Question

Tagging GCP Logs From Multiple Projects

  • May 15, 2026
  • 5 replies
  • 62 views

lifeofmorpheus

Hi All,

We have onboarded logs from multiple GCP projects using direct ingestion into SecOps.  However, the GCP projects belong to different business solutions.

The objective is to tag the logs from GCP projects based on the business owner or solutions.

I have read an article suggesting the use of custom ingestion pipelines: "Multi-Tenant Google Cloud log collection with PubSub Push" by Chris Martin (@thatsiemguy) on Medium. As the article confirmed, it's going to incur additional cost.

Please, does anyone know how best to tag logs from multiple GCP projects with the existing ingestion method?

Regards.

5 replies

cmorris
Staff
  • May 15, 2026

You could use Data Processing Pipelines with the Add Fields Processor.
Docs: https://docs.cloud.google.com/chronicle/docs/ingestion/data-processing-pipeline 
Webinar: https://www.youtube.com/watch?v=47PGRaCBuT0

 

Add Fields processor example - update the Condition to look at Project ID and then the Field and Value for the field that will be added to business owner, for example.

Fields added:

 


lifeofmorpheus

Hi @cmorris, thanks for the suggestion. However, we are not using Bindplane in our case. We are ingesting directly from GCP into SecOps. As far as I know, there is no functionality to set any labels before ingestion, which is the reason for my question.

 


cmorris
Staff
  • May 17, 2026


Data Processing Pipelines supports GCP native ingestion - ex. native ingest of GCP Cloud Audit logs with a processor:

This feature added in an OTel library in the SecOps ingestion pipeline. You are no longer limited to transforming on-prem logs coming from Bindplane. Setting up the Bindplane console, even if you are not using it for other logs, may be the easiest way of adding processors to non on-prem sources, but it is also doable through the API:

https://docs.cloud.google.com/chronicle/docs/ingestion/data-processing-pipeline#using_secops_data_pipeline_apis 


lifeofmorpheus

Thanks, @cmorris. However, we are ingesting directly from Google Cloud:

https://docs.cloud.google.com/chronicle/docs/ingestion/default-parsers/ingest-gcp-logs#enable-direct-ingestion

So there is no Bindplane in the architecture at all.

Based on all I have read, there seems not to be a way to include a tag with direct ingestion, unfortunately.


cmorris
Staff
  • May 18, 2026

Understood, but with direct ingestion for GCP logs, this is still possible, but requires the Data Processing Pipeline feature. If you do not want to use Bindplane, you can use the APIs to manage - https://docs.cloud.google.com/chronicle/docs/ingestion/data-processing-pipeline#using_secops_data_pipeline_apis
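
Added example, not part of the thread and not SecOps or Bindplane configuration syntax: before writing per-project conditions for the Add Fields processor, a project-to-owner mapping can be checked offline against exported Cloud Logging entries to find logs that would end up untagged. The mapping, the `unassigned` default, the function names and the sample entries are constructed for illustration.

```python
import re

# Hypothetical mapping: GCP project ID -> business owner tag to add.
OWNER_BY_PROJECT = {"payments-prod-1": "payments", "hr-portal-prod": "people-ops"}
DEFAULT_OWNER = "unassigned"

# Cloud Logging logName: <parent type>/<parent id>/logs/<url-encoded log id>
_LOG_NAME = re.compile(r"^(projects|folders|organizations|billingAccounts)/([^/]+)/logs/")

def project_id(entry):
    """Return the project ID carried by a LogEntry dict, or None if there is none."""
    m = _LOG_NAME.match(entry.get("logName", ""))
    if m and m.group(1) == "projects":
        return m.group(2)
    # Folder/organization/billing-level entries name no project in logName;
    # use the monitored-resource label when it is present.
    labels = (entry.get("resource") or {}).get("labels") or {}
    return labels.get("project_id")

def tag(entry, owners=OWNER_BY_PROJECT):
    """Return (owner, project_id): the value a project-based rule would add."""
    pid = project_id(entry)
    return owners.get(pid, DEFAULT_OWNER), pid

def coverage(entries, owners=OWNER_BY_PROJECT):
    """Count entries per owner and collect project IDs that no rule covers."""
    counts, unmapped = {}, set()
    for e in entries:
        owner, pid = tag(e, owners)
        counts[owner] = counts.get(owner, 0) + 1
        if owner == DEFAULT_OWNER:
            unmapped.add(pid)  # None means the entry carried no project at all
    return counts, unmapped

# Constructed sample entries (not real logs).
SAMPLE = [
    {"logName": "projects/payments-prod-1/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "gce_instance", "labels": {"project_id": "payments-prod-1"}}},
    {"logName": "projects/shared-net-prod/logs/compute.googleapis.com%2Fvpc_flows",
     "resource": {"type": "gce_subnetwork", "labels": {"project_id": "shared-net-prod"}}},
    {"logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "organization", "labels": {"organization_id": "123456789012"}}},
    {"logName": "folders/987654321/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "folder", "labels": {"project_id": "hr-portal-prod"}}},
]

if __name__ == "__main__":
    print(coverage(SAMPLE))
```

Entries reported under `unassigned` are the ones that need either a new mapping or a condition on something other than project ID, such as organization-level audit logs.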