
I have installed the BindPlane agent on a Windows server to ingest Windows logs and listen on port 514 for firewall logs, then ingest them into Google SecOps SIEM.

The Windows log ingestion is working correctly, but the firewall log ingestion is not.

Can someone check my configuration file?

 

receivers:
  windowseventlog/source0__security:
    attributes:
      log_type: windows_event.security
    channel: security
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end
  udplog/source0_firewall:
    add_attributes: true
    async:
      max_queue_length: 100
      processors: 3
      readers: 1
    listen_address: 0.0.0.0:514
    operators:
      - field: attributes.log_type
        type: add
        value: udp
exporters:
  chronicle/chronicle_w0_labels:
    compression: gzip
    creds: ''
    customer_id: xyz
    endpoint: asia-south1-malachiteingestion-pa.googleapis.com
    ingestion_labels:
      env: dev
    log_type: FORTINET_FIREWALL
    namespace: TEST_FORTINET_FIREWALL
    raw_log_field: body
  chronicle/chronicle_w1_labels:
    compression: gzip
    creds: ''
    customer_id: xyz
    endpoint: asia-south1-malachiteingestion-pa.googleapis.com
    ingestion_labels:
      env: dev
    log_type: WINEVTLOG
    namespace: TEST_WINDOWS
    raw_log_field: body
service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - windowseventlog/source0__security
      exporters:
        - chronicle/chronicle_w1_labels
    logs/source0_firewall__chronicle_w_labels-0:
      receivers:
        - udplog/source0_firewall
      exporters:
        - chronicle/chronicle_w0_labels

Also note, I have checked the listening port using netstat -ano, which shows that port 514 is being listened on by a service related to observIQ.
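A loopback check for the UDP 514 path in the config above, added here as an example (not code from this thread, from BindPlane or from observIQ). It binds 0.0.0.0:&lt;port&gt; the same way the udplog receiver does, optionally sends itself one constructed FortiGate-style syslog datagram, and reports what arrived, so with the agent stopped you can tell whether the firewall's datagrams reach the host at all, separately from the collector config. The sample log line, device names and port numbers are made up.

```python
import socket
from typing import List, Optional, Tuple

# Constructed sample in the FortiGate key=value style; every value is made up.
SAMPLE_FORTINET_LOG = (
    '<189>date=2024-05-01 time=10:15:02 devname="fw-test" devid="FGT-PLACEHOLDER" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" '
    'srcip=10.0.0.5 srcport=51515 dstip=203.0.113.7 dstport=443 action="accept"'
)

def split_pri(line: str) -> Tuple[Optional[int], Optional[int], str]:
    """Split the syslog <PRI> prefix into (facility, severity, rest of line).
    PRI = facility * 8 + severity; a line without a valid PRI comes back whole."""
    end = line.find(">")
    if line.startswith("<") and 1 < end <= 4 and line[1:end].isdigit():
        pri = int(line[1:end])
        if pri <= 191:
            return pri // 8, pri % 8, line[end + 1:]
    return None, None, line

def _drain(sock: socket.socket, timeout: float, max_msgs: int) -> List[str]:
    """Read datagrams until the timeout or max_msgs; never blocks forever."""
    sock.settimeout(timeout)
    got: List[str] = []
    while len(got) < max_msgs:
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            break
        got.append(data.decode("utf-8", errors="replace"))
    return got

def listen_udp(port: int = 514, timeout: float = 10.0, max_msgs: int = 20) -> List[str]:
    """Bind 0.0.0.0:<port> exactly as the udplog receiver does and collect what
    the firewall sends. OSError here means the agent (or something else) holds the port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("0.0.0.0", port))
        return _drain(rx, timeout, max_msgs)

def loopback_check(port: int, message: str = SAMPLE_FORTINET_LOG) -> List[str]:
    """Bind the port, send one datagram to it over loopback, return what arrived.
    An empty list means something on the host is dropping traffic to that port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("0.0.0.0", port))
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(message.encode("utf-8"), ("127.0.0.1", port))
        return _drain(rx, timeout=1.0, max_msgs=1)
```

Run `listen_udp(514)` with the agent stopped to see the real firewall traffic; `loopback_check(514)` only proves the host can deliver to itself, so an empty list from the former with a non-empty list from the latter points at the network or the firewall's syslog settings rather than the collector.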

Take a look at this previous post to see if it is a similar issue: BindPlane agent for Windows event logs - Invalid Argument error




@kentphelps wrote:

Take a look at this previous post to see if it is a similar issue: BindPlane agent for Windows event logs - Invalid Argument error


No, these are different issues.


Looks like you're going to maybe need to do a custom source, or find the source associated with the FW.

https://bindplane.com/docs/resources/sources/windows-events

I did a get-winevent -listlog *fire* and found 3 firewall logs, one with logs on my system:
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

This is traversed in Windows Event Viewer as:
Applications/Microsoft/Windows/Windows Firewall....

You'll have to translate that into the source. 



This may help: 

receivers:
  tcplog:
    listen_address: "0.0.0.0:54525"
  windowseventlog/source0__application:
    attributes:
      log_type: windows_event.application
    channel: application
    max_reads: 100
    poll_interval: 1s
    raw: true
    start_at: end

 


Hi @Mustache
The receiver should be of type udp for the firewall.

