Collect Delinea PAM logs

Supported in:

This document explains how to ingest Delinea Privileged Access Manager (PAM) logs to Google Security Operations using Bindplane. The Logstash parser code extracts security event data from DELINEA_PAM logs in either SYSLOG or CSV format. It then uses Grok patterns and CSV parsing to structure the data, maps the extracted fields to the Unified Data Model (UDM), and finally outputs the transformed event data.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Windows 2016 or later, or a Linux host with systemd
  • If running behind a proxy, firewall ports are open
  • Privileged access to Delinea Privileged Access Manager

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.

  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet

Linux installation

  1. Open a terminal with root or sudo privileges.

  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh

Additional installation resources

For additional installation options, consult the installation guide.

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

  1. Access the configuration file:
    • Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).

  2. Edit the config.yaml file as follows:

    receivers:
    udplog:
        # Replace the port and IP address as required
        listen_address: "0.0.0.0:514"

exporters:
    chronicle/chronicle_w_labels:
        compression: gzip
        # Adjust the path to the credentials file you downloaded in Step 1
        creds_file_path: '/path/to/ingestion-authentication-file.json'
        # Replace with your actual customer ID from Step 2
        customer_id: <customer_id>
        endpoint: malachiteingestion-pa.googleapis.com
        # Add optional ingestion labels for better organization
        ingestion_labels:
            log_type: 'DELINEA_PAM'
            raw_log_field: body

service:
    pipelines:
        logs/source0__chronicle_w_labels-0:
            receivers:
                - udplog
            exporters:
                - chronicle/chronicle_w_labels

  3. Replace the port and IP address as required in your infrastructure.

  4. Replace <customer_id> with the actual customer ID.

  5. Update /path/to/ingestion-authentication-file.json to the path where the authentication file was saved in the Get Google SecOps ingestion authentication file section.

Restart the Bindplane agent to apply the changes

  • To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart bindplane-agent

  • To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command: 

    net stop BindPlaneAgent && net start BindPlaneAgent

Configure Syslog in Delinea Privilege Manager

  1. Sign in to the Delinea PAM web UI.
  2. Go to Admin > Configuration > Foreign Systems.
  3. Click Create on Syslog Page.
  4. Provide the following configuration details:
    • Name: Enter a descriptive name for the Server.
    • Protocol: Select UDP (you can also select TCP, depending on your Bindplane agent configuration).
    • Host: Enter the Bindplane agent IP address.
    • Port: Enter the Bindplane agent port number. (514 for UDP).
  5. Click Save Changes.

Configure SysLog Server Tasks in Delinea Privilege Manager

  1. Go to Admin > Tasks > expand Server Tasks folder > expand Foreign Systems folder.
  2. Select Syslog.
  3. Click Create.
  4. Template options:
    • Send SysLog Application Action Events: Use this template to send application action events to your SysLog system. Application Action Events contain generic information about the application that run, which policy was triggered, the date and timestamp, computer, and user for example.
    • Send SysLog Application Justification Events: Use this template to send application justification events to your SysLog system. For example, if a user runs an application requiring a justification workflow.
    • Send SysLog Bad Rated Application Action Events: Use this template to send an event to your SysLog system, when an application is being installed or executed, that is identified with a bad security rating.
    • Send SysLog Change History Events: Use this template to send change history events to your SysLog system. When this task runs for the first time, it sends all change history to your SysLog server. On subsequent runs it only sends the delta of new change history events.
    • Send SysLog Events: Use this template to send all SysLog events to your SysLog system. These events are based on the different options you selected on the SysLog server during setup.
    • Send SysLog Newly Discovered File Events: Use this template to send newly discovered file events to your SysLog system. For this to produce any events the Default File Inventory Policy needs to be enabled and resource discovery schedules need to be customized.
    • Send SysLog Password Disclosure Events: Use this template to send all password disclosure events to your SysLog system.
  5. Provide the following configuration details:
    • Template: Select a syslog template (for example, Send Syslog Events to send all the events).
    • Name: Enter a meaningful name for the task (for example, you can enter the same name as the selected template).
    • Event Name: Enter a name for the events.
    • Event Severity: Enter a severity level threshold for the events to be sent.
    • Syslog System: Select the Syslog server foreign system Bindplane agent server you created in the previous step.
  6. Click Create.

UDM mapping table

Log Field UDM Mapping Logic
CEF:0|...|column1 metadata.vendor_name Extracted from the CEF string, specifically the value after the first "
CEF:0|...|column2 metadata.product_name Extracted from the CEF string, specifically the value after the second "
CEF:0|...|column3 metadata.product_version Extracted from the CEF string, specifically the value after the third "
CEF:0|...|column5 metadata.product_event_type Extracted from the CEF string, specifically the value after the fifth "
CEF:0|...|column7 security_result.description Extracted from the CEF string, specifically the value after the seventh "
%{HOSTNAME} principal.hostname Extracted from the log message using the grok pattern "%{HOSTNAME}".
%{TIMESTAMP_ISO8601} metadata.event_timestamp Extracted from the log message using the grok pattern "%{TIMESTAMP_ISO8601}".
metadata.event_type Hardcoded to "STATUS_UPDATE" in the parser code.
metadata.log_type Hardcoded to "DELINEA_PAM" in the parser code.
timestamp timestamp The event timestamp is parsed from the "timestamp" field in the raw log, converting it to a UDM timestamp format.

Need more help? Get answers from Community members and Google SecOps professionals.