Collect AMD Pensando DSS Firewall logs
Parser Version: 1.0
This document explains how to ingest AMD Pensando DSS Firewall logs to Google Security Operations using Bindplane.
AMD Pensando Distributed Services Switch (DSS) Firewall is a hardware-accelerated stateful firewall that runs on the AMD Pensando DPU inside Aruba CX 10000 series switches. It provides microsegmentation and east-west traffic inspection at line rate. The firewall is managed through the AMD Pensando Policy and Services Manager (PSM), which provides centralized policy configuration, monitoring, and syslog export capabilities.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance.
- Windows Server 2016 or later, or Linux host with
systemd. - If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
- Privileged access to the AMD Pensando Policy and Services Manager (PSM) or Aruba CX 10000 switch management interface.
- Network connectivity between the Bindplane agent host and the Aruba CX 10000 switch or PSM.
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
Linux installation
- Open a terminal with root or sudo privileges.
Run the following command:
sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
Additional installation resources
For additional installation options, see Bindplane agent installation guide.
Configure the Bindplane agent to ingest syslog and send to Google SecOps
Access the configuration file:
- Locate the
config.yamlfile. Typically, it is in the/etc/bindplane-agent/directory on Linux or in the installation directory on Windows. - Open the file using a text editor (for example,
nano,vi, or Notepad).
- Locate the
Edit the
config.yamlfile as follows:receivers: udplog: # Replace the port and IP address as required listen_address: "0.0.0.0:514" exporters: chronicle/chronicle_w_labels: compression: gzip # Adjust the path to the credentials file you downloaded in Step 1 creds_file_path: '/path/to/ingestion-authentication-file.json' # Replace with your actual customer ID from Step 2 customer_id: '<CUSTOMER_ID>' endpoint: malachiteingestion-pa.googleapis.com # Add optional ingestion labels for better organization log_type: 'AMD_DSS_FIREWALL' raw_log_field: body ingestion_labels: service: pipelines: logs/source0__chronicle_w_labels-0: receivers: - udplog exporters: - chronicle/chronicle_w_labels
- Replace the port and IP address as required in your infrastructure.
- Replace
<CUSTOMER_ID>with the actual customer ID. - Update
/path/to/ingestion-authentication-file.jsonto the file path where the authentication file was saved.
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux:
Run the following command:
sudo systemctl restart observiq-otel-collectorVerify the service is running:
sudo systemctl status observiq-otel-collectorCheck logs for errors:
sudo journalctl -u observiq-otel-collector -f
To restart the Bindplane agent in Windows:
Choose one of the following options:
- Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector- Services console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
- Press
Verify the service is running:
sc query observiq-otel-collectorCheck logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
Configure syslog forwarding on AMD Pensando DSS Firewall
The AMD Pensando DSS Firewall supports two methods for configuring syslog forwarding: through the Pensando Policy and Services Manager (PSM) web interface or through the AOS-CX CLI on the Aruba CX 10000 switch.
Configure syslog export via Pensando PSM
- Sign in to the AMD Pensando Policy and Services Manager (PSM) web interface.
- Go to Monitoring > Alerts & Events.
- Select the Destinations tab.
- Click Add Destination.
- Provide the following configuration details:
- Destination type: Select Syslog.
- Server address: Enter the IP address of the Bindplane agent host (for example,
192.168.1.100). - Port: Enter the port configured in the Bindplane agent
config.yaml(for example,514). - Protocol: Select UDP to match the Bindplane agent receiver configuration.
- Format: Select BSD (RFC 5424).
- Click Save to create the syslog destination.
- Select the Alert Policies tab.
- Click Add Alert Policy to define which events and alerts to forward.
- Select the desired event categories and severity levels.
- In the Destinations section, select the syslog destination you created.
Click Save to activate the alert policy.
Configure syslog via AOS-CX CLI on Aruba CX 10000
- Connect to the Aruba CX 10000 switch via SSH or console.
Enter configuration mode:
configure terminalConfigure the remote syslog server with UDP (replace
<BINDPLANE_IP>with your Bindplane agent IP address):logging <BINDPLANE_IP> udp 514 severity infoOr for TCP:
logging <BINDPLANE_IP> tcp 1470 severity infoOr for TLS:
logging <BINDPLANE_IP> tls 6514 severity infoSet the syslog facility:
logging facility local0Save the configuration:
write memoryExit configuration mode:
exit
For more information about the AOS-CX logging command, see the AOS-CX CLI Reference.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
action |
read_only_udm.metadata.product_event_type |
Direct mapping. |
action |
read_only_udm.security_result.action |
If action is "deny", set to "BLOCK". If action is "allow", set to "ALLOW". |
column10 |
read_only_udm.network.session_id |
Direct mapping. |
column11 |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "security_policy_id". |
column12 |
read_only_udm.security_result.rule_id |
Direct mapping. |
column13 |
read_only_udm.security_result.rule_name |
Direct mapping. |
column14 |
read_only_udm.network.sent_packets |
Direct mapping. |
column15 |
read_only_udm.network.sent_bytes |
Direct mapping. |
column16 |
read_only_udm.network.received_packets |
Direct mapping. |
column17 |
read_only_udm.network.received_bytes |
Direct mapping. |
column18 |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "vlan". |
column19 |
read_only_udm.principal.asset.software.vendor_name |
Direct mapping. |
column19 |
read_only_udm.principal.asset.software.name |
Direct mapping. |
column2 |
read_only_udm.metadata.product_event_type |
Direct mapping. |
column20 |
read_only_udm.principal.asset.software.version |
Direct mapping. |
column21 |
read_only_udm.principal.asset_id |
Concatenates "asset_id:" with the value of column21. |
column22 |
read_only_udm.principal.asset.attribute.labels.value |
Direct mapping. Key is hardcoded as "device_name". |
column23 |
read_only_udm.principal.asset.attribute.labels.value |
Direct mapping. Key is hardcoded as "unit_id". |
column24 |
read_only_udm.metadata.product_version |
Direct mapping. |
column25 |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "policy_name". |
column25 |
read_only_udm.security_result.rule_type |
Direct mapping. |
column4 |
read_only_udm.principal.resource.product_object_id |
Direct mapping. |
column5 |
read_only_udm.principal.ip |
Direct mapping. |
column6 |
read_only_udm.principal.port |
Direct mapping. |
column7 |
read_only_udm.target.ip |
Direct mapping. |
column8 |
read_only_udm.target.port |
Direct mapping. |
column9 |
read_only_udm.network.ip_protocol |
Maps the numeric protocol number to its corresponding name (e.g., 6 to TCP, 17 to UDP). |
dip |
read_only_udm.target.ip |
Direct mapping. |
dport |
read_only_udm.target.port |
Direct mapping. |
dvc |
read_only_udm.intermediary.hostname |
If dvc is not an IP address, map to hostname. Otherwise, map to IP. |
iflowbytes |
read_only_udm.network.sent_bytes |
Direct mapping. |
iflowpkts |
read_only_udm.network.sent_packets |
Direct mapping. |
msg_id |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "msg_id". |
policy_name |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "policy_name". |
policy_name |
read_only_udm.security_result.rule_type |
Direct mapping. |
proc_id |
read_only_udm.target.process.pid |
Direct mapping. |
proc_name |
read_only_udm.target.application |
Direct mapping. |
protocol_number_src |
read_only_udm.network.ip_protocol |
Maps the numeric protocol number to its corresponding name (e.g., 6 to TCP, 17 to UDP). |
rflowbytes |
read_only_udm.network.received_bytes |
Direct mapping. |
rflowpkts |
read_only_udm.network.received_packets |
Direct mapping. |
rule_id |
read_only_udm.security_result.rule_id |
Direct mapping. |
rule_name |
read_only_udm.security_result.rule_name |
Direct mapping. |
sd |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "sd". |
security_policy_id |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "security_policy_id". |
session_id |
read_only_udm.network.session_id |
Direct mapping. |
session_state |
read_only_udm.metadata.product_event_type |
Direct mapping. |
sip |
read_only_udm.principal.ip |
Direct mapping. |
software_version |
read_only_udm.principal.asset.software.version |
Direct mapping. |
sport |
read_only_udm.principal.port |
Direct mapping. |
ts |
read_only_udm.metadata.event_timestamp |
The timestamp from the log is parsed and formatted into the UDM timestamp format. |
vlan |
read_only_udm.additional.fields.value.string_value |
Direct mapping. Key is hardcoded as "vlan". |
read_only_udm.metadata.event_type |
If both sip and dip are present, set to "NETWORK_UNCATEGORIZED". If only sip is present, set to "STATUS_UPDATE". Otherwise, set to "GENERIC_EVENT". | |
read_only_udm.metadata.log_type |
Hardcoded to "AMD_DSS_FIREWALL". | |
read_only_udm.metadata.product_name |
Hardcoded to "AMD_DSS_FIREWALL". | |
read_only_udm.metadata.vendor_name |
Hardcoded to "AMD_DSS_FIREWALL". | |
read_only_udm.principal.resource.resource_type |
Hardcoded to "VPC_NETWORK". |
Change Log
View the Change Log for this parser
Need more help? Get answers from Community members and Google SecOps professionals.