# Google Chronicle The *Google Chronicle* output plugin lets you ingest security logs into the [Google Chronicle](https://cloud.google.com/security/products/security-operations) service. This connector is designed to send unstructured security logs. ## Google Cloud configuration Fluent Bit streams data into an existing Google Chronicle tenant using a service account that you specify. Before using the Chronicle output plugin, you must: 1. Create a service account. To stream security logs into Google Chronicle, create a [Google Cloud service account](https://docs.cloud.google.com/iam/docs/service-accounts-create) for Fluent Bit: 2. Create a tenant of Google Chronicle. Fluent Bit doesn't create a tenant of Google Chronicle for your security logs, so you must create this ahead of time. 3. Retrieve service account credentials. The Fluent Bit Chronicle output plugin uses a JSON credentials file for authentication credentials. Download the credentials file by following the instructions for [Creating and Managing Service Account Keys](https://docs.cloud.google.com/iam/docs/keys-create-delete). ## Configuration parameters | Key | Description | Default | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | | `customer_id` | The customer ID identifying the Google Chronicle tenant to stream into. | *none* | | `google_service_credentials` | Absolute path to a Google Cloud credentials JSON file. | Value of the environment variable `$GOOGLE_SERVICE_CREDENTIALS` | | `log_key` | By default, the whole log record is sent to Google Chronicle. If you specify a key name with this option, only the value of that key is sent. | *none* | | `log_type` | The log type to parse logs as. Google Chronicle supports parsing for [specific log types only](https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers). | *none* | | `project_id` | The project ID containing the Google Chronicle tenant to stream into. | Value of the `project_id` in the credentials file | | `region` | The GCP region in which to store security logs. Supported regions: `US`, `EU`, `UK`, `ASIA`. Blank is treated as `US`. | *none* | | `service_account_email` | Account email associated with the service. Only available if no credentials file has been provided. | Value of the environment variable `$SERVICE_ACCOUNT_EMAIL` | | `service_account_secret` | Private key content associated with the service account. Only available if no credentials file has been provided. | Value of the environment variable `$SERVICE_ACCOUNT_SECRET` | | `workers` | The number of [workers](https://docs.fluentbit.io/manual/administration/multithreading#outputs) to perform flush operations for this output. | `0` | See Google's [official documentation](https://cloud.google.com/chronicle/docs/reference/ingestion-api) for further details. ## Configuration file If you are using a Google Cloud credentials file, the following configuration will get you started: {% tabs %} {% tab title="fluent-bit.yaml" %} ```yaml pipeline: inputs: - name: dummy tag: dummy outputs: - name: chronicle match: '*' customer_id: my_customer_id log_type: my_super_awesome_type ``` {% endtab %} {% tab title="fluent-bit.conf" %} ``` [INPUT] Name dummy Tag dummy [OUTPUT] Name chronicle Match * Customer_Id my_customer_id Log_Type my_super_awesome_type ``` {% endtab %} {% endtabs %}