Chronicle
Currently only v2 of the ingestion API is supported
Supported Types
Metrics | Logs | Traces |
---|---|---|
| ✓ | |
Prerequisites
Before setting up the Chronicle destination, ensure you have a Google Cloud account and access to the Chronicle security analytics platform. More details on setting this up can be found in the Google Cloud documentation here.
Configuration Fields
Field | Description |
---|---|
Endpoint | The endpoint for sending to Chronicle. |
Authentication Method | Method used for authenticating to Google Cloud: auto, json, file. |
Credentials | JSON value from a Google Service Account credential file. Required if Authentication Method is set to 'json'. |
Credentials File | Path to a Google Service Account credential file on the collector system. Required if Authentication Method is set to 'file'. |
Log Type | Type of log to be sent to Chronicle. The Supported Log Types can be seen here. |
Customer ID | The customer ID used for sending logs. |
Raw Log Field | The OTTL formatted field name that contains the raw log data. |
Sources
Chronicle expects to be sent raw unstructured logs. Therefore, when sending logs to Chronicle, you should only use the following supported sources:
- Windows Events (With Advanced -> “Raw Logs” enabled)
- Microsoft SQL Server
- Common Event Format
- CSV
- File
- HTTP
- TCP
- UDP
Log Type Handling / Chronicle Parsing
Chronicle uses the log_type ingestion label to determine which Chronicle Parser should be applied to logs. In BindPlane you can set the log_type ingestion label in one of the following ways:
- Automatic Mapping: BindPlane will automatically create the log_type ingestion label for sources that use one of the following log_types. In these cases, you don't need to take any action.

attributes["log_type"] | chronicle_log_type (Ingestion Label) |
---|---|
windows_event.security | WINEVTLOG |
windows_event.application | WINEVTLOG |
windows_event.system | WINEVTLOG |
sql_server | MICROSFT_SQL |

- Set Chronicle Log Type: You can specify a new log attribute called chronicle_log_type and set its value to the appropriate Chronicle ingestion label (log_type). It's best practice to always explicitly set this when sending logs to Chronicle. You should use the Add Field processor to set this attribute. Note: This field will take precedence over any automatic mapping that may occur.
- Fallback: The Chronicle Destination has a Log Type field that you can set as a fallback option, in the case that you did not set chronicle_log_type or BindPlane couldn't automatically map the log_type for you.
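The precedence above (explicit chronicle_log_type, then automatic mapping, then the destination's Log Type fallback), worked through as an added example that is not BindPlane's or Chronicle's own code. The record layout, the resolve_log_type/label_records functions and the sample values are assumptions made for illustration; records that resolve to no label are reported rather than silently sent.

```python
# Added example (not BindPlane's code): resolve the Chronicle log_type
# ingestion label for a log record using the page's precedence:
#   1. explicit chronicle_log_type attribute (set via the Add Field processor)
#   2. BindPlane's automatic mapping from the source's log_type attribute
#   3. the destination's Log Type field as the fallback
from typing import Dict, List, Optional, Tuple

# Automatic mapping table as listed on this page: attributes["log_type"] -> label.
AUTOMATIC_MAPPING: Dict[str, str] = {
    "windows_event.security": "WINEVTLOG",
    "windows_event.application": "WINEVTLOG",
    "windows_event.system": "WINEVTLOG",
    "sql_server": "MICROSFT_SQL",  # label exactly as written on this page
}


def resolve_log_type(attributes: Dict[str, str], fallback: Optional[str]) -> Optional[str]:
    """Return the ingestion label for one record, or None if nothing resolves."""
    explicit = attributes.get("chronicle_log_type")
    if explicit:
        return explicit  # explicit attribute wins over automatic mapping
    mapped = AUTOMATIC_MAPPING.get(attributes.get("log_type", ""))
    if mapped:
        return mapped
    return fallback or None  # destination Log Type field, if configured


def label_records(records: List[dict], fallback: Optional[str]) -> Tuple[List[dict], List[dict]]:
    """Label a batch; collect records with no resolvable label so they can be
    surfaced (a record with no log_type gets no Chronicle parser)."""
    labelled, unresolved = [], []
    for record in records:
        label = resolve_log_type(record.get("attributes", {}), fallback)
        if label is None:
            unresolved.append(record)
        else:
            labelled.append({**record, "chronicle_log_type": label})
    return labelled, unresolved


# Constructed sample records: one per resolution path, plus one that fails.
SAMPLE_RECORDS = [
    {"body": "An account was logged off", "attributes": {"log_type": "windows_event.security"}},
    {"body": "Login failed", "attributes": {"log_type": "sql_server", "chronicle_log_type": "CUSTOM_SQL"}},
    {"body": "plain file line", "attributes": {"log_type": "file"}},
    {"body": "no attributes at all", "attributes": {}},
]

if __name__ == "__main__":
    done, missing = label_records(SAMPLE_RECORDS, fallback="FALLBACK_LOG_TYPE")  # placeholder
    print(f"labelled={len(done)} unresolved={len(missing)}")
```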
Credentials
This exporter requires a Google Cloud service account with access to the Chronicle API. The service account must have access to the endpoint specified in the config. Besides the default endpoint (https://malachiteingestion-pa.googleapis.com), there are also regional endpoints that can be used here.
For additional information on accessing Chronicle, see the Chronicle documentation.
Supported Retry and Queuing Settings
This destination supports the following retry and queuing settings:
Sending Queue | Persistent Queue | Retry on Failure |
---|---|---|
✓ | ✓ | ✓ |
Example Configuration
Basic Configuration
This configuration sets up the Chronicle destination with necessary details such as region, authentication method, credentials, and log type.