Collect Quest Change Auditor for EMC logs

Supported in:

Google secops SIEM

This document explains how to ingest Quest Change Auditor for EMC logs to Google Security Operations using the Bindplane agent.

Quest Change Auditor for EMC is a real-time change auditing and reporting solution for EMC storage environments. It captures detailed information about changes to files, folders, and permissions on EMC storage systems, providing comprehensive audit trails for compliance and security monitoring.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and the Quest Change Auditor coordinator server
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the Quest Change Auditor for EMC console with administrator permissions

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Save the file securely on the system where Bindplane will be installed.

Note: This JSON file contains credentials for authenticating the Bindplane agent to Google SecOps.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer ID from the Organization Details section.

Note: The customer ID is required for configuring the Bindplane agent exporter.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Prompt or PowerShell as an administrator.

Run the following command:

msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Wait for the installation to complete.
Verify the installation by running:
```
sc query observiq-otel-collector
```
The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Wait for the installation to complete.
Verify the installation by running:
```
sudo systemctl status observiq-otel-collector
```
The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see the Bindplane agent installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

sudo nano /opt/observiq-otel-collector/config.yaml

Windows:

notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

receivers:
    tcplog:
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/quest_change_auditor_emc:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: '<customer_id>'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: QUEST_CHANGE_AUDITOR_EMC
        raw_log_field: body

service:
    pipelines:
        logs/quest_emc_to_chronicle:
            receivers:
                - tcplog
            exporters:
                - chronicle/quest_change_auditor_emc

Configuration parameters

Replace the following placeholders:

Receiver configuration:
- listen_address: IP address and port to listen on:
  - 0.0.0.0 to listen on all interfaces (recommended)
  - Port 514 is the standard syslog port (requires root on Linux; use 1514 for non-root)
Exporter configuration:
- creds_file_path: Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id: Customer ID copied from the Google SecOps console
- endpoint: Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list

Save the configuration file

After editing, save the file:
- Linux: Press Ctrl+O, then Enter, then Ctrl+X
- Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:

sudo systemctl restart observiq-otel-collector

Verify the service is running:

sudo systemctl status observiq-otel-collector

Check logs for errors:

sudo journalctl -u observiq-otel-collector -f

To restart the Bindplane agent in Windows, choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
net stop observiq-otel-collector && net start observiq-otel-collector
```
- Services console:
  1. Press Win+R, type services.msc, and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
  4. Verify the service is running:
```
sc query observiq-otel-collector
```
  5. Check logs for errors:
```
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
```

Configure Quest Change Auditor for EMC syslog forwarding

Quest Change Auditor supports native SIEM integration including syslog forwarding through event subscriptions. Configure a syslog event subscription on the coordinator server to forward events to the Bindplane agent.

Open PowerShell on the Change Auditor coordinator server with administrator privileges.
Create a syslog event subscription using the following command:
```
New-CASyslogEventSubscription -Name "Chronicle-Bindplane" -SyslogServer "<BINDPLANE_IP>" -Port 514 -Protocol TCP
```
- Replace <BINDPLANE_IP> with the IP address of the Bindplane agent host (for example, 192.168.1.100).
Select the event types and audited objects to forward:
- File and folder changes on EMC storage
- Permission changes
- Share modifications
- Administrative actions
Verify the subscription is active:
```
Get-CASyslogEventSubscription
```
Verify logs are being received by checking the Bindplane agent logs.

Note: The New-CASyslogEventSubscription PowerShell cmdlet is part of the Quest Change Auditor management module. Ensure the Change Auditor PowerShell module is installed on the coordinator server before running these commands.

UDM mapping table

Log Field	UDM Mapping	Logic
facility, agentID, eventClassID, subsystemID, facilityID, valueTypeID, actionID, resultID, coordinatorId, parentDomainID, domainDn, siteDn, organizationalUnit, parentObjectID, objectID, objectClass, objectName, attributeName, objectDn, objectCanonical, sslTls, kerberos, adOriginatingObjectID, adUsnChangedPre, adUsnChangedPost, administrator, originAdSite, simpleBind, authPort, adStatusCode, eventId, id, Keywords, EventType, Task, ThreadID, Channel, Opcode	additional.fields	Merged as labels with keys matching field names
description	metadata.description	Value copied directly
EventTime	metadata.event_timestamp	Converted from epoch ms to timestamp
event_data	metadata.event_type	Set based on conditional logic on event_data
EventReceivedTime	metadata.ingested_timestamp	Converted from epoch ms to timestamp
categoryBehavior, EventID	metadata.product_event_type	Value from categoryBehavior if not empty, else EventID
RecordNumber	metadata.product_log_id	Value copied directly
SourceModuleType	observer.application	Value copied directly
SourceModuleName	observer.resource.attribute.labels	Merged as label
Domain	principal.administrative_domain	Value copied directly
SourceName	principal.application	Value copied directly
origin, Hostname	principal.asset.hostname	Value from origin if not empty, else Hostname
ipAddress, originIPv4	principal.asset.ip	Value from ipAddress if not empty, else from originIPv4 if valid IP
origin, Hostname	principal.hostname	Value from origin if not empty, else Hostname
ipAddress, originIPv4	principal.ip	Value from ipAddress if not empty, else from originIPv4 if valid IP
osVersion	principal.platform	Set to "WINDOWS" if osVersion matches Windows
osVersion	principal.platform_version	Value copied directly if Windows
ProcessID	principal.process.pid	Value copied directly
link	principal.url	Value copied directly
AccountType	principal.user.attribute.roles.name	Value copied directly
adUserMail, initiatorMail	principal.user.email_addresses	Merged from adUserMail if matches email pattern, and initiatorMail
userDisplay, initiatorUserName	principal.user.user_display_name	Value from userDisplay if not empty, else initiatorUserName
userSid, AccountName	principal.user.userid	Value from userSid if not empty, else AccountName
UserID	principal.user.windows_sid	Value copied directly
result	security_result.action	Set to "ALLOW" if result matches Success, "BLOCK" if matches failure
result	security_result.action_details	Value copied directly
start, end, timeDetected, timeZoneOffset, timeBatched, timeOfDay, siteID	security_result.detection_fields	Merged as labels
description	security_result.description	Value copied directly
SeverityValue	security_result.severity	Set to INFORMATIONAL if 1-3, ERROR if 4, CRITICAL if 5
Severity	security_result.severity_details	Value copied directly
Category	security_result.summary	Value copied directly
file_path	src.file.full_path	Value copied directly
file_path	src.process.file.full_path	Value copied directly
initiatorMail	src.user.email_addresses	Value copied directly
initiatorUserName	src.user.user_display_name	Value copied directly
initiatorSid	src.user.userid	Value copied directly
domainFqdn	target.administrative_domain	Value copied directly
subsystem	target.application	Value copied directly
serverFqdn, ip_or_host	target.asset.hostname	Value from serverFqdn if not empty, else ip_or_host if not IP
ip_or_host	target.asset.ip	Extracted IP from ip_or_host
domainID	target.asset_id	Set to "DOMAIN ID:" + domainID
file_path, new_path	target.file.full_path	Value from file_path or new_path depending on EventID
serverFqdn, ip_or_host	target.hostname	Value from serverFqdn if not empty, else ip_or_host if not IP
site	target.location.name	Value copied directly
file_path, new_path	target.process.file.full_path	Value from file_path or new_path depending on EventID
filer_name	target.resource.attribute.labels	Merged as label
computer	target.resource.name	Value copied directly
serverDn	target.user.group_identifiers	Value copied directly
	metadata.product_name	Set to "Quest Change Auditor EMC"
	metadata.vendor_name	Set to "Quest"

Need more help? Get answers from Community members and Google SecOps professionals.