Collect Nokia VitalQIP DDI logs

This document explains how to ingest Nokia VitalQIP DDI logs to Google Security Operations using Bindplane.

Nokia VitalQIP (now owned by Cygna Labs) is an enterprise-grade DDI solution providing centralized management of DNS (Domain Name System), DHCP (Dynamic Host Configuration Protocol), and IPAM (IP Address Management). VitalQIP delivers carrier-grade IP address management with scalable, secure DNS/DHCP services designed for large enterprises, telecom providers, and service providers requiring high-performance, on-premises, and hybrid cloud DDI solutions.

Before you begin

  • Make sure you have the following prerequisites:

    • A Google SecOps instance
    • Windows Server 2016 or later, or Linux host with systemd
    • Network connectivity between the Bindplane agent and VitalQIP Appliance Management Software (AMS)
    • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
    • Administrative access to the VitalQIP Appliance Management Software (AMS) web interface
    • VitalQIP Appliance Manager version 1.7 or later (for multiple syslog server support)
    • At least one VitalQIP appliance (AMS, ESM, or AMM) configured in your environment

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sc query observiq-otel-collector
    

    The service should show as RUNNING.

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    
  3. Wait for the installation to complete.

  4. Verify the installation by running:

    sudo systemctl status observiq-otel-collector
    

    The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide.

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

  • Linux:

    sudo nano /etc/bindplane-agent/config.yaml
    
  • Windows:

    notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
    

Edit the configuration file

  • Replace the entire contents of config.yaml with the following configuration:

    receivers:
      udplog:
        listen_address: "0.0.0.0:514"
    
    exporters:
      chronicle/vitalqip:
        compression: gzip
        creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
        customer_id: 'YOUR_CUSTOMER_ID'
        endpoint: malachiteingestion-pa.googleapis.com
        log_type: VITALQIP
        raw_log_field: body
        ingestion_labels:
          env: production
          source: vitalqip
    
    service:
      pipelines:
        logs/vitalqip_to_chronicle:
          receivers:
            - udplog
          exporters:
            - chronicle/vitalqip
    

Configuration parameters

Replace the following placeholders:

  • Receiver configuration:

    • listen_address: Set to 0.0.0.0:514 to listen on all interfaces on UDP port 514
      • For Linux systems running as non-root, use port 1514 or higher
      • Adjust the port number if your environment requires a different port
  • Exporter configuration:

    • creds_file_path: Full path to ingestion authentication file:
      • Linux: /etc/bindplane-agent/ingestion-auth.json
      • Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
    • customer_id: Replace YOUR_CUSTOMER_ID with the customer ID from the previous step
    • endpoint: Regional endpoint URL:
      • US: malachiteingestion-pa.googleapis.com
      • Europe: europe-malachiteingestion-pa.googleapis.com
      • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
      • See Regional Endpoints for the complete list
    • log_type: Set to VITALQIP (exact match for Chronicle parser)
    • ingestion_labels: Optional labels for filtering and organization
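The checks below catch the configuration mistakes this section warns about (placeholder customer ID left in place, wrong log_type, an endpoint that is not one of the listed regional endpoints, a privileged port for a non-root agent, a missing authentication file) before the agent is restarted. This is an added example, not part of the Google SecOps or Bindplane documentation; it uses a deliberately small line-based scan of the config rather than a YAML library so it runs with the standard library only, and the embedded sample config is a constructed copy of the template above.

```python
"""Sanity-check a Bindplane config.yaml for the VitalQIP pipeline.

Added example (not Google SecOps or Bindplane code). Only the scalar
'key: value' lines that matter for this pipeline are inspected.
"""
import os
import re

# Regional ingestion endpoints named in this document (the page notes that
# the full list lives under "Regional Endpoints").
KNOWN_ENDPOINTS = {
    "malachiteingestion-pa.googleapis.com",
    "europe-malachiteingestion-pa.googleapis.com",
    "asia-southeast1-malachiteingestion-pa.googleapis.com",
}

# Matches lines such as   customer_id: 'abc'   or   listen_address: "0.0.0.0:514"
KV_RE = re.compile(r"^\s*([A-Za-z_]+):\s*['\"]?([^'\"#]*?)['\"]?\s*$")

# Constructed copy of the template from this document, placeholder included.
SAMPLE_CONFIG = """\
receivers:
  udplog:
    listen_address: "0.0.0.0:514"

exporters:
  chronicle/vitalqip:
    compression: gzip
    creds_file_path: '/etc/bindplane-agent/ingestion-auth.json'
    customer_id: 'YOUR_CUSTOMER_ID'
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: VITALQIP
    raw_log_field: body

service:
  pipelines:
    logs/vitalqip_to_chronicle:
      receivers:
        - udplog
      exporters:
        - chronicle/vitalqip
"""


def scalar_settings(config_text):
    """Return {key: value} for every scalar 'key: value' line in the config."""
    settings = {}
    for line in config_text.splitlines():
        m = KV_RE.match(line)
        if m and m.group(2):  # section headers like 'receivers:' have no value
            settings[m.group(1)] = m.group(2)
    return settings


def check_config(config_text, creds_exists=None, running_as_root=True):
    """Return a list of findings; an empty list means the config looks ready.

    creds_exists overrides the on-disk check of creds_file_path (handy when
    the check runs on a different host than the agent).
    """
    s = scalar_settings(config_text)
    findings = []

    if s.get("customer_id", "YOUR_CUSTOMER_ID") == "YOUR_CUSTOMER_ID":
        findings.append("customer_id is missing or still the YOUR_CUSTOMER_ID placeholder")

    if s.get("log_type") != "VITALQIP":
        findings.append("log_type must be exactly VITALQIP for the Chronicle parser")

    endpoint = s.get("endpoint", "")
    if endpoint not in KNOWN_ENDPOINTS:
        findings.append(f"endpoint {endpoint!r} is not one of the regional endpoints listed here")

    # listen_address is host:port; ports below 1024 need root on Linux.
    addr = s.get("listen_address", "")
    try:
        port = int(addr.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        port = None
    if port is None:
        findings.append("listen_address is missing or not of the form host:port")
    elif port < 1024 and not running_as_root:
        findings.append(f"port {port} is privileged; use 1514 or higher for a non-root agent")

    creds = s.get("creds_file_path", "")
    if creds_exists is None:
        creds_exists = os.path.isfile(creds)
    if not creds_exists:
        findings.append(f"ingestion authentication file not found at {creds!r}")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["config looks ready"]:
        print("-", finding)
```

Run it against the real file with `check_config(open("/etc/bindplane-agent/config.yaml").read())` on the agent host; on Linux, pass `running_as_root=False` if the collector service runs as an unprivileged user, which is the case the port 1514 note above is about.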

Save the configuration file

  • After editing, save the file:
    • Linux: Press Ctrl+O, then Enter, then Ctrl+X
    • Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

  1. Run the following command:

    sudo systemctl restart observiq-otel-collector
    
  2. Verify the service is running:

    sudo systemctl status observiq-otel-collector
    
  3. Check logs for errors:

    sudo journalctl -u observiq-otel-collector -f
    

To restart the Bindplane agent in Windows:

  1. Choose one of the following options:

    • Command Prompt or PowerShell as administrator:
    net stop observiq-otel-collector && net start observiq-otel-collector
    
    • Services console:
      1. Press Win+R, type services.msc, and press Enter.
      2. Locate observIQ OpenTelemetry Collector.
      3. Right-click and select Restart.
  2. Verify the service is running:

    sc query observiq-otel-collector
    
  3. Check logs for errors:

    type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
    

Configure VitalQIP syslog forwarding

VitalQIP Appliance Manager (AM) version 1.7 and later supports configuring up to 10 remote syslog servers per appliance through the AMS web interface.

Sign in to VitalQIP Appliance Management Software

  1. Open a web browser and navigate to your VitalQIP AMS web interface URL:

    • For non-secure connection: http://<AMS_HOSTNAME>:<PORT>/qip
    • For secure connection: https://<AMS_HOSTNAME>:<PORT>/qip
  2. Enter your VitalQIP administrator credentials and click Login.

Configure remote syslog server for appliances

  1. In the VitalQIP AMS web interface, expand the Appliances section in the left navigation panel.
  2. Select the appliance you want to configure for syslog forwarding (AMS, ESM, or AMM appliance).
  3. Navigate to the appliance configuration settings.
  4. Locate the Remote Logging or Syslog Configuration section.
  5. Click Add to add a new remote syslog server.
  6. Configure the following syslog server parameters:
    • Server Name: Enter a descriptive name (for example, Chronicle-Bindplane)
    • IP Address: Enter the IP address of the Bindplane agent host
    • Port: Enter 514 (or the port configured in your Bindplane agent)
    • Protocol: Select UDP
    • Facility: Select local0 through local7 (or as required by your organization)
    • Severity Level: Select Info or Debug to capture all relevant log events
  7. Click Save or Apply to save the syslog server configuration.
  8. Deploy the configuration to the appliance:
    1. Navigate to the appliance deployment section.
    2. Select the configuration changes.
    3. Click Deploy to push the syslog configuration to the appliance.
  9. Repeat steps 2-8 for each VitalQIP appliance (ESM, AMM) that you want to forward logs from.

Verify syslog forwarding

  1. Generate test activity in VitalQIP:
    • Perform a DNS query
    • Allocate or release a DHCP lease
    • Make an administrative change in the VitalQIP GUI
  2. Check the Bindplane agent logs to verify log reception:
    • Linux: sudo journalctl -u observiq-otel-collector -f
    • Windows: type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
  3. Sign in to the Google SecOps console and verify that VitalQIP logs are appearing in the log search.
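Before an appliance is wired up, it is useful to prove the agent-to-Google SecOps leg on its own by sending one syslog datagram shaped the way VitalQIP sends it (RFC 3164, BSD format, as noted under "Additional configuration notes"). The following is an added example, not code from the VitalQIP or Google SecOps documentation: it builds a correctly framed RFC 3164 message, decodes the PRI header back into facility and severity so the chosen local0..local7 facility can be checked, and sends it over UDP. The hostname, tag and lease text in the sample message are constructed, not captured from an appliance.

```python
"""Build and send a constructed RFC 3164 syslog test message.

Added example (not VitalQIP, Bindplane or Google SecOps code).
"""
import socket
import time

# RFC 3164 numeric codes for the facilities and severities this page mentions.
FACILITY = {f"local{i}": 16 + i for i in range(8)}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_rfc3164(facility, severity, hostname, tag, msg, when=None):
    """Return '<PRI>Mmm dd HH:MM:SS host tag: msg' as laid out in RFC 3164.

    PRI = facility * 8 + severity; the day of month is space-padded to two
    characters, which is what the BSD format requires.
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    t = time.localtime(when)
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    message = f"<{pri}>{ts} {hostname} {tag}: {msg}"
    if len(message.encode("utf-8")) > 1024:
        raise ValueError("RFC 3164 packets are limited to 1024 bytes")
    return message


def parse_pri(message):
    """Decode the leading <PRI> into (facility_code, severity_code)."""
    end = message.index(">")
    pri = int(message[1:end])
    return pri // 8, pri % 8


def send_udp(message, host="127.0.0.1", port=514):
    """Send the message as one UDP datagram; returns the number of bytes sent."""
    data = message.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(data, (host, port))


def loopback_roundtrip(message):
    """Bind a throwaway UDP socket on 127.0.0.1, send the message to it and
    return what arrived; shows the datagram framing without needing the agent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(2)
        port = listener.getsockname()[1]
        send_udp(message, "127.0.0.1", port)
        data, _ = listener.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed dhcpd-style line; "ams01" is a made-up appliance hostname.
    test_msg = build_rfc3164("local0", "info", "ams01", "dhcpd",
                             "DHCPACK on 10.1.2.3 to 00:11:22:33:44:55")
    print(test_msg)
    # Point this at the Bindplane host and the port from listen_address.
    send_udp(test_msg, host="127.0.0.1", port=514)
```

After sending, watch the collector log (the journalctl or collector.log command above) and then search Google SecOps for the log type VITALQIP; a message that reaches the agent but never appears in the console usually points at the exporter settings rather than the network path.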

Additional configuration notes

  • VitalQIP logs include DNS query logs, DHCP lease events, IP address management actions, and audit trails for administrator activities.
  • VitalQIP supports syslog format compliant with RFC 3164 (BSD syslog).
  • For high-volume environments, consider configuring multiple Bindplane agents with load balancing.
  • VitalQIP appliances can be configured to send logs to multiple remote syslog servers simultaneously (up to 10 servers per appliance in AM 1.7+).
  • Ensure network connectivity and firewall rules allow UDP port 514 (or your configured port) from VitalQIP appliances to the Bindplane agent host.

UDM mapping table

Log Field               | UDM                              | Mapping Logic
------------------------|----------------------------------|-----------------------------------------------------------------------------
tty                     | additional.fields                | Merged with labels for terminal (tty), pwd, and subnet
pwd                     | additional.fields                |
subnet                  | additional.fields                |
dhcp_client_ip          | dhcp.ciaddr                      | Set for Delete Lease or Auto Release
req_addr                | dhcp.requested_address           | Value copied directly
dhcp.type               | dhcp.type                        | Set to "RELEASE" for Delete Lease or Auto Release, "ACK" for RenewLease or GrantLease
dhcp_client_ip          | dhcp.yiaddr                      | Renamed for RenewLease or GrantLease
log_msg                 | metadata.description             | Value copied directly
event_type              | metadata.event_type              | Set to event_type if not empty, else "GENERIC_EVENT"
log_source              | network.application_protocol     | Set to "DNS" for named log_source, "DHCP" for dhcpd
dhcp_domain             | principal.administrative_domain  | Value copied directly
log_source              | principal.application            | Set if log_source does not contain / or sudo
dns_server              | principal.ip                     | Value copied directly
log_source              | principal.process.command_line   | Set to log_source if it contains / or sudo, else to cmd
cmd                     | principal.process.command_line   |
pid                     | principal.process.pid            | Value copied directly
user                    | principal.user.userid            | Value copied directly
questions_name          | questions.name                   | Value copied directly
QTYPE                   | questions.type                   | Converted to unsigned integer (uinteger)
client_id               | target.asset_id                  | Set to "id: " + client_id
dhcp_client_hostname    | target.hostname                  | Value copied directly
client_ip_address       | target.ip                        | Merged from client_ip_address (DNS) or dhcp_client_ip (DHCP)
dhcp_client_ip          | target.ip                        |
client_mac              | target.mac                       | Value copied directly (after formatting)
client_port             | target.port                      | Converted to integer
metadata.product_name   | metadata.product_name            | Set to "VITALQIP"
metadata.vendor_name    | metadata.vendor_name             | Set to "NOKIA"
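The rules in the mapping table are easier to reason about (and to test detection content against) as code. The function below is an added example, not the Chronicle parser itself: it takes a dict keyed by the "Log Field" names from the table and produces the nested UDM structure the table describes. Two things are assumptions of the example rather than statements from the table: an `action` key (for instance "GrantLease" or "Auto Release") drives the dhcp.type rule, because the table does not name the field that carries the lease action, and "after formatting" for client_mac is taken to mean lowercase, colon-separated. The sample events are constructed.

```python
"""Apply the VitalQIP UDM mapping rules from the table to extracted fields.

Added example; not the Chronicle parser. Input keys follow the table's
"Log Field" column, plus an assumed 'action' key for the lease action.
"""

RELEASE_ACTIONS = {"Delete Lease", "Auto Release"}   # dhcp.type RELEASE, ciaddr
ACK_ACTIONS = {"RenewLease", "GrantLease"}           # dhcp.type ACK, yiaddr

# Fields the table says are copied directly, keyed by the UDM path they land on.
DIRECT_COPIES = {
    "dhcp_domain": "principal.administrative_domain",
    "dns_server": "principal.ip",
    "pid": "principal.process.pid",
    "user": "principal.user.userid",
    "questions_name": "questions.name",
    "dhcp_client_hostname": "target.hostname",
    "req_addr": "dhcp.requested_address",
    "log_msg": "metadata.description",
}


def _set(udm, path, value):
    """Set a dotted UDM path such as 'principal.process.pid' on a nested dict."""
    parts = path.split(".")
    node = udm
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value


def format_mac(mac):
    """Assumed normalisation for 'after formatting': lowercase, colon separators."""
    return mac.lower().replace("-", ":")


def to_udm(f):
    """Map one extracted VitalQIP event (dict of log fields) to a UDM dict."""
    udm = {"metadata": {"product_name": "VITALQIP", "vendor_name": "NOKIA"}}
    _set(udm, "metadata.event_type", f.get("event_type") or "GENERIC_EVENT")

    for field, path in DIRECT_COPIES.items():
        if f.get(field):
            _set(udm, path, f[field])

    # tty, pwd and subnet are merged into additional.fields as labels.
    labels = {k: f[k] for k in ("tty", "pwd", "subnet") if f.get(k)}
    if labels:
        _set(udm, "additional.fields", labels)

    src = f.get("log_source", "")
    if src == "named":
        _set(udm, "network.application_protocol", "DNS")
    elif src == "dhcpd":
        _set(udm, "network.application_protocol", "DHCP")

    # A log_source holding a path or sudo is a command line; otherwise it is
    # the application name and the command line comes from cmd.
    if src and ("/" in src or "sudo" in src):
        _set(udm, "principal.process.command_line", src)
    else:
        if src:
            _set(udm, "principal.application", src)
        if f.get("cmd"):
            _set(udm, "principal.process.command_line", f["cmd"])

    # Lease action decides dhcp.type and which DHCP address field gets the IP.
    action = f.get("action", "")          # assumed field, see lead-in
    dhcp_ip = f.get("dhcp_client_ip")
    if action in RELEASE_ACTIONS:
        _set(udm, "dhcp.type", "RELEASE")
        if dhcp_ip:
            _set(udm, "dhcp.ciaddr", dhcp_ip)
    elif action in ACK_ACTIONS:
        _set(udm, "dhcp.type", "ACK")
        if dhcp_ip:
            _set(udm, "dhcp.yiaddr", dhcp_ip)

    if f.get("QTYPE"):
        _set(udm, "questions.type", abs(int(f["QTYPE"])))   # uinteger
    if f.get("client_port"):
        _set(udm, "target.port", int(f["client_port"]))
    if f.get("client_id"):
        _set(udm, "target.asset_id", "id: " + f["client_id"])
    if f.get("client_mac"):
        _set(udm, "target.mac", format_mac(f["client_mac"]))

    # target.ip is the DNS client address, or the DHCP client address.
    target_ip = f.get("client_ip_address") or dhcp_ip
    if target_ip:
        _set(udm, "target.ip", target_ip)
    return udm


if __name__ == "__main__":
    # Constructed DHCP lease event.
    print(to_udm({"log_source": "dhcpd", "action": "GrantLease",
                  "dhcp_client_ip": "10.1.2.3", "client_mac": "00-11-22-33-44-55",
                  "client_id": "abc123", "log_msg": "GrantLease 10.1.2.3"}))
```

Feeding a handful of representative events through `to_udm` is a quick way to confirm which UDM fields a detection rule can rely on for each event class (DNS query, lease grant, lease release, administrative sudo action) before writing the rule.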
