Good Day,
I have configured an Ubuntu Server to send auditd and syslog logs using the local BindPlane Agent installed on this same system. When I view the RAW logs in SecOps it's showing odd characters or Unicode.
/h���file�1/var/log/remote/msg/ABr-dev01-gateway/AB_FLOW.log�log�qMar 2 16:06:03 ABr-mtl01-gateway AB_FLOW: AB_FLOW_SESSION_CREATE: session created 10.150.202.52/46768->10.55.182.88/28015 0x0 None 0.0.0.0/0->10.55.182.88/28015 0x0 N/A N/A N/A N/A 6 default-policy-logical-system-00 SL-PUBLIC SID-Workload-OCP-Storage-169-Segment-Zone 12886267255 N/A(N/A) ae1.0 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A���gā�
C�����file�1/var/log/remote/msg/ABr-dev01-gateway/AB_FLOW.log�log�zMar 2 16:05:20 ABr-mtl01-gateway AB_FLOW: AB_FLOW_SESSION_CREATE: session created 10.185.84/32769->10.1.1.245/443 0x0 junos-https 10.55.185.84/32769->10.1.1.245/443 0x0 N/A N/A N/A N/A 6 Allow-ABC-Management-Access-To-External-URLs Management-Public-OCT-Zone SL-PUBLIC 12886678565 N/A(N/A) ae1.787 UNKNOWN UNKNOWN UNKNOWN N/A N/A -1 N/A N/A N/A Off root N/A N/A N/A N/A���gā�
If I check /etc/audit/auditd.conf on the Linux server, log_format = ENRICHED.
I am using the following config.yaml file for the BindPlane agent:
receivers:
  tcplog:
    # Replace the IP and port below with your specific values
    listen_address: "127.0.0.1:5140"

exporters:
  chronicle/chronicle_w_labels:
    compression: gzip
    # Adjust the creds value below according to the placement of the credentials file you downloaded
    creds: '{ INSERT SECOPS CREDS DATA HERE }'
    # Replace <Customer ID> below with the actual ID that you copied
    customer_id: <Customer ID>
    endpoint: malachiteingestion-pa.googleapis.com
    log_type: AUDITD
    namespace: auditd
    # You can apply ingestion labels below as preferred (key: value pairs)
    ingestion_labels: {}
    raw_log_field: body

service:
  pipelines:
    logs/source0__chronicle_w_labels-0:
      receivers:
        - tcplog
      exporters:
        - chronicle/chronicle_w_labels
Is there a setting I am missing here in the config, or could it be something related to the /etc/audit/auditd.conf file?
I would be happy to help. This appears to be an encoding issue. You would typically add an encoding parameter to the tcplog section to specify how the logs were encoded. Something like the following:
encoding: utf-8
You can substitute utf-8 with whichever encoding your logs need. In your case I believe it may be utf-8. Also, you may want to try out BindPlane, as it would make configuring agents a more pleasant experience: these options and more are available in the UI, and managing groups of agents is easier as well.
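Before changing the receiver's encoding it is worth confirming that an encoding mismatch is actually what is arriving on the port, because a stream that is not text under any encoding (binary field markers around each message, for instance) will look just as odd after the setting is changed. The script below is an added example, not code from this thread or from BindPlane; the three payloads it inspects are constructed here (one syslog line from the thread as UTF-8, as UTF-16-LE, and wrapped in made-up binary markers), and the candidate encoding list and scoring thresholds are assumptions. Feed it a chunk captured from the listener (for example with tcpdump or by pointing the forwarder at nc -l) to see which case you have.

```python
"""Check whether data received on a TCP log listener is text under some
encoding, or contains non-text bytes that an `encoding:` setting cannot fix.
Added example; the sample payloads below are constructed, not captured."""

# Encodings a syslog/auditd forwarder is plausibly using (assumption).
# Order matters: on a tie the earlier entry wins, so the likeliest goes first.
CANDIDATE_ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "latin-1")

# One syslog line taken from the thread, used to build the three samples.
SYSLOG_LINE = ("Mar 2 16:06:03 ABr-mtl01-gateway AB_FLOW: AB_FLOW_SESSION_CREATE: "
               "session created 10.150.202.52/46768->10.55.182.88/28015")

# Constructed samples (not real captures):
#   utf8    - the line as plain UTF-8, what a Linux syslog forwarder normally sends
#   utf16le - the same line as UTF-16-LE; decoded as UTF-8 it shows text
#             interleaved with NUL bytes
#   framed  - the line wrapped in made-up binary field/length markers, standing
#             in for a structured binary record sent to a port that expects
#             newline-delimited text
SAMPLES = {
    "utf8": SYSLOG_LINE.encode("utf-8") + b"\n",
    "utf16le": SYSLOG_LINE.encode("utf-16-le") + "\n".encode("utf-16-le"),
    "framed": (b"\x92\xa4file\xd9\x22/var/log/remote/msg/gw/AB_FLOW.log"
               b"\xa3log" + SYSLOG_LINE.encode("utf-8")),
}


def printable_ratio(text: str) -> float:
    """Fraction of decoded characters that are printable (tab/CR/LF allowed)."""
    if not text:
        return 0.0
    good = sum(1 for ch in text if ch.isprintable() or ch in "\t\r\n")
    return good / len(text)


def nontext_bytes(data: bytes) -> list:
    """Offsets and values of bytes outside printable ASCII and whitespace.
    These are the bytes that render as odd characters in a raw log view."""
    return [(i, b) for i, b in enumerate(data)
            if (b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b >= 0x7F]


def diagnose(data: bytes):
    """Try each candidate encoding; return (best_encoding, verdict, scores).
    scores[enc] is the printable ratio, or None if decoding raised an error."""
    scores = {}
    for enc in CANDIDATE_ENCODINGS:
        try:
            scores[enc] = printable_ratio(data.decode(enc))
        except UnicodeDecodeError:
            scores[enc] = None
    decodable = [enc for enc in CANDIDATE_ENCODINGS if scores[enc] is not None]
    best = max(decodable, key=lambda enc: scores[enc])  # latin-1 always decodes
    if scores[best] == 1.0:
        verdict = "clean text; set encoding: %s on the receiver" % best
    else:
        verdict = "non-text bytes under every candidate encoding; check what the sender emits"
    return best, verdict, scores


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        best, verdict, scores = diagnose(data)
        print(f"{name:8s} best={best:9s} {verdict}")
        print("         non-text bytes at offsets:",
              [hex(off) for off, _ in nontext_bytes(data)][:8])
```

The two outcomes call for different fixes: a clean result under one encoding means the receiver's encoding setting is the right knob, while non-text bytes at fixed offsets in every record (as in the third sample) mean the sender is emitting a binary record format and the fix is on the sending side or in the choice of receiver, not in the encoding.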