Google Chronicle

The Google Chronicle output plugin lets you ingest security logs into the Google Chronicle service. This connector is designed to send unstructured security logs.

Google Cloud configuration

Fluent Bit streams data into an existing Google Chronicle tenant using a service account that you specify. Before using the Chronicle output plugin, you must:

Create a service account.
To stream security logs into Google Chronicle, create a Google Cloud service account for Fluent Bit:
Create a tenant of Google Chronicle.
Fluent Bit doesn't create a tenant of Google Chronicle for your security logs, so you must create this ahead of time.
Retrieve service account credentials.
The Fluent Bit Chronicle output plugin uses a JSON credentials file for authentication credentials. Download the credentials file by following the instructions for Creating and Managing Service Account Keys.

Configuration parameters

Key

Description

Default

customer_id

The customer ID identifying the Google Chronicle tenant to stream into.

none

google_service_credentials

Absolute path to a Google Cloud credentials JSON file.

Value of the environment variable $GOOGLE_SERVICE_CREDENTIALS

label

Add a Chronicle label as a key and value pair. You can set this option multiple times. The label value can be a static string or a record accessor.

none

log_key

By default, the whole log record is sent to Google Chronicle. If you specify a key name with this option, only the value of that key is sent.

none

log_type

The log type to parse logs as. Google Chronicle supports parsing for specific log types only.

none

namespace

Set the Chronicle namespace for uploaded logs. If namespace_key is also set, this value is used when the record accessor doesn't resolve or resolves to an empty value.

none

namespace_key

Record accessor that selects the Chronicle namespace from each record. When records in the same chunk resolve to different namespaces or labels, Fluent Bit sends them in separate Chronicle batches.

none

project_id

The project ID containing the Google Chronicle tenant to stream into.

Value of the project_id in the credentials file

region

The GCP region in which to store security logs. Supported regions: US, EU, UK, ASIA. Blank is treated as US.

none

service_account_email

Account email associated with the service. Only available if no credentials file has been provided.

Value of the environment variable $SERVICE_ACCOUNT_EMAIL

service_account_secret

Private key content associated with the service account. Only available if no credentials file has been provided.

Value of the environment variable $SERVICE_ACCOUNT_SECRET

workers

The number of workers to perform flush operations for this output.

0

See Google's official documentation for further details.

Configuration file

If you are using a Google Cloud credentials file, the following configuration will get you started:

pipeline:
  inputs:
    - name: dummy
      tag: dummy

  outputs:
    - name: chronicle
      match: '*'
      customer_id: my_customer_id
      log_type: my_super_awesome_type

The following example sets a fallback namespace, resolves the namespace from the record when present, and sends static and record-derived labels with each Chronicle batch:

pipeline:
  inputs:
    - name: dummy
      tag: dummy

  outputs:
    - name: chronicle
      match: '*'
      customer_id: my_customer_id
      log_type: my_super_awesome_type
      namespace: fallback-namespace
      namespace_key: "$tenant_namespace"
      label: "env production"
      label: "cluster_name $cluster['name']"

[INPUT]
  Name dummy
  Tag  dummy

[OUTPUT]
  Name          chronicle
  Match         *
  Customer_Id   my_customer_id
  Log_Type      my_super_awesome_type
  Namespace     fallback-namespace
  Namespace_Key $tenant_namespace
  Label         env production
  Label         cluster_name $cluster['name']

PreviousGraylog Extended Log Format (GELF)NextGoogle Cloud BigQuery

Last updated 11 days ago

Was this helpful?