Collect Akeyless Vault logs
Parser Version: 2.0
This document explains how to ingest Akeyless Vault logs to Google Security Operations using Bindplane.
Akeyless Vault is a cloud-native secrets management platform that provides centralized access to credentials, certificates, and encryption keys. It uses a patented Distributed Fragments Cryptography (DFC) technology that ensures secrets are never stored in a single location, providing zero-knowledge security across hybrid and multi-cloud environments.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or Linux host with
systemd - Network connectivity between the Bindplane agent and Akeyless Gateway
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Privileged access to the Akeyless Gateway web UI with administrator permissions
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quietWait for the installation to complete.
Verify the installation by running:
sc query observiq-otel-collector
The service should show as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
Run the following command:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.shWait for the installation to complete.
Verify the installation by running:
sudo systemctl status observiq-otel-collector
The service should show as active (running).
Additional installation resources
For additional installation options and troubleshooting, see Bindplane agent installation guide.
Configure the Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
Linux:
sudo nano /status observiq-otel-collector/config.yamlWindows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
Replace the entire contents of
config.yamlwith the following configuration:receivers: udplog: listen_address: "0.0.0.0:514" exporters: chronicle/akeyless_vault: compression: gzip creds_file_path: '<PLACEHOLDER_CREDS_FILE_PATH>' customer_id: '<PLACEHOLDER_CUSTOMER_ID>' endpoint: malachiteingestion-pa.googleapis.com log_type: AKEYLESS_VAULT raw_log_field: body ingestion_labels: env: production service: pipelines: logs/akeyless_to_chronicle: receivers: - udplog exporters: - chronicle/akeyless_vault
Configuration parameters
Replace the following placeholders:
Receiver configuration:
udplog: UDP syslog receiver for Akeyless Gateway log forwarding0.0.0.0:514: IP address and port to listen on. Replace the port as required in your infrastructure
Exporter configuration:
<PLACEHOLDER_CREDS_FILE_PATH>: Full path to ingestion authentication file:- Linux:
/etc/bindplane-agent/ingestion-auth.json - Windows:
C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- Linux:
<PLACEHOLDER_CUSTOMER_ID>: Google SecOps customer IDmalachiteingestion-pa.googleapis.com: Regional endpoint URL. Replace with the appropriate endpoint for your region:- US:
malachiteingestion-pa.googleapis.com - Europe:
europe-malachiteingestion-pa.googleapis.com - Asia:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for complete list
- US:
Save the configuration file
- After editing, save the file:
- Linux: Press
Ctrl+O, thenEnter, thenCtrl+X - Windows: Click File > Save
- Linux: Press
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux:
Run the following command:
sudo systemctl restart observiq-otel-collectorVerify the service is running:
sudo systemctl status observiq-otel-collectorCheck logs for errors:
sudo journalctl -u observiq-otel-collector -f
To restart the Bindplane agent in Windows:
Choose one of the following options:
- Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector- Services console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
- Press
Verify the service is running:
sc query observiq-otel-collectorCheck logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
Configure syslog forwarding in Akeyless Vault
- Sign in to your Akeyless Gateway web UI.
- Go to Log Forwarding.
- Select the Enable checkbox.
- Choose the log format - select JSON.
- In the Audit Log Server field, enter
https://audit.akeyless.io/. - From the Log Service dropdown list, select Syslog.
- Provide the following configuration details:
- Syslog Network: Select the network protocol used by the Bindplane agent (for example, UDP).
- Syslog Host: Enter the hostname or IP address of the Bindplane agent host (for example,
192.168.1.100:514). - Syslog Tag: (Optional) Enter the tag for audit logs. The default value is
audit-export. - Syslog Formatter: Select Text or CEF.
- TLS: (Optional) Select the TLS checkbox and upload the TLS Certificate of your log server if TLS encryption is required.
- Click Save Changes.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
access_id |
metadata.product_log_id |
Directly mapped from access_id field. If not present, extracted from the message field using regex. |
account_id |
target.user.userid |
Directly mapped from account_id field. |
action |
security_result.action_details |
Directly mapped from action field. |
component |
target.resource.name |
Directly mapped from component field. |
duration |
network.session_duration.seconds |
Directly mapped from duration field and converted to integer. |
remote_addr |
principal.ip |
Extracted from remote_addr field, split by comma and added to the principal.ip array. |
request_parameters.access_type |
target.resource.attribute.labels (key: access_type) |
Directly mapped from request_parameters.access_type field. If not present, extracted from the message field using regex. |
request_parameters.comment |
target.resource.attribute.labels (key: comment) |
Directly mapped from request_parameters.comment field. |
request_parameters.operation |
target.resource.attribute.labels (key: operation) |
Directly mapped from request_parameters.operation field. |
request_parameters.product |
target.resource.attribute.labels (key: product) |
Directly mapped from request_parameters.product field. If not present, extracted from the message field using regex. |
request_parameters.token_id |
target.resource.attribute.labels (key: token_id) |
Directly mapped from request_parameters.token_id field. |
request_parameters.transaction_type |
target.resource.attribute.labels (key: transaction_type) |
Directly mapped from request_parameters.transaction_type field and converted to string. If not present, extracted from the message field using regex. |
request_parameters.unique_id |
target.resource.attribute.labels (key: unique_id) |
Directly mapped from request_parameters.unique_id field. If not present, extracted from the message field using regex. |
request_parameters.universal_identity_rotate_type |
target.resource.attribute.labels (key: universal_identity_rotate_type) |
Directly mapped from request_parameters.universal_identity_rotate_type field. |
request_parameters.user_agent |
target.resource.attribute.labels (key: user_agent) |
Directly mapped from request_parameters.user_agent field. |
severity |
security_result.severity |
Mapped from severity field: Info to INFORMATIONAL, Error to ERROR, Warning to MEDIUM, otherwise UNKNOWN_SEVERITY. |
status |
network.http.response_code |
Directly mapped from status field and converted to integer. |
timestamp |
metadata.event_timestamp |
Directly mapped from the log entry timestamp field. |
| N/A | metadata.log_type |
Hardcoded to AKEYLESS_VAULT. |
| N/A | metadata.event_type |
Set to STATUS_UPDATE if IP is present, otherwise defaults to GENERIC_EVENT. |
| N/A | metadata.vendor_name |
Extracted from the message field using CEF regex pattern. |
| N/A | metadata.product_name |
Extracted from the message field using CEF regex pattern. |
| N/A | metadata.product_version |
Extracted from the message field using CEF regex pattern. |
| N/A | metadata.product_event_type |
Extracted from the message field using syslog header regex pattern. |
| N/A | target.namespace |
Extracted from the message field using regex. |
action |
network.http.method |
Mapped from action field: get to GET, put and Authentication to PUT, post to POST, delete to DELETE. |
remote_addr |
event.idm.read_only_udm.intermediary.ip |
Mapped from changelog |
syslog_hostname |
event.idm.read_only_udm.observer.hostname |
Mapped from changelog |
process_name |
event.idm.read_only_udm.observer.application |
Mapped from changelog |
pid |
event.idm.read_only_udm.observer.process.pid |
Mapped from changelog |
severity |
event.idm.read_only_udm.security_result.severity |
Mapped from changelog |
request_parameters.unique_id |
event.idm.read_only_udm.principal.user.email_addresses |
Mapped from changelog |
item_type |
event.idm.read_only_udm.target.resource.resource_subtype |
Mapped from changelog |
request_parameters.session_id |
event.idm.read_only_udm.network.session_id |
Mapped from changelog |
duration_in_ms |
event.idm.read_only_udm.target.resource.attribute.labels |
Mapped from changelog |
request_parameters.source |
event.idm.read_only_udm.target.resource.attribute.labels |
Mapped from changelog |
request_parameters.item_accessibility |
event.idm.read_only_udm.target.resource.attribute.labels |
Mapped from changelog |
remote_addr array |
principal.ip |
Mapped from changelog |
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.