Google Chronicle

Chronicle
The Chronicle output plugin allows ingesting security logs into Google Chronicle service. This connector is designed to send unstructured security logs.
Google Cloud Configuration
Fluent Bit streams data into an existing Google Chronicle tenant using a service account that you specify. Therefore, before using the Chronicle output plugin, you must create a service account, create a Google Chronicle tenant, authorize the service account to write to the tenant, and provide the service account credentials to Fluent Bit.
Creating a Service Account
To stream security logs into Google Chronicle, the first step is to create a Google Cloud service account for Fluent Bit:
​Creating a Google Cloud Service Account​
Creating a Tenant of Google Chronicle
Fluent Bit does not create a tenant of Google Chronicle for your security logs, so you must create this ahead of time.
Retrieving Service Account Credentials
Fluent Bit's Chronicle output plugin uses a JSON credentials file for authentication credentials. Download the credentials file by following these instructions:
​Creating and Managing Service Account Keys​
Configurations Parameters
Key
Description
default
google_service_credentials
Absolute path to a Google Cloud credentials JSON file.
Value of the environment variable $GOOGLE_SERVICE_CREDENTIALS
service_account_email
Account email associated with the service. Only available if no credentials file has been provided.
Value of environment variable $SERVICE_ACCOUNT_EMAIL
service_account_secret
Private key content associated with the service account. Only available if no credentials file has been provided.
Value of environment variable $SERVICE_ACCOUNT_SECRET
project_id
The project id containing the tenant of Google Chronicle to stream into.
The value of the project_id in the credentials file
customer_id
The customer id to identify the tenant of Google Chronicle to stream into. The value of the customer_id should be specified in the configuration file.
​
log_type
The log type to parse logs as. Google Chronicle supports parsing for specific log types only.
​
region
The GCP region in which to store security logs. Currently, there are several supported regions: US, EU, UK, ASIA. Blank is handled as US.
​
log_key
By default, the whole log record will be sent to Google Chronicle. If you specify a key name with this option, then only the value of that key will be sent to Google Chronicle.
​
See Google's official documentation for further details.
Configuration File
If you are using a Google Cloud Credentials File, the following configuration is enough to get you started:
[INPUT]
    Name  dummy
    Tag   dummy
​
[OUTPUT]
    Name       chronicle
    Match      *
    customer_id my_customer_id
    log_type my_super_awesome_type

Key	Description	default
google_service_credentials	Absolute path to a Google Cloud credentials JSON file.	Value of the environment variable $GOOGLE_SERVICE_CREDENTIALS
service_account_email	Account email associated with the service. Only available if no credentials file has been provided.	Value of environment variable $SERVICE_ACCOUNT_EMAIL
service_account_secret	Private key content associated with the service account. Only available if no credentials file has been provided.	Value of environment variable $SERVICE_ACCOUNT_SECRET
project_id	The project id containing the tenant of Google Chronicle to stream into.	The value of the `project_id` in the credentials file
customer_id	The customer id to identify the tenant of Google Chronicle to stream into. The value of the `customer_id` should be specified in the configuration file.
log_type	The log type to parse logs as. Google Chronicle supports parsing for specific log types only.
region	The GCP region in which to store security logs. Currently, there are several supported regions: `US`, `EU`, `UK`, `ASIA`. Blank is handled as `US`.
log_key	By default, the whole log record will be sent to Google Chronicle. If you specify a key name with this option, then only the value of that key will be sent to Google Chronicle.

GELF

Google Cloud BigQuery

Last modified 8h ago