Collect A10 Network Load Balancer logs

Supported in:

This document explains how to ingest A10 Network Load Balancer logs to Google Security Operations using Bindplane agent.

A10 Networks provides application delivery controllers (ADCs) and load balancers that optimize and secure application traffic. The A10 Thunder series supports server load balancing, SSL offloading, DDoS protection, and web application firewall capabilities.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance
  • Windows Server 2016 or later, or Linux host with systemd
  • Network connectivity between the Bindplane agent and A10 Load Balancer
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
  • Privileged access to the A10 Load Balancer CLI (admin credentials)

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

  4. Save the file securely on the system where the Bindplane agent will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.

  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /etc/bindplane-agent/config.yaml

  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
    udplog:
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/a10_lb:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: A10_LOAD_BALANCER
        raw_log_field: body

service:
    pipelines:
        logs/a10_to_chronicle:
            receivers:
                - udplog
            exporters:
                - chronicle/a10_lb

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address: IP address and port to listen on:
      • 0.0.0.0 to listen on all interfaces (recommended)
      • Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)

  • Exporter configuration:

    • creds_file_path: Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id: Customer ID copied from the Google SecOps console
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for complete list

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector

    1. Verify the service is running:

      sudo systemctl status observiq-otel-collector

    2. Check logs for errors:

      sudo journalctl -u observiq-otel-collector -f

  • To restart the Bindplane agent in Windows, choose one of the following options:

    • Command Prompt or PowerShell as administrator:

      net stop observiq-otel-collector && net start observiq-otel-collector

    • Services console:

      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.

      4. Verify the service is running:

        sc query observiq-otel-collector

      5. Check logs for errors:

        type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure syslog forwarding on the A10 Load Balancer

  1. Establish an SSH connection to the A10 Load Balancer using an SSH client.

  2. Enter configuration mode by running the following command:

    config

  3. Configure the remote syslog server by running the following command:

    logging host <BINDPLANE_IP> <PORT>
    • Replace <BINDPLANE_IP> with the IP address of the Bindplane agent host (for example, 192.168.1.100).
    • Replace <PORT> with the port configured in the Bindplane receiver (for example, 514).

  4. Set the severity level by running the following command:

    logging level information

  5. Ensure syslog logging is enabled by running the following command:

    logging enable

  6. Save the configuration to ensure it persists after a reboot:

    write memory

  7. Example of a complete CLI configuration:

    config
logging host 192.168.1.100 514
logging level information
logging enable
write memory

UDM mapping table

Log field UDM mapping Logic
dns additional.fields.dns.value.string_value The value is taken from the dns field extracted by the grok pattern.
dns_server additional.fields.dns_server.value.string_value The value is taken from the dns_server field extracted by the grok pattern.
gslb additional.fields.gslb.value.string_value The value is taken from the gslb field extracted by the grok pattern.
host_name principal.hostnameprincipal.asset.hostname The value is taken from the host_name field extracted by the grok pattern.
httpmethod network.http.method The value is taken from the httpmethod field extracted by the grok pattern.
partion_id additional.fields.partion_id.value.string_value The value is taken from the partion_id field extracted by the grok pattern.
prin_ip principal.ipprincipal.asset.ip The value is taken from the prin_ip field extracted by the grok pattern.
prin_mac principal.mac The value is taken from the prin_mac field extracted by the grok pattern, with dots removed and colons inserted every two characters.
prin_port principal.port The value is taken from the prin_port field extracted by the grok pattern and converted to an integer.
proto network.ip_protocol The value is taken from the proto field extracted by the grok pattern. If the message field contains UDP, the value is set to UDP.
sessionid network.session_id The value is taken from the sessionid field extracted by the grok pattern.
status_code network.http.response_code The value is taken from the status_code field extracted by the grok pattern and converted to an integer.
tar_ip target.iptarget.asset.ip The value is taken from the tar_ip field extracted by the grok pattern.
tar_mac target.mac The value is taken from the tar_mac field extracted by the grok pattern, with dots removed and colons inserted every two characters.
tar_port target.port The value is taken from the tar_port field extracted by the grok pattern and converted to an integer.
time metadata.event_timestamp.seconds The value is parsed from the time field extracted by the grok pattern, using multiple possible date formats.
url target.url The value is taken from the url field extracted by the grok pattern.
user principal.user.userid The value is taken from the user field extracted by the grok pattern.
N/A metadata.event_type Determined by the parser logic based on the presence of principal and target information:
-NETWORK_CONNECTION: if both principal and target information are present.
-STATUS_UPDATE: if only principal information is present.
-GENERIC_EVENT: otherwise.
N/A metadata.log_type Hardcoded to A10_LOAD_BALANCER.
N/A network.application_protocol Set to HTTP if the proto field is HTTP.

Need more help? Get answers from Community members and Google SecOps professionals.