
Integration with Google Cloud Platform

To integrate your organization's Google Cloud Platform with LogSentinel SIEM, there are two options: pulling logs (LogSentinel reads them using a service account you create) or pushing logs (a GCP log sink delivers them to LogSentinel through Pub/Sub).

Pulling logs from GCP

In order to pull logs, you have to provide LogSentinel with a dedicated service account in your Google Cloud project. That account should have only the permission(s) required to read the logs that you want to feed into LogSentinel SIEM.

  1. Login to the GCP Console
  2. From the dropdown box (on the top) choose the project you want integrated with LogSentinel SIEM.
  3. Enable logging (if not enabled yet) by visiting the Cloud Logging API page
  4. From the menu on the left choose [IAM & Admin] then [Service Accounts] then click on the [+ Create service account] button on the top.
  5. Choose service account name (we suggest using the name "logsentinel-logsviewer") and add an appropriate description (for your own convenience).
  6. Click on [Create] button.
  7. Grant either the "Logs Viewer" (roles/logging.viewer) or the "Private Logs Viewer" (roles/logging.privateLogViewer) role to the service account; reading Data Access audit logs requires the latter. You may grant or revoke this role for any other project, or for your whole organization, through the [IAM & Admin] | [IAM] page, and you may do that later as well.
  8. After clicking [Done] you will be taken to the "Service accounts" page. Find the newly created service, open the 3-dotted context menu on its line and select [Create key]
  9. Choose the suggested key type "JSON" and click [Create].
  10. Use the generated key file to create the GCloud integration in the LogSentinel UI. Once the integration is created, securely delete the key file; you will not need it again. On the "Create integration" page, also enter a comma-separated list of the resource names (i.e. log names) you want to integrate. For example, to monitor the project with ID "api-project-36956931912" the resource name is "projects/api-project-36956931912". The service account must be permitted to read logs from every resource you list; you can test this locally with the gcloud tool by impersonating the service account.
  11. If you ever suspect the key file has been compromised, delete the key, create a new one (steps 8 to 10) and update the integration with the new key file. Keys are managed by editing the service account through [IAM & Admin] | [Service Accounts].

See also Google's documentation page on creating a service account.
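The console steps above, expressed as gcloud commands so they can be repeated across projects and reviewed before running. This is an added example, not code from LogSentinel or Google. It assumes gcloud is installed and authenticated as a principal that can create service accounts and edit IAM policy; PROJECT_ID, the key file path, the key ID and the resource names are placeholders. Set DRY_RUN=1 to print each command instead of executing it. The access check goes slightly beyond the page's projects/... example by accepting all four resource-name kinds that gcloud logging read understands.

```shell
#!/usr/bin/env bash
# Added example, not code from LogSentinel or Google: the pull-integration
# console steps as gcloud commands. Assumptions: gcloud is authenticated as a
# principal that can create service accounts and edit IAM policy; PROJECT_ID,
# key paths/IDs and resource names below are placeholders.
# DRY_RUN=1 prints each command instead of executing it.
set -eu

run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

sa_email_for() {
  echo "logsentinel-logsviewer@$1.iam.gserviceaccount.com"
}

# Steps 3-7: enable the Logging API, create the service account and grant a
# log-reading role. roles/logging.viewer suffices for most logs;
# roles/logging.privateLogViewer is needed for Data Access audit logs.
setup_pull_sa() {
  local project="$1" role="${2:-roles/logging.privateLogViewer}"
  local sa_email
  sa_email=$(sa_email_for "$project")
  run gcloud services enable logging.googleapis.com --project="$project"
  run gcloud iam service-accounts create logsentinel-logsviewer \
      --project="$project" --display-name="LogSentinel SIEM log reader"
  run gcloud projects add-iam-policy-binding "$project" \
      --member="serviceAccount:${sa_email}" --role="$role"
}

# Steps 8-10: create a JSON key for the LogSentinel "Create integration" page.
# The file is a long-lived credential: upload it, then delete the local copy.
create_key() {
  local sa_email="$1" out="${2:-logsentinel-key.json}"
  run gcloud iam service-accounts keys create "$out" --iam-account="$sa_email"
  [ -n "${DRY_RUN:-}" ] || chmod 600 "$out"
}

# Step 10 check: read one entry from each resource you intend to list in the
# LogSentinel UI while impersonating the service account (your own identity
# needs roles/iam.serviceAccountTokenCreator on it). Accepts projects/,
# organizations/, folders/ and billingAccounts/ resource names.
check_read_access() {
  local sa_email="$1" resource flag
  shift
  for resource in "$@"; do
    case "$resource" in
      projects/*)        flag="--project=${resource#projects/}" ;;
      organizations/*)   flag="--organization=${resource#organizations/}" ;;
      folders/*)         flag="--folder=${resource#folders/}" ;;
      billingAccounts/*) flag="--billing-account=${resource#billingAccounts/}" ;;
      *) echo "unsupported resource name: $resource" >&2; return 1 ;;
    esac
    run gcloud logging read --limit=1 "$flag" \
        --impersonate-service-account="$sa_email" --format="value(timestamp)"
  done
}

# Step 11: rotate a key suspected of compromise. Create the replacement first,
# update the integration in LogSentinel, then delete the old key by its ID
# (list IDs with: gcloud iam service-accounts keys list --iam-account=...).
rotate_key() {
  local sa_email="$1" old_key_id="$2" out="${3:-logsentinel-key.json}"
  create_key "$sa_email" "$out"
  run gcloud iam service-accounts keys delete "$old_key_id" \
      --iam-account="$sa_email" --quiet
}

# Usage: PROJECT_ID=my-project ./gcp-pull-setup.sh
if [ -n "${PROJECT_ID:-}" ]; then
  setup_pull_sa "$PROJECT_ID"
  create_key "$(sa_email_for "$PROJECT_ID")"
  check_read_access "$(sa_email_for "$PROJECT_ID")" "projects/${PROJECT_ID}"
fi
```

Run check_read_access with every resource name you plan to enter on the "Create integration" page; a permission error there means LogSentinel will fail on that resource too. The impersonation check uses your own credentials plus token-creator rights on the account, so it needs no key file, which is why the key can be deleted as soon as the integration is created.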

Pushing GCP logs to LogSentinel SIEM

In order to push logs from GCP to LogSentinel SIEM, you need to first create a data source in LogSentinel and then configure a GCP log sink that delivers to it through a Pub/Sub push subscription.

  1. In LogSentinel SIEM go to Sources & Integrations -> Data sources and create a new one named "GCP Logs" (you can choose a different name)
  2. Go to API -> API Credentials and copy the ApplicationID of the GCP source
  3. Login to the GCP Console
  4. Navigate to Logging -> Logs Router
  5. Click on "Create sink"
  6. Specify sink name and description
  7. On the "Sink destination" step choose "Cloud Pub/Sub Topic" and choose to create a new topic
  8. In the last two steps, specify the logs to include or exclude. You can leave both blank to receive all logs and fine-tune the filters later
  9. Navigate to Pub/Sub
  10. Click on the vertical three dots next to your newly created topic and click "Create subscription"
  11. Specify a name for your subscription (e.g. LogSentinel SIEM Subscription)
  12. Specify delivery type "Push" and enter the following URL: https://siem.logsentinel.com/api-external/gcp-pubsub/log/{ApplicationId} where ApplicationId is the ID you copied in step 2.
  13. Optionally enable authentication. LogSentinel SIEM supports it, but it requires additional service account configuration; unauthenticated pushes are accepted as well. Note that without authentication the ApplicationId in the URL is the only thing tying pushes to your data source, so anyone who learns it can submit log entries to that source: treat it as a secret and prefer enabling authentication.
  14. At the bottom, choose "Retry after exponential backoff delay" as the retry policy
  15. Click "Create"
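The GCP side of the push setup (steps 3 to 15) as gcloud commands, so the sink, topic and subscription can be created reproducibly. This is an added example, not code from LogSentinel or Google. It assumes gcloud is authenticated with rights to manage Logging sinks and Pub/Sub in the project; PROJECT_ID, the sink/topic/subscription names and APP_ID (the ApplicationId copied in step 2) are placeholders. Set DRY_RUN=1 to print the commands instead of executing them. One step the console performs silently is made explicit here: the sink's writer identity must be allowed to publish to the topic.

```shell
#!/usr/bin/env bash
# Added example, not code from LogSentinel or Google: steps 3-15 of the push
# integration as gcloud commands. Assumptions: gcloud is authenticated with
# rights to manage Logging sinks and Pub/Sub; PROJECT_ID, sink/topic/
# subscription names and APP_ID (the ApplicationId from step 2) are
# placeholders. DRY_RUN=1 prints commands instead of executing them.
set -eu

run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# Step 12: the push URL. Without push authentication (step 13) the
# ApplicationId is the only thing tying pushes to your data source, so treat
# it like a credential.
push_endpoint() {
  echo "https://siem.logsentinel.com/api-external/gcp-pubsub/log/$1"
}

# Steps 4-8: create the topic and a sink that routes log entries into it.
# No filter exports everything (the page's default); pass a filter such as
# 'logName:"cloudaudit.googleapis.com"' as the fourth argument to narrow it.
create_sink() {
  local project="$1" sink="$2" topic="$3" filter="${4:-}"
  local dest="pubsub.googleapis.com/projects/${project}/topics/${topic}"
  run gcloud pubsub topics create "$topic" --project="$project"
  if [ -n "$filter" ]; then
    run gcloud logging sinks create "$sink" "$dest" \
        --project="$project" --log-filter="$filter"
  else
    run gcloud logging sinks create "$sink" "$dest" --project="$project"
  fi
  # The sink publishes as its own writer identity, which must be allowed to
  # publish to the topic. The console grants this when it creates the topic
  # from the sink wizard; with gcloud you grant it explicitly.
  local writer
  if [ -n "${DRY_RUN:-}" ]; then
    writer="serviceAccount:WRITER_IDENTITY_FROM_SINKS_DESCRIBE"
  else
    writer=$(gcloud logging sinks describe "$sink" --project="$project" \
               --format="value(writerIdentity)")
  fi
  run gcloud pubsub topics add-iam-policy-binding "$topic" \
      --project="$project" --member="$writer" --role="roles/pubsub.publisher"
}

# Steps 9-15: the push subscription with exponential-backoff retries
# (10s minimum, 600s maximum, the console defaults for
# "Retry after exponential backoff delay").
create_push_subscription() {
  local project="$1" topic="$2" sub="$3" app_id="$4"
  run gcloud pubsub subscriptions create "$sub" \
      --project="$project" --topic="$topic" \
      --push-endpoint="$(push_endpoint "$app_id")" \
      --min-retry-delay=10s --max-retry-delay=600s
}

# Usage: PROJECT_ID=my-project APP_ID=<ApplicationId> ./gcp-push-setup.sh
if [ -n "${PROJECT_ID:-}" ] && [ -n "${APP_ID:-}" ]; then
  create_sink "$PROJECT_ID" logsentinel-sink logsentinel-topic
  create_push_subscription "$PROJECT_ID" logsentinel-topic logsentinel-sub "$APP_ID"
fi
```

If a sink is created without the publisher binding, it silently drops entries and reports them only in its error count, so verify the binding before trusting the feed. Because APP_ID ends up in the subscription's push endpoint, anyone who can describe the subscription can read it; keep Pub/Sub viewer rights as narrow as the rest of the project's IAM.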