Skip to content

google_secops.md

Latest commit

 

History

History
76 lines (51 loc) · 3.28 KB

google_secops.md

File metadata and controls

76 lines (51 loc) · 3.28 KB
title Google SecOps Destination
disable_toc false
products
name icon url
Logs
logs
/observability_pipelines/configuration/?tab=logs#pipeline-types

{{< product-availability >}}

Overview

Use Observability Pipelines' Google SecOps destination to send logs to Google SecOps.

The Observability Pipelines Worker uses standard Google authentication methods. See Authentication methods at Google for more information about choosing the authentication method for your use case.

Setup

Set up the Google SecOps destination and its environment variables when you set up a pipeline. The information below is configured in the pipelines UI.

Set up the destination

To set up the Worker's Google SecOps destination:

  1. Enter the identifier for your Google SecOps endpoint URL. If you leave it blank, the default is used.
    • Note: Only enter the identifier for the endpoint URL. Do not enter the actual URL.
  2. Enter the customer ID for your Google SecOps instance.
  3. If you have a credentials JSON file, enter the path to your credentials JSON file. The credentials file must be placed under DD_OP_DATA_DIR/config. Alternatively, you can use the GOOGLE_APPLICATION_CREDENTIALS environment variable to provide the credential path.
  4. Select JSON or Raw encoding in the dropdown menu.
  5. Enter the log type. See template syntax if you want to route logs to different log types based on specific fields in your logs.

Optional buffering

{{% observability_pipelines/destination_buffer %}}

Note: Logs sent to the Google SecOps destination must have ingestion labels. For example, if the logs are from a A10 load balancer, it must have the ingestion label A10_LOAD_BALANCER. See Google Cloud's Support log types with a default parser for a list of available log types and their respective ingestion labels.

Set secrets

{{% observability_pipelines/set_secrets_intro %}}

{{< tabs >}} {{% tab "Secrets Management" %}}

  • Google Chronicle endpoint URL identifier:
    • The default identifier is DESTINATION_GOOGLE_CHRONICLE_UNSTRUCTURED_ENDPOINT_URL.

{{% /tab %}}

{{% tab "Environment Variables" %}}

{{% observability_pipelines/configure_existing_pipelines/destination_env_vars/chronicle %}}

{{% /tab %}} {{< /tabs >}}

How the destination works

Event batching

A batch of events is flushed when one of these parameters is met. See event batching for more information.

Maximum Events Maximum Size (MB) Timeout (seconds)
None 1 15