Collect One Identity TPAM logs

Supported in:

Google secops SIEM

This document explains how to ingest One Identity TPAM logs to Google Security Operations using Bindplane.

One Identity Privileged Access Manager (TPAM) is a legacy privileged access management solution that provides centralized password management, session monitoring, and privileged account governance for enterprise environments. TPAM generates activity logs for password retrievals, system administration actions, and privileged session activities.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and One Identity TPAM appliance
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the One Identity TPAM web administration interface
TPAM appliance configured and operational

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
sudo systemctl status observiq-otel-collector
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

sudo nano /etc/bindplane-agent/config.yaml

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/tpam:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: 'YOUR_CUSTOMER_ID'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: ONEIDENTITY_TPAM
    raw_log_field: body
    ingestion_labels:
      source: tpam

service:
  pipelines:
    logs/tpam_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/tpam

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address: IP address and port to listen on
  - 0.0.0.0:514 listens on all interfaces on port 514 (standard syslog port)
  - Use 0.0.0.0:1514 if running as non-root user on Linux
  - TPAM only supports UDP syslog, so udplog receiver is required
Exporter configuration:
- creds_file_path: Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id: Replace YOUR_CUSTOMER_ID with the customer ID from the previous step
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list
- log_type: Must be ONEIDENTITY_TPAM exactly as shown
- ingestion_labels: Optional labels for filtering and organization

Example configuration for Linux (non-root user)

receivers:
  udplog:
    listen_address: "0.0.0.0:1514"

exporters:
  chronicle/tpam:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: ONEIDENTITY_TPAM
    raw_log_field: body
    ingestion_labels:
      env: production
      source: tpam

service:
  pipelines:
    logs/tpam_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/tpam

Example configuration for Windows

receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/tpam:
    compression: gzip
    creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json'
    customer_id: 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: ONEIDENTITY_TPAM
    raw_log_field: body
    ingestion_labels:
      env: production
      source: tpam

service:
  pipelines:
    logs/tpam_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/tpam

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O, then Enter, then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

Run the following command:

sudo systemctl restart observiq-otel-collector

Verify the service is running:

sudo systemctl status observiq-otel-collector

Check logs for errors:

sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows:

Choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
Verify the service is running:
```
sc query observiq-otel-collector
```

Check logs for errors:

type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure One Identity TPAM syslog forwarding

Configure TPAM to forward syslog messages to the Bindplane agent.

Sign in to the One Identity TPAM web administration interface.
Navigate to /admin.
In the left navigation menu, go to System Status > SysLog Configuration.
In the SysLog Configuration page, provide the following configuration details:
- SysLog Server: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100).
- Port: Enter the port number configured in the Bindplane agent (for example, 514 or 1514).
  - Default port is 514
  - If using non-root Bindplane agent on Linux, use 1514 or higher
- Protocol: TPAM only supports UDP for syslog transmission.
Click Save or Apply to save the configuration.
Click Test Connection if available to verify connectivity to the Bindplane agent.
Enable syslog forwarding if there is a separate enable/disable toggle. Note: TPAM sends syslog messages in a custom proprietary format (not CEF compliant). The format includes two log types:
- Activity Report (tpam): Password retrievals, system operations, and privileged access activities
- Sys-Admin Activity Log (sysadmin): Administrative actions and configuration changes

The syslog message format follows this structure:

PAR[PID]: UserName/AdminName, Operation, ObjectType, Target/ObjectName, Role, Failed, OtherInfo

Verify syslog forwarding

Perform a test action in TPAM (for example, retrieve a password or modify a system).

Check the Bindplane agent logs to verify syslog messages are being received:

Linux:

sudo journalctl -u observiq-otel-collector -f | grep -i tpam

Windows:

type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" | findstr /i "tpam"

Troubleshooting syslog connectivity

If syslog messages are not being received:

Verify network connectivity between TPAM appliance and Bindplane agent:
```
ping <bindplane_agent_ip>
```
Verify UDP port is open and listening on Bindplane agent:
- Linux:
```
sudo netstat -ulnp | grep 514
```
- Windows:
```
netstat -an | findstr :514
```
Check firewall rules allow UDP traffic on the configured port:
- Source: TPAM appliance IP address
- Destination: Bindplane agent IP address
- Protocol: UDP
- Port: 514 (or configured port)

Verify TPAM syslog configuration is saved and active:

Sign in to TPAM web interface
Navigate to /admin > System Status > SysLog Configuration
Verify IP address and port are correct
Test connection if available

Review TPAM system logs for syslog transmission errors:

Navigate to /admin > System Status > System Logs
Look for syslog-related error messages

For additional troubleshooting information, see the One Identity TPAM syslog troubleshooting guide.

UDM mapping table

Log Field	UDM Mapping	Logic
cn1	additional.fields	Additional vendor-specific event data that cannot be adequately represented within the formal sections of the UDM model
cn1Label	additional.fields
cs1	additional.fields
cs1Label	additional.fields
cs2	additional.fields
cs2Label	additional.fields
cs3	additional.fields
cs3Label	additional.fields
cs4	additional.fields
cs4Label	additional.fields
cs5	additional.fields
cs5Label	additional.fields
cs6	additional.fields
cs6Label	additional.fields
msg	metadata.description	Description of the event
metadata.event_type	metadata.event_type	Type of event (e.g., USER_LOGIN, NETWORK_CONNECTION)
eventid	metadata.product_event_type	Product-specific event type
logmsg	metadata.product_event_type
version	metadata.product_version	Version of the product
hostname	principal.asset.hostname	Hostname of the asset associated with the principal
groupName	principal.group.group_display_name	Display name of the group
hostname	principal.hostname	Hostname of the principal
cs1	principal.user.attribute.roles	Roles associated with the user
deviceCustomDate1	security_result.detection_fields	Fields used in detection
deviceCustomDate1Label	security_result.detection_fields
reason	security_result.summary	Summary of the security result
destinationDnsDomain	target.domain.name	Name of the target domain
cn1	target.resource.product_object_id	Product-specific object ID of the target resource
requestUrl	target.url	URL of the target
duser	target.user.user_display_name	Display name of the target user
duid	target.user.userid	User ID of the target user
logmessage	metadata.product_name	Name of the product
logtype	metadata.vendor_name	Name of the vendor

Need more help? Get answers from Community members and Google SecOps professionals.