Collect Progress MOVEit Transfer logs
This document explains how to ingest Progress MOVEit Transfer logs into Google Security Operations using Bindplane.
Progress MOVEit Transfer is a managed file transfer (MFT) solution that provides secure, encrypted file transfers using protocols such as HTTPS, FTPS, and SFTP. It offers tamper-evident audit logging, role-based access controls, and compliance support for regulations including HIPAA, PCI DSS, and GDPR. MOVEit Transfer records all file transfer activity, user authentication events, and administrative actions in its audit database.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later, or a Linux host with systemd
- Network connectivity between the Bindplane agent and the Progress MOVEit Transfer server
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- SysAdmin-level access to the Progress MOVEit Transfer web administration console
- UDP port 514 (or your chosen syslog port) open from the MOVEit Transfer server to the Bindplane agent host
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
- Run the following command:
  msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
- Wait for the installation to complete.
- Verify the installation by running:
  sc query observiq-otel-collector
  The service should show as RUNNING.
Linux installation
- Open a terminal with root or sudo privileges.
- Run the following command:
  sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
- Wait for the installation to complete.
- Verify the installation by running:
  sudo systemctl status observiq-otel-collector
  The service should show as active (running).
Additional installation resources
For additional installation options and troubleshooting, see the Bindplane agent installation guide.
Configure Bindplane agent to ingest syslog and send to Google SecOps
Locate the configuration file
Linux:
sudo nano /etc/bindplane-agent/config.yaml
Windows:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
Replace the entire contents of config.yaml with the following configuration:

receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/moveit_transfer:
    compression: gzip
    creds_file_path: '<CREDS_FILE_PATH>'
    customer_id: '<CUSTOMER_ID>'
    endpoint: <REGION_ENDPOINT>
    log_type: IPSWITCH_MOVEIT_TRANSFER
    raw_log_field: body
    ingestion_labels:
      log_source: moveit_transfer

service:
  pipelines:
    logs/moveit_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/moveit_transfer
Configuration parameters
Replace the following placeholders.
Exporter configuration:
- <CREDS_FILE_PATH>: Full path to the ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- <CUSTOMER_ID>: Google SecOps customer ID copied earlier
- <REGION_ENDPOINT>: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for the complete list
Example configuration
receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/moveit_transfer:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: IPSWITCH_MOVEIT_TRANSFER
    raw_log_field: body
    ingestion_labels:
      log_source: moveit_transfer

service:
  pipelines:
    logs/moveit_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/moveit_transfer
Save the configuration file
After editing, save the file:
* Linux: Press Ctrl+O, then Enter, then Ctrl+X
* Windows: Click File > Save
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Linux, do the following:
- Run the following command:
  sudo systemctl restart observiq-otel-collector
- Verify the service is running:
  sudo systemctl status observiq-otel-collector
- Check logs for errors:
  sudo journalctl -u observiq-otel-collector -f
To restart the Bindplane agent in Windows, do the following:
Choose one of the following options:
- Command Prompt or PowerShell as administrator:
  net stop observiq-otel-collector && net start observiq-otel-collector
- Services console:
  - Press Win+R, type services.msc, and press Enter.
  - Locate observIQ OpenTelemetry Collector.
  - Right-click and select Restart.
Verify the service is running:
sc query observiq-otel-collector
Check logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
Configure Progress MOVEit Transfer syslog forwarding
To configure MOVEit Transfer to forward audit log entries to the Bindplane agent via syslog:
- Sign in to the MOVEit Transfer web administration console as a user with SysAdmin permissions.
- Go to SETTINGS > System > Auditing > Syslog. The Configure Syslog Settings page displays.
- In the Syslog Logging section, select Enabled. When enabled, each audit log entry is sent to the specified syslog host as well as to the MOVEit Transfer audit database.
- In the Syslog Host field, enter the IP address or hostname of the Bindplane agent host (for example, 192.168.1.100).
- In the Syslog Port field, enter 514. If this field is left blank, it reverts to the default port 514.
- In the Syslog Facility dropdown, select the facility under which MOVEit Transfer syslog messages will appear on the remote syslog host. The default value is FTP. The following standard syslog facilities are available:
- KERN
- USER
- DAEMON
- AUTH
- SYSLOG
- LPR
- NEWS
- UUCP
- CRON
- AUTHPRIV
- FTP (default)
- LOCAL0 through LOCAL7
- Click Change Logging Settings to save the configuration.
- Click Send Test Syslog Message to send a test message to the specified Bindplane agent host. Because the BSD Syslog implementation is based on UDP, manually verify that the test message arrived by checking the Bindplane agent logs.
Verify the test message was received by the Bindplane agent:
Linux:
sudo journalctl -u observiq-otel-collector -f
Windows:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
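Because the test message travels over UDP with no acknowledgement, the only evidence of a correct Syslog Facility setting is the PRI value in the datagram the agent receives. The following decoder is an added example (not code from this page, from Google, or from Bindplane) that splits a BSD syslog datagram into facility, severity, host and message so you can confirm the facility matches what you selected; the sample datagram is constructed.

```python
import re
from typing import Optional

# RFC 3164 facility codes, in numeric order. The names match the MOVEit
# Syslog Facility dropdown, where FTP (code 11) is the default.
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK"]
FACILITIES += [f"LOCAL{i}" for i in range(8)]
SEVERITIES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR",
              "WARNING", "NOTICE", "INFO", "DEBUG"]

# <PRI>Mmm dd HH:MM:SS HOST MESSAGE, the layout the udplog receiver sees.
_BSD = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def decode_syslog(datagram: bytes) -> Optional[dict]:
    """Return PRI, facility, severity, timestamp, host and message, or None."""
    m = _BSD.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest legal PRI
        return None
    return {
        "pri": pri,
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def facility_matches(datagram: bytes, expected: str = "FTP") -> bool:
    """True when the datagram is well-formed and carries the expected facility."""
    d = decode_syslog(datagram)
    return d is not None and d["facility"] == expected


# Constructed sample datagram (not a real MOVEit record): facility FTP (11)
# and severity INFO (6) give PRI 11*8+6 = 94.
SAMPLE = b"<94>Jan  5 10:15:32 moveit01 MOVEit Transfer test syslog message"

if __name__ == "__main__":
    print(decode_syslog(SAMPLE))
```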
Firewall requirements
Ensure the following firewall rule is in place to allow syslog traffic from MOVEit Transfer to the Bindplane agent:
| Direction | Protocol | Source | Destination | Port |
|---|---|---|---|---|
| Outbound from MOVEit Transfer | UDP | MOVEit Transfer server IP | Bindplane agent host IP | 514 |
UDM mapping table
| Log field | UDM mapping | Logic |
|---|---|---|
| column1 | metadata.collected_timestamp | Converted using date match patterns: d/M/yyyy H:mm:ss A, M/d/yyyy H:mm:ss A, MM/dd/yyyy HH:mm:ss A |
| column1 | metadata.event_timestamp | Converted using date match patterns: d/M/yyyy H:mm:ss A, M/d/yyyy H:mm:ss A, MM/dd/yyyy HH:mm:ss A |
| column2 | security_result.action_details | Value copied directly |
| column3 | target.hostname, target.asset.hostname | Value copied directly from column3 |
| column4 | principal.ip, principal.asset.ip | Extracted from column4 using grok pattern for IP |
| column6 | target.file.full_path | Concatenated from folderPath and fileName if both present, else from fileName alone |
| column7 | target.file.full_path | |
| column15 | target.file.full_path | |
| column7 | target.user.email_addresses | Merged if column2 == file_sentemail |
| column10 | metadata.description | Value copied directly |
| column11 | metadata.product_event_type | Value copied directly if not None |
| column12 | target.ip, target.asset.ip | Extracted from column12 using grok pattern for IP |
| column16 | target.file.full_path | Concatenated from folderPath and fileName if both present, else from fileName alone |
| column23 | target.file.full_path | |
| column19 | target.user.user_display_name | Value copied directly if column2 == file_sentemail and column8 == sender, else for target user |
| event_received_time | metadata.collected_timestamp | Converted using date match patterns: UNIX_MS, dd/MM/yyyy HH:mm:ss, yyyy-MM-dd HH:mm:ss, MM/dd/yyyy HH:mm:ss A, yyyy/MM/dd HH:mm:ss, RFC3339, yyyy-MM-ddTHH:mm:ss |
| timestamp | metadata.event_timestamp | Converted using date match patterns: MMM d HH:mm:ss, MMM dd HH:mm:ss, ISO8601, yyyy-MM-dd HH:mm:ss, yyyy-MM-dd HH:mm:ss Z, MM/dd/yyyy HH:mm:ss A, yy-MM-dd HH:mm:ss, RFC3339, yyyy-MM-ddTHH:mm:ss |
| prin_ip | principal.ip, principal.asset.ip | Value copied directly |
| AgentVersion | metadata.product_version | Value copied directly |
| principal_host | principal.hostname, principal.asset.hostname | Value copied directly |
| Username | principal.user.userid | Value copied directly |
| company_name | principal.user.company_name | Value copied directly |
| ID | target.process.pid | Value copied directly |
| InstID | metadata.product_log_id | Value copied directly |
| FileID | target.resource.attribute.labels | Merged as additional_id_2 with key FileID and value from FileID |
| FolderID | target.resource.attribute.labels | Merged as additional_id_3 with key FolderID and value from FolderID |
| FolderPath | target.file.full_path | Concatenated from FolderPath and FileName if both present, else from FolderPath |
| FileName | target.file.full_path | |
| FileName | target.resource.attribute.labels | Merged as filename with key FileName and value from FileName |
| host | principal.hostname, principal.asset.hostname | Value copied directly |
| log_level | security_result.severity | Set to INFORMATIONAL if INFO or DEBUG, ERROR if ERROR |
| source_module_name | observer.resource.attribute.labels | Merged as source_module_label with key source_module_name and value from source_module_name |
| source_module_type | observer.application | Value copied directly |
| log_msg | metadata.description | Value from log_msg if http_method != GET and file_path empty, else log_desc, else description, else Message |
| log_desc | metadata.description | |
| description | metadata.description | |
| Message | metadata.description | |
| port | principal.port | Value copied directly, converted to integer |
| tgtport | target.port | Value copied directly, converted to integer |
| package | principal.process.command_line | Value copied directly |
| srcip | principal.ip, principal.asset.ip | Value copied directly |
| username | principal.user.userid | Value copied directly |
| version | metadata.product_version | Value copied directly |
| http_method | network.http.method | Value copied directly |
| action | security_result.action_details | Value copied directly |
| summary | security_result.summary | Value copied directly |
| security_result | security_result | Merged directly |
| tgtip | target.ip, target.asset.ip | Value copied directly |
| application_proto | network.application_protocol | Uppercased and copied directly |
| url | network.http.referral_url | Value copied directly |
| status_code | network.http.response_code | Value copied directly, converted to integer |
| file_path | principal.process.file.full_path | Value copied directly |
| file_size | principal.process.file.size | Converted to uinteger if not 0 |
| process_id | principal.process.pid | Value copied directly |
| session_id | network.session_id | Value copied directly |
| task_id | additional.fields | Merged as additional_field with key TASK_ID and string_value from task_id |
| AgentBrand | metadata.product_event_type | Value copied directly |
| Parm1 | additional.fields | Merged as additional_field_3 with key Parm1 and string_value from Parm1 |
| Parm2 | additional.fields | Merged as additional_field_4 with key Parm2 and string_value from Parm2 |
| Error | additional.fields | Merged as additional_field_5 with key Error and string_value from Error |
| XFerSize | target.resource.attribute.labels | Merged as additional_field_1 with key XFerSize and value from XFerSize |
| FolderPath | metadata.event_type | Set to FILE_DELETION if FolderPath and action_performed matches Delete File, NETWORK_HTTP if tgtip or host and application_proto == HTTP, USER_LOGIN if Username or username, STATUS_UPDATE if tgtip or host or principal_host or IPAddress, else GENERIC_EVENT |
| tgtip | metadata.event_type | |
| host | metadata.event_type | |
| principal_host | metadata.event_type | |
| IPAddress | metadata.event_type | |
| Username | metadata.event_type | |
| username | metadata.event_type | |
| tgtip | metadata.event_type | Set to USER_LOGIN if column2 == sec_signon and tgtip or tar_host, USER_LOGOUT if sec_signoff and tgtip or tar_host, FILE_UNCATEGORIZED if folder_add, FILE_CREATION if file_upload or download and tgtip and is_tgt_file_present, FILE_DELETION if file_delete and srcip and is_tgt_file_present, FILE_MODIFICATION if file_rename, FILE_UNCATEGORIZED if file_dlhashchk, EMAIL_TRANSACTION if file_sentemail and useremail, STATUS_UPDATE if srcip, else GENERIC_EVENT |
| tar_host | metadata.event_type | |
| srcip | metadata.event_type | |
| is_tgt_file_present | metadata.event_type | |
| column2 | metadata.event_type | |
| useremail | metadata.event_type | |
| security_result | metadata.event_type | |
| extensions.auth.type | extensions.auth.type | Set to MACHINE for login/logout events |
| metadata.vendor_name | metadata.vendor_name | Set to "IPS" |
| metadata.product_name | metadata.product_name | Set to "IPSWITCH MOVEIT TRANSFER" |
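The event-type, severity and file-path rows above are ordered decision rules rather than simple copies. The following is an added example (not Google's parser code) that implements the tgtip/column2 event_type rule, the log_level severity rule and the FolderPath/FileName concatenation as plain functions over already-extracted fields; the field dictionaries are constructed, the path separator is an assumption, and the table's "download" action is assumed to be file_download.

```python
def moveit_event_type(f: dict) -> str:
    """metadata.event_type per the tgtip/column2 row, evaluated top to bottom."""
    action = f.get("column2", "")
    tgt_present = bool(f.get("tgtip") or f.get("tar_host"))
    has_file = bool(f.get("is_tgt_file_present"))
    if action == "sec_signon" and tgt_present:
        return "USER_LOGIN"
    if action == "sec_signoff" and tgt_present:
        return "USER_LOGOUT"
    if action == "folder_add":
        return "FILE_UNCATEGORIZED"
    # The table says "download"; assumed here to be the file_download action.
    if action in ("file_upload", "file_download") and f.get("tgtip") and has_file:
        return "FILE_CREATION"
    if action == "file_delete" and f.get("srcip") and has_file:
        return "FILE_DELETION"
    if action == "file_rename":
        return "FILE_MODIFICATION"
    if action == "file_dlhashchk":
        return "FILE_UNCATEGORIZED"
    if action == "file_sentemail" and f.get("useremail"):
        return "EMAIL_TRANSACTION"
    if f.get("srcip"):
        return "STATUS_UPDATE"
    return "GENERIC_EVENT"


def moveit_severity(log_level):
    """security_result.severity per the log_level row; None for other levels."""
    lvl = (log_level or "").upper()
    if lvl in ("INFO", "DEBUG"):
        return "INFORMATIONAL"
    return "ERROR" if lvl == "ERROR" else None


def moveit_full_path(folder_path, file_name, sep="/"):
    """target.file.full_path per the FolderPath row; sep is an assumption."""
    if folder_path and file_name:
        return f"{folder_path.rstrip(sep)}{sep}{file_name}"
    return folder_path or None


# Constructed sample records (not real MOVEit audit rows).
SAMPLES = [
    {"column2": "sec_signon", "tgtip": "10.0.0.5"},
    {"column2": "sec_signon"},  # no target host: falls through to GENERIC_EVENT
    {"column2": "file_upload", "tgtip": "10.0.0.5", "is_tgt_file_present": True},
    {"column2": "file_delete", "srcip": "10.0.0.9", "is_tgt_file_present": True},
    {"column2": "file_sentemail", "useremail": "a@example.com"},
    {"column2": "file_dlhashchk", "srcip": "10.0.0.9"},
]


def classify_all():
    return [moveit_event_type(s) for s in SAMPLES]
```

Note that a sign-on record without tgtip or tar_host does not become USER_LOGIN; it is typed by the later srcip rule or ends as GENERIC_EVENT, which matters when writing detections on login events.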