PowerDMARC Integration
This document outlines the steps for integrating PowerDMARC with BluSapphire Log collection platform.
Pre-requisites:
Before proceeding, request the following details from your client:
• API Address: The URL for Power DMARC's API endpoint.
• API Key/Token: The authentication token required to access the Power DMARC API.
Verify the data using a CURL command (the command must succeed and return JSON before you continue):
curl -X GET '<API Address with full path>' -H 'Authorization: Token <API Token>'
Backend Configuration:
1. Pipeline Configuration
a. Edit the pipelines.yml file located at /opt/lc/conf/collector/gateway-client/pipelines.yml.
b. Add the following configuration snippet to define a new pipeline named proxy-mail-powerdmarc:
pipeline.id: proxy-mail-powerdmarc
pipeline.workers: 4 # Number of worker threads for the pipeline (default: 1)
pipeline.batch.size: 300 # Number of events processed per batch (default: 100)
pipeline.batch.delay: 50 # Delay (in milliseconds) between batches (default: 10)
path.config: "/opt/lc/pipelines/processors/proxy/mail/powerdmarc/*.conf" # Path to processor configuration files
2. Input Configuration
a. Navigate to the directory containing processor configurations:
cd /opt/lc/pipelines/processors/proxy/mail
b. Copy an existing processor directory (e.g., <source_dir>), rename the copy to powerdmarc and change into it:
cp -r <source_dir> powerdmarc
cd powerdmarc
c. Rename the file 01-input-tcp.conf to 01-input-http.conf as Power DMARC uses an HTTP API.
d. Edit 01-input-http.conf with the following content, replacing placeholders with the obtained client details:
input {
  http_poller {
    urls => {
      power_dmarc => {
        method => get
        url => "${POWER_API_URL}"            # API address supplied by the client
        headers => {
          "Authorization" => "${POWER_AUTH_TOKEN}"   # full header value, including the scheme
        }
      }
    }
    request_timeout => 60
    schedule => { cron => "* * * * * UTC" }   # poll once a minute, UTC
    codec => "json"
  }
}
3. Filter Configuration
Edit the file 02-metadata-filter.conf with the following content:
filter {
  mutate { add_field => { "[@metadata][debug]" => "${DEBUG_PROXY_MAIL_POWERDMARC:False}" } }
  mutate { add_field => { "[@metadata][prefix_path]" => "${PREFIX_PATH:logs}" } }
  mutate { add_field => { "[@metadata][log_type]" => "${LOG_PROXY_MAIL_POWERDMARC:proxy-mail-powerdmarc}" } }
  mutate { add_field => { "[@metadata][client_id]" => "${CLIENT_ID}" } }
  mutate { add_field => { "[@metadata][sensor_id]" => "${SENSOR_ID}" } }
}
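The input and filter stages above can be hard to reason about before the pipeline is running, so here is an offline model of them. This is an added example, not BluSapphire or PowerDMARC code: it reproduces Logstash's ${VAR} / ${VAR:default} substitution, builds the same GET request with the Authorization header that http_poller would send, and attaches the five @metadata fields from 02-metadata-filter.conf to each decoded record. The API URL, token, client and sensor ids and the JSON response are all constructed placeholders (the real PowerDMARC response schema is not shown on this page).

```python
"""Offline model of the proxy-mail-powerdmarc input and filter stages.
Added example; all sample data below is constructed."""
from __future__ import annotations

import json
import re
import urllib.request
from typing import Any

# Mirrors Logstash's ${VAR} and ${VAR:default} substitution used in the config files.
_SUB = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")


def substitute(template: str, env: dict[str, str]) -> str:
    """Expand ${VAR} / ${VAR:default}. An unset variable with no default raises
    KeyError, the same condition under which Logstash refuses to load the pipeline."""
    def repl(m: re.Match) -> str:
        name, default = m.group(1), m.group(2)
        if name in env:
            return env[name]
        if default is not None:
            return default
        raise KeyError(f"environment variable {name} is not set and has no default")
    return _SUB.sub(repl, template)


# Field templates exactly as written in 02-metadata-filter.conf.
METADATA_FIELDS = {
    "debug": "${DEBUG_PROXY_MAIL_POWERDMARC:False}",
    "prefix_path": "${PREFIX_PATH:logs}",
    "log_type": "${LOG_PROXY_MAIL_POWERDMARC:proxy-mail-powerdmarc}",
    "client_id": "${CLIENT_ID}",
    "sensor_id": "${SENSOR_ID}",
}


def build_request(env: dict[str, str]) -> urllib.request.Request:
    """The GET request http_poller issues: URL and Authorization header come from
    POWER_API_URL / POWER_AUTH_TOKEN, as in 01-input-http.conf."""
    req = urllib.request.Request(substitute("${POWER_API_URL}", env), method="GET")
    req.add_header("Authorization", substitute("${POWER_AUTH_TOKEN}", env))
    return req


def enrich(payload: str, env: dict[str, str]) -> list[dict[str, Any]]:
    """Decode the body like the json codec (a top-level array becomes one event per
    element, an object a single event) and add the @metadata fields of the filter."""
    body = json.loads(payload)
    records = body if isinstance(body, list) else [body]
    metadata = {key: substitute(tmpl, env) for key, tmpl in METADATA_FIELDS.items()}
    return [{**rec, "@metadata": dict(metadata)} for rec in records]


# Constructed sample response; the field names are illustrative only.
SAMPLE_RESPONSE = json.dumps([
    {"event": "login", "user": "admin@example.com", "ip": "203.0.113.5"},
    {"event": "dmarc_policy_changed", "domain": "example.com", "policy": "reject"},
])

# Constructed environment; URL and token are placeholders, not real values.
SAMPLE_ENV = {
    "POWER_API_URL": "https://api.example.invalid/v1/audit-logs",
    "POWER_AUTH_TOKEN": "Bearer <API Token>",
    "CLIENT_ID": "client-01",
    "SENSOR_ID": "sensor-01",
}


def demo() -> tuple[urllib.request.Request, list[dict[str, Any]]]:
    """Build the request and enrich the sample response; no network call is made."""
    return build_request(SAMPLE_ENV), enrich(SAMPLE_RESPONSE, SAMPLE_ENV)


if __name__ == "__main__":
    req, events = demo()
    print(req.get_method(), req.full_url, "auth header set:", req.has_header("Authorization"))
    for event in events:
        print(json.dumps(event))
```

Running the model with CLIENT_ID or SENSOR_ID removed from the environment raises immediately, which is the practical point: those two variables have no default in the filter, so a missing value in blucluster.conf stops the pipeline from loading rather than producing events with empty metadata.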
4. Blucluster Configuration
a. Edit the main configuration file /opt/lc/conf/blucluster.conf.
b. Set the following environment variables:
• DEBUG_PROXY_MAIL_POWERDMARC=False (or desired value)
• LOG_PROXY_MAIL_POWERDMARC=proxy-mail-powerdmarc
c. Add the following section under a designated area (e.g., PowerDMARC configuration):
#PowerDMARC configuration
POWER_API_URL="https://cn.powerdmarc.com/api/v1/audit-logs"
POWER_AUTH_TOKEN="Bearer <API Token>"
Important: Replace POWER_API_URL and POWER_AUTH_TOKEN with the values obtained from the client.
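Because blucluster.conf now carries a bearer token, it is worth checking the section before restarting the collector. The script below is an added example, not BluSapphire tooling: it parses KEY="value" lines from a conf file, verifies that POWER_API_URL uses https, that POWER_AUTH_TOKEN is set, has no leftover placeholder and carries the Bearer prefix shown above, that LOG_PROXY_MAIL_POWERDMARC matches the pipeline id, and that the file is not readable by group or others. It reports findings only and never returns or prints the token. The sample conf text and token value are constructed; point check_powerdmarc_conf at /opt/lc/conf/blucluster.conf to use it for real.

```python
"""Sanity check for the PowerDMARC section of a blucluster.conf-style file.
Added example, not BluSapphire code; the sample conf below is constructed."""
from __future__ import annotations

import os
import re
import stat
import tempfile
from urllib.parse import urlsplit

# KEY=value or KEY="value", one per line, as in the configuration snippet above.
_ASSIGN = re.compile(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"?([^"\n]*)"?\s*$')


def parse_conf(text: str) -> dict[str, str]:
    """Collect assignments; blank lines and lines starting with '#' are skipped."""
    values: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def check_powerdmarc_conf(path: str) -> list[str]:
    """Return a list of findings; an empty list means the section looks sane."""
    findings: list[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is group/world accessible (mode {mode:04o}) but holds a bearer token")
    with open(path, encoding="utf-8") as fh:
        conf = parse_conf(fh.read())
    url = conf.get("POWER_API_URL", "")
    token = conf.get("POWER_AUTH_TOKEN", "")
    if not url:
        findings.append("POWER_API_URL is not set")
    elif urlsplit(url).scheme != "https":
        findings.append("POWER_API_URL does not use https; the token would be sent in clear text")
    if not token:
        findings.append("POWER_AUTH_TOKEN is not set")
    elif "<" in token or ">" in token:
        findings.append("POWER_AUTH_TOKEN still contains a placeholder")
    elif not token.startswith("Bearer "):
        findings.append("POWER_AUTH_TOKEN lacks the 'Bearer ' prefix used in the configuration snippet")
    if conf.get("LOG_PROXY_MAIL_POWERDMARC", "proxy-mail-powerdmarc") != "proxy-mail-powerdmarc":
        findings.append("LOG_PROXY_MAIL_POWERDMARC does not match the pipeline id proxy-mail-powerdmarc")
    return findings


def write_sample(text: str, mode: int = 0o600) -> str:
    """Write constructed conf text to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


# Constructed sample; the token value is a dummy, not a real credential.
GOOD_CONF = """#PowerDMARC configuration
DEBUG_PROXY_MAIL_POWERDMARC=False
LOG_PROXY_MAIL_POWERDMARC=proxy-mail-powerdmarc
POWER_API_URL="https://cn.powerdmarc.com/api/v1/audit-logs"
POWER_AUTH_TOKEN="Bearer constructed-example-token"
"""


if __name__ == "__main__":
    for label, text, mode in (
        ("good", GOOD_CONF, 0o600),
        ("world-readable", GOOD_CONF, 0o644),
        ("placeholder left in", GOOD_CONF.replace("constructed-example-token", "<API Token>"), 0o600),
    ):
        path = write_sample(text, mode)
        print(label, "->", check_powerdmarc_conf(path) or "no findings")
        os.unlink(path)
```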
5. Restart Service
Restart the Log collector service:
sudo systemctl restart blu_gc.service
6. Verification
• Check the temporary directory (/optllc/te