# Google Chronicle

The *Google Chronicle* output plugin lets you ingest security logs into the [Google Chronicle](https://cloud.google.com/security/products/security-operations) service. This connector is designed to send unstructured security logs.

## Google Cloud configuration

Fluent Bit streams data into an existing Google Chronicle tenant using a service account that you specify. Before using the Chronicle output plugin, you must:

1. Create a service account.

   To stream security logs into Google Chronicle, create a [Google Cloud service account](https://docs.cloud.google.com/iam/docs/service-accounts-create) for Fluent Bit.
2. Create a tenant of Google Chronicle.

   Fluent Bit doesn't create a tenant of Google Chronicle for your security logs, so you must create this ahead of time.
3. Retrieve service account credentials.

   The Fluent Bit Chronicle output plugin authenticates with a JSON credentials file. Download the credentials file by following the instructions for [Creating and Managing Service Account Keys](https://docs.cloud.google.com/iam/docs/keys-create-delete).
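
A pre-flight check for the key file downloaded in step 3, given here as an added example that is not part of Fluent Bit or its documentation. It verifies that the path is absolute (as `google_service_credentials` requires), that only the owner can access the file, and that the fields the plugin depends on are present. It assumes a POSIX host; the names `check_credentials_file` and `demo` and the sample key contents are constructed for illustration.

```python
import json
import os
import stat
import tempfile

# Key-file fields checked here; project_id is the plugin's default project.
REQUIRED_FIELDS = ("project_id", "client_email", "private_key")


def check_credentials_file(path):
    """Return a list of problems with a service account key file (POSIX)."""
    problems = []
    if not os.path.isabs(path):
        problems.append("path is not absolute")
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"cannot load key file: {exc}"]
    if mode & 0o077:  # the file holds a private key: owner-only access
        problems.append(f"mode {mode:04o} allows group/other access")
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    for field in REQUIRED_FIELDS:
        if not key.get(field):
            problems.append(f"missing or empty field: {field}")
    return problems


def demo():
    """Check a constructed key file at mode 0644, then again at 0600."""
    key = {"type": "service_account", "project_id": "example-project",
           "client_email": "fluent-bit@example-project.iam.gserviceaccount.com",
           "private_key": "constructed-placeholder"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "key.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(key, fh)
        os.chmod(path, 0o644)
        loose = check_credentials_file(path)
        os.chmod(path, 0o600)
        return loose, check_credentials_file(path)


if __name__ == "__main__":
    print(demo())
```

Run `check_credentials_file` against the real key path before starting Fluent Bit; an empty list means the file passed every check.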

## Configuration parameters

| Key                          | Description                                                                                                                                                                                                                          | Default                                                         |
| ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------- |
| `customer_id`                | The customer ID identifying the Google Chronicle tenant to stream into.                                                                                                                                                              | *none*                                                          |
| `google_service_credentials` | Absolute path to a Google Cloud credentials JSON file.                                                                                                                                                                               | Value of the environment variable `$GOOGLE_SERVICE_CREDENTIALS` |
| `label`                      | Add a Chronicle label as a key and value pair. You can set this option multiple times. The label value can be a static string or a [record accessor](/manual/administration/configuring-fluent-bit/classic-mode/record-accessor.md). | *none*                                                          |
| `log_key`                    | By default, the whole log record is sent to Google Chronicle. If you specify a key name with this option, only the value of that key is sent.                                                                                        | *none*                                                          |
| `log_type`                   | The log type to parse logs as. Google Chronicle supports parsing for [specific log types only](https://docs.cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers).                                        | *none*                                                          |
| `namespace`                  | Set the Chronicle namespace for uploaded logs. If `namespace_key` is also set, this value is used when the record accessor doesn't resolve or resolves to an empty value.                                                            | *none*                                                          |
| `namespace_key`              | Record accessor that selects the Chronicle namespace from each record. When records in the same chunk resolve to different namespaces or labels, Fluent Bit sends them in separate Chronicle batches.                                | *none*                                                          |
| `project_id`                 | The project ID containing the Google Chronicle tenant to stream into.                                                                                                                                                                | Value of the `project_id` in the credentials file               |
| `region`                     | The GCP region in which to store security logs. Supported regions: `US`, `EU`, `UK`, `ASIA`. Blank is treated as `US`.                                                                                                               | *none*                                                          |
| `service_account_email`      | Account email associated with the service. Only available if no credentials file has been provided.                                                                                                                                  | Value of the environment variable `$SERVICE_ACCOUNT_EMAIL`      |
| `service_account_secret`     | Private key content associated with the service account. Only available if no credentials file has been provided.                                                                                                                    | Value of the environment variable `$SERVICE_ACCOUNT_SECRET`     |
| `workers`                    | The number of [workers](/manual/administration/multithreading.md#outputs) to perform flush operations for this output.                                                                                                               | `0`                                                             |

See Google's [official documentation](https://cloud.google.com/chronicle/docs/reference/ingestion-api) for further details.

## Configuration file

If you are using a Google Cloud credentials file, the following configuration will get you started:

{% tabs %}
{% tab title="fluent-bit.yaml" %}

```yaml
pipeline:
  inputs:
    - name: dummy
      tag: dummy

  outputs:
    - name: chronicle
      match: '*'
      customer_id: my_customer_id
      log_type: my_super_awesome_type
```

{% endtab %}

{% tab title="fluent-bit.conf" %}

```
[INPUT]
  Name dummy
  Tag  dummy

[OUTPUT]
  Name         chronicle
  Match        *
  Customer_Id  my_customer_id
  Log_Type     my_super_awesome_type
```

{% endtab %}
{% endtabs %}

The following example sets a fallback namespace, resolves the namespace from the record when present, and sends static and record-derived labels with each Chronicle batch:

{% tabs %}
{% tab title="fluent-bit.yaml" %}

```yaml
pipeline:
  inputs:
    - name: dummy
      tag: dummy

  outputs:
    - name: chronicle
      match: '*'
      customer_id: my_customer_id
      log_type: my_super_awesome_type
      namespace: fallback-namespace
      namespace_key: "$tenant_namespace"
      label: "env production"
      label: "cluster_name $cluster['name']"
```

{% endtab %}

{% tab title="fluent-bit.conf" %}

```
[INPUT]
  Name dummy
  Tag  dummy

[OUTPUT]
  Name          chronicle
  Match         *
  Customer_Id   my_customer_id
  Log_Type      my_super_awesome_type
  Namespace     fallback-namespace
  Namespace_Key $tenant_namespace
  Label         env production
  Label         cluster_name $cluster['name']
```

{% endtab %}
{% endtabs %}


