Google Cloud Platform (GCP)
Create a Log Sink Destination
Create a new project that will house the Log Sink
1. In the Google Cloud console, go to Menu > IAM & Admin > Create a Project.
2. In the Project Name field, enter a descriptive name for your project. We suggest “SolCyber Log Sink”.
3. In the Location field, click Browse to display potential locations for your project. Then, click Select.
4. Click Create. The Google Cloud console navigates to the Dashboard page and your project is created within a few minutes.
5. Please make note of the Project ID. You will need this later.
Create a Service Account to be used in the new project
1. Be sure you are viewing the correct context for the new project you just created.
2. In the Google Cloud console, go to Menu > IAM & Admin > Service Accounts.
3. Click Create service account.

4. In the Service account details section, enter a name for the service account. Click Create and continue.

5. In the Grant this service account access to project section, give the service account the “Pub/Sub Subscriber” role (you can search for “Pub/Sub Subscriber” to find the specific role). Click CONTINUE.

6. Click DONE.

When you are done it should look like this
Generate a Credential file for the Service Account
Once you have created the service account, you will be taken to a page listing all active service accounts (there should only be one since this is a newly created project).
1. Select the service account.
2. Click Keys > Add key > Create new key.

3. Select JSON, then click Create. Your new public/private key pair is generated and downloaded to your machine as a new file. Please store this file in a safe location such as a password vault.
Configure Pub/Sub Topic
1. Navigate to the Pub/Sub Topics list for the project. https://console.cloud.google.com/cloudpubsub/topic/list
2. Click CREATE TOPIC.

3. In the Topic ID field, enter an ID for your topic.
4. Retain the option Add a default subscription.
5. Do not select the other options.
6. Click Create topic.
7. Make note of the Topic Name. You will need this later.
8. Make note of both the Subscription ID and the Subscription name - SolCyber will need these.
Create a new Topic for each type of GCP logs you want to ingest.
Items to provide to SolCyber during the working session
- Log Sink project ID
- Pub/Sub topic subscription ID
- Service account credential file
  - Send this file to SolCyber using a secure method:
    - As an attachment in an ENCRYPTED email.
    - Via https://wormhole.app/
Configuration for GCP AUDIT Logs
Note: These steps need to be completed for every GCP project that you would like to ingest logs from.
- Go to the Cloud Console Page and make a note of the Project ID for which the data needs to be ingested. Select the project.
- Visit the Log Router service by going to Logging > Log router. You can also search for “Log router”.

- Click CREATE SINK.

- In the Sink details panel, enter the following details:

- Sink name: Provide an identifier for the sink; note that after you create the sink, you can’t rename the sink but you can delete it and create a new sink.
- Sink description (optional): Describe the purpose or use case for the sink
- Click CREATE SINK
- In the Sink Destination tab, select Other Resource for Select Sink Service. Enter the Sink Destination, which has the format pubsub.googleapis.com/TOPIC_NAME (the TOPIC_NAME from “Configure Pub/Sub Topic”, Step 7).

Example: pubsub.googleapis.com/projects/securonix-log-sink/topics/gcp-log-sink-securonix
- Click NEXT
- In the Choose logs to include in sink tab, enter the following string AFTER replacing the PROJECT_ID. Use straight double quotes, not typographic ones:
logName=("projects/<PROJECT_ID>/logs/cloudaudit.googleapis.com%2Factivity" OR "projects/<PROJECT_ID>/logs/cloudaudit.googleapis.com%2Fdata_access")
- You can click Preview logs to ensure you have formatted the query correctly.
- Click Create sink
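
Because the audit log sink steps above must be repeated for every source project, they can be scripted with the gcloud CLI. The following is an added example, not SolCyber's or Google's own script: the sink name, project IDs and topic name are constructed placeholders, and the script only prints the commands unless DRY_RUN=0 is set.

```shell
# Added example; SINK_NAME, the project IDs and TOPIC_NAME are constructed placeholders.
SINK_NAME=${SINK_NAME:-audit-to-pubsub}

# Inclusion filter for one source project. Straight quotes only: typographic
# quotes pasted from a document are not string delimiters in a Logging query.
audit_filter() {
  printf 'logName=("projects/%s/logs/cloudaudit.googleapis.com%%2Factivity" OR "projects/%s/logs/cloudaudit.googleapis.com%%2Fdata_access")' "$1" "$1"
}

# Sink destination from the full topic name (projects/<id>/topics/<topic>).
sink_destination() {
  case "$1" in
    projects/*/topics/*) printf 'pubsub.googleapis.com/%s' "$1" ;;
    *) echo "expected projects/<id>/topics/<topic>, got: $1" >&2; return 1 ;;
  esac
}

# Catch an unreplaced <PROJECT_ID> or a display name pasted as an ID.
# Standard IDs: 6-30 chars, lowercase letters, digits, hyphens; starts with a
# letter, does not end with a hyphen. Legacy domain-scoped IDs are not handled.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Create the sink in one source project. Prints the command unless DRY_RUN=0.
create_audit_sink() {  # $1 = source project ID, $2 = full topic name
  valid_project_id "$1" || { echo "bad project ID: $1" >&2; return 1; }
  dest=$(sink_destination "$2") || return 1
  filter=$(audit_filter "$1")
  if [ "${DRY_RUN:-1}" != 0 ]; then
    printf "gcloud logging sinks create %s %s --project=%s --log-filter='%s'\n" \
      "$SINK_NAME" "$dest" "$1" "$filter"
    return 0
  fi
  gcloud logging sinks create "$SINK_NAME" "$dest" --project="$1" --log-filter="$filter"
  # The CLI does not grant the sink's writer identity publish rights on the
  # topic; bind it explicitly so log entries are actually delivered.
  writer=$(gcloud logging sinks describe "$SINK_NAME" --project="$1" \
    --format='value(writerIdentity)')
  gcloud pubsub topics add-iam-policy-binding "$2" \
    --member="$writer" --role=roles/pubsub.publisher
}

# Constructed sample: two source projects feeding one topic in the sink project.
TOPIC_NAME=projects/log-sink-demo/topics/gcp-audit
for p in app-prod-1234 data-lake-5678; do
  create_audit_sink "$p" "$TOPIC_NAME"
done
```

Review the printed commands first, then rerun with DRY_RUN=0 under an account that can create sinks in each source project and set IAM policy on the topic.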