
      env: dev
    log_type: WINEVTLOG
    namespace: TEST_WINDOWS
    raw_log_field: body

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - windowseventlog/source0__security
      exporters:
        - chronicle/chronicle_w1_labels
    logs/source0_firewall__chronicle_w_labels-0:
      receivers:
        - udplog/source0_firewall
      exporters:
        - chronicle/chronicle_w0_labels

Also note that I have checked the listening port using netstat -ano, which shows that port 514 is being listened on by a service related to observIQ.
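A bound socket only proves the udplog receiver started; it does not prove a datagram from the firewall can reach it. The following PowerShell is an added example (not code from the original post, and not from BindPlane or observIQ) that checks the three things a practitioner would check on the Windows server in turn: which process owns UDP 514, whether Windows Defender Firewall has an enabled inbound Allow rule for it, and whether a synthetic syslog datagram gets through. The values of $CollectorHost and $Port are yours to set, the firewall rule name is an assumption, and the FortiGate-shaped log line is constructed for the test rather than captured from a real device.

```powershell
# Added example, not code from the original post or from BindPlane/observIQ.
# Three checks for a udplog receiver on Windows: is the port bound, does the host
# firewall admit inbound UDP on it, and does a synthetic syslog datagram get through.
# Assumptions: $CollectorHost/$Port are yours to set; the FortiGate-shaped log line
# below is constructed for the test, not captured from a real device.

$CollectorHost = '127.0.0.1'   # use the server's LAN address when running from another host
$Port          = 514

# 1. Who owns UDP 514? (the netstat -ano check, with the process name resolved)
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $endpoints) {
    Write-Warning "Nothing is bound to UDP $Port; check the collector service and its log."
}
foreach ($ep in $endpoints) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    'UDP {0}:{1} is owned by PID {2} ({3})' -f $ep.LocalAddress, $ep.LocalPort, $ep.OwningProcess, $proc.ProcessName
}

# 2. Windows Defender Firewall blocks unsolicited inbound traffic by default, so a bound
#    socket is not enough: there must be an enabled inbound Allow rule for UDP 514.
$allowRules = Get-NetFirewallPortFilter -Protocol UDP -LocalPort $Port -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
if (-not $allowRules) {
    Write-Warning "No enabled inbound Allow rule for UDP $Port was found."
    # To add one from an elevated prompt (the DisplayName is an assumption):
    # New-NetFirewallRule -DisplayName 'Syslog UDP 514 (BindPlane)' -Direction Inbound `
    #     -Protocol UDP -LocalPort $Port -Action Allow -Profile Any
} else {
    $allowRules | Select-Object DisplayName, Profile, Enabled
}

# 3. Send one RFC 3164-style datagram. <134> = facility local0 (16*8) + severity info (6).
$timestamp = (Get-Date).ToString('MMM dd HH:mm:ss')
$body      = 'date=2024-01-01 time=00:00:00 devname="fgt-test" devid="FGTTEST" type="traffic" subtype="forward" srcip=10.0.0.10 dstip=10.0.0.20 dstport=443 proto=6 action="accept"'
$message   = "<134>$timestamp fgt-test $body"
$bytes     = [System.Text.Encoding]::UTF8.GetBytes($message)

$udp = New-Object System.Net.Sockets.UdpClient
try {
    $sent = $udp.Send($bytes, $bytes.Length, $CollectorHost, $Port)
    "Sent $sent bytes to ${CollectorHost}:$Port; search Google SecOps for devname=`"fgt-test`" in a few minutes."
} finally {
    $udp.Close()
}
```

Run step 3 from a different machine than the collector, pointed at the server's real address: a send to 127.0.0.1 from the server itself exercises only the receiver, not the host firewall. If the constructed line shows up in Google SecOps under the FORTINET_FIREWALL log type but the real firewall's traffic does not, the pipeline on the Windows side is fine and the gap is upstream: the FortiGate's syslog destination (address, port 514, UDP), a network device in between, or a firewall rule that is enabled only for a profile other than the one assigned to the receiving interface.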

Take a look at this previous post to see if it is a similar issue: BindPlane agent for Windows event logs - Invalid Argument error



@kentphelps wrote:

Take a look at this previous post to see if it is a similar issue: BindPlane agent for Windows event logs - Invalid Argument error


No, these are different issues.


Looks like you're maybe going to need to do a custom source, or find the source associated with the FW.

https://bindplane.com/docs/resources/sources/windows-events

I did a Get-WinEvent -ListLog *fire* and found 3 firewall logs, one with logs on my system.
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

This is traversed in Windows Event Viewer as:
Applications/Microsoft/Windows/Windows Firewall....

You'll have to translate that into the source.
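If the firewall logs in question are Windows Firewall events rather than syslog from a network firewall, the channel name has to go into a windowseventlog receiver exactly as Get-WinEvent reports it, not as the Event Viewer tree path. The PowerShell below is an added example, not part of the reply above or of BindPlane's documentation: it lists the firewall channels with their record counts, picks the populated one, reads its newest events to confirm it is the right channel, and prints a receiver stanza using that name. The receiver name source1__firewall and the log_type attribute value are placeholders, and on a BindPlane-managed agent the source would normally be added through BindPlane rather than pasted into the agent's config.

```powershell
# Added example, not part of the reply above. Resolve the Windows Firewall event channel
# the way Get-WinEvent reports it and emit a windowseventlog receiver stanza for it.
# Assumptions: the receiver name and the log_type attribute value are placeholders; a
# BindPlane-managed agent would normally get this source added through BindPlane.

$channels = Get-WinEvent -ListLog '*Firewall*' -ErrorAction SilentlyContinue |
    Select-Object LogName, IsEnabled, RecordCount
$channels | Format-Table -AutoSize

# The reply found three channels but only one with records; pick that one.
$channel = $channels |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 } |
    Select-Object -First 1 -ExpandProperty LogName
if (-not $channel) { throw 'No enabled Windows Firewall channel with records was found.' }

# Confirm it is the right channel by reading the newest events.
Get-WinEvent -LogName $channel -MaxEvents 3 | Select-Object TimeCreated, Id, ProviderName

# The receiver's channel: value is the LogName string, not the Event Viewer tree path.
@"
receivers:
  windowseventlog/source1__firewall:
    attributes:
      log_type: windows_event.custom
    channel: $channel
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
"@
```

A channel that exists but has RecordCount 0 usually means firewall logging for that profile is switched off in the firewall policy; the receiver will start cleanly against it and simply never emit anything, which looks the same from the SIEM side as a broken pipeline.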



This may help: 

receivers:
  tcplog:
    listen_address: "0.0.0.0:54525"
  windowseventlog/source0__application:
    attributes:
      log_type: windows_event.application
    channel: application
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end

 


Hi @Mustache
The receiver should be of type udp for the firewall.

