Forwarder Management API

You can use the Google Security Operations Forwarder Management API to do the following programmatically:

Create and manage forwarders.
Create and manage collectors.
Get the file contents for a Google Security Operations forwarder's configuration.(.conf) and authentication (_auth.conf) files.

Forwarders are composed of one or more collectors. Each collector's configuration specifies its ingestion mechanism (for example, File, Kafka, PCAP, Splunk, or Syslog) and log type.

Assuming hardware requirements are met, you can use many collectors on the same forwarder to ingest data from a variety of mechanisms and log types. For example, you can install a forwarder with two syslog collectors listening for PAN_FIREWALL and CISCO_ASA_FIREWALL data on separate ports, respectively.

The API lets you create forwarders and their collectors in your Google Security Operations instance. Once a forwarder is created, you can use the Generate Forwarder Files endpoint to get the file contents (as JSON payload) for a forwarder's configuration (.conf) and authentication (_auth.conf) files. These contents can then be written to their respective .conf files for deployment with the Google Security Operations Forwarder service on a Windows or Linux system.

For Python samples that use the Forwarder Management API, see the GitHub repository.

Create a forwarder and its collector(s)

A forwarder must be created before any of its collectors can be created.

To create a forwarder and its collector(s):

Create a forwarder.
Create a collector for the forwarder.
(Optional) Repeat Step 2 to add more collectors.

How to authenticate with the Google Security Operations API[:#authenticate]

This Google Security Operations API uses the OAuth 2.0 protocol for authentication and authorization. Your application can complete these tasks using either of the following implementations:

Using the Google API Client Library for your computer language.
Directly interfacing with the OAuth 2.0 system using HTTP.

See the reference documentation for the Google Authentication library in Python.

Google Authentication libraries are a subset of the Google API client libraries. See other language implementations.

Getting API authentication credentials

Your Google Security Operations representative will provide you with a Google Developer Service Account Credential to enable the API client to communicate with the API.

You also must provide the Auth Scope when initializing your API client. OAuth 2.0 uses a scope to limit an application's access to an account. When an application requests a scope, the access token issued to the application is limited to the scope granted.

Use the following scope to initialize your Google API client:

https://www.googleapis.com/auth/chronicle-backstory

Python example

The following Python example demonstrates how to use the OAuth2 credentials and HTTP client using google.oauth2 and googleapiclient.

# Imports required for the sample - Google Auth and API Client Library Imports.
# Get these packages from https://pypi.org/project/google-api-python-client/ or run $ pip
# install google-api-python-client from your terminal
from google.oauth2 import service_account
from googleapiclient import _auth

SCOPES = ['https://www.googleapis.com/auth/chronicle-backstory']

# The apikeys-demo.json file contains the customer's OAuth 2 credentials.
# SERVICE_ACCOUNT_FILE is the full path to the apikeys-demo.json file
# ToDo: Replace this with the full path to your OAuth2 credentials
SERVICE_ACCOUNT_FILE = '/customer-keys/apikeys-demo.json'

# Create a credential using Google Developer Service Account Credential and Google Security Operations API
# Scope.
credentials = service_account.Credentials.from_service_account_file(SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Build an HTTP client to make authorized OAuth requests.
http_client = _auth.authorized_http(credentials)

# <your code continues here>

Chronicle API query limits

The Chronicle API enforces limits on the volume of requests that can be made by any one customer against the Google Security Operations platform. If you reach or exceed the query limit, the Chronicle API server returns HTTP 429 (RESOURCE_EXHAUSTED) to the caller. When developing applications for the Chronicle API, Google recommends that you enforce rate limits within your system to avoid resource exhaustion. These limits apply to all of the Chronicle APIs, including the Search, Forwarder Management, and Tooling APIs.

The following limit for the Chronicle Forwarder Management API is being enforced and is measured in queries per second (QPS):

Chronicle API	API Endpoint	Limit
Forwarder Management	Create Forwarder	1 QPS
	Get Forwarder	1 QPS
	List Forwarders	1 QPS
	Update Forwarder	1 QPS
	Delete Forwarder	1 QPS
Collector Management	Create Collector	1 QPS
	Get Collector	1 QPS
	List Collectors	1 QPS
	Update Collector	1 QPS
	Delete Collector	1 QPS

Forwarder API reference

This section describes the endpoints for creating and managing forwarders. For endpoints for creating and managing collectors, see the Collector API reference.

Create Forwarder

Creates a new forwarder in the Google SecOps instance. The new forwarder will include any forwarder configuration values provided in the request body. Configuration values for collectors must be specified using Create Collector after using Create Forwarder.

For certain settings, configuration values that are missing or zero-valued in the request body are set to default values. For details about forwarder fields and values, see Forwarder configuration fields.

Request

POST https://backstory.googleapis.com/v2/forwarders

Request body

{
  "display_name": string,
  "config": {
    object (ForwarderConfig)
  }
}

Body parameters

Field	Type	Required	Description
display_name	string	Required	The name of the forwarder. This name is displayed in the Google SecOps interface.
config	object	Optional	The configuration settings for this forwarder. See Forwarder configuration fields.

Request example

This example shows the required key:value pairs in a Create Forwarder request. If a field isn't specified in the request and has a default value, the default value is applied during forwarder creation. For details about default values, see Forwarder configuration fields.

POST https://backstory.googleapis.com/v2/forwarders
{
  "display_name": "chronicle_forwarder"
}

Response

If the request is successful, the response returns an HTTP status code of 200 (OK).

The response shows the configuration values applied during creation of the forwarder. Default configuration values are applied for certain settings during resource creation if those fields are missing or zero-valued in the request body. For details, see Forwarder configuration fields.

Response fields

In addition to the fields specified in the request and the fields for which default values are applied, the response includes the following generated and output-only fields.

Field	Type	Description
name	string	The resource ID of the forwarder. The format is "forwarders/forwarderID". For example: forwarders/12ab3cd4-56ef-7ghi-j89k-1l23m4nopq56
state	enum	Specifies the current state of the forwarder. Valid values are: ACTIVE: The forwarder is allowed to upload data. SUSPENDED: The forwarder is not allowed to upload data. The default value is ACTIVE.

Field

Type

Description

name

string

The resource ID of the forwarder. The format is "forwarders/forwarderID". For example:

forwarders/12ab3cd4-56ef-7ghi-j89k-1l23m4nopq56

state

enum

Specifies the current state of the forwarder. Valid values are:

ACTIVE: The forwarder is allowed to upload data.
SUSPENDED: The forwarder is not allowed to upload data.

The default value is ACTIVE.

Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56",
  "displayName": "chronicle_forwarder",
  "config": {
    "uploadCompression": "false",
    "serverSettings": {
      "gracefulTimeout": 15,
      "drainTimeout": 10,
      "httpSettings": {
        "port": "8080",
        "host": "0.0.0.0",
        "readTimeout": "3",
        "readHeaderTimeout": "3",
        "writeTimeout": "3",
        "idleTimeout": "3"
        "routeSettings": {
          "availableStatusCode": "204",
          "readyStatusCode": "204",
          "unreadyStatusCode": "503"
        },
      },
    },
  },
  "state": "ACTIVE"
}

Get Forwarder

Returns a forwarder.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}

Request body

Don't include a request body.

Request example

GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56

Response example

{
  "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56",
  "displayName": "chronicle_forwarder",
  "config": {
    "uploadCompression": "false",
    "serverSettings": {
      "gracefulTimeout": 15,
      "drainTimeout": 10,
      "httpSettings": {
        "port": "8080",
        "host": "0.0.0.0",
        "readTimeout": "3",
        "readHeaderTimeout": "3",
        "writeTimeout": "3",
        "idleTimeout": "3"
        "routeSettings": {
          "availableStatusCode": "204",
          "readyStatusCode": "204",
          "unreadyStatusCode": "503"
        },
      },
    },
  },
  "state": "ACTIVE"
}

List Forwarders

Lists all of the forwarders for a Google SecOps instance.

Request

GET https://backstory.googleapis.com/v2/forwarders

Request example

GET https://backstory.googleapis.com/v2/forwarders

Response

Returns a list of forwarders.

Response example

{
  "forwarders": [
    {
      "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56",
      "displayName": "chronicle_forwarder_1",
      "config": {
        "uploadCompression": "false",
        "serverSettings": {
          "gracefulTimeout": 15,
          ...
         },
      },
      "state": "ACTIVE"
    },
    {
      "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde57",
      "displayName": "chronicle_forwarder_2",
      "config": {
        "uploadCompression": "false",
        "serverSettings": {
          "gracefulTimeout": 15,
       ...
       },
      },
      "state": "ACTIVE"
    }
  ]
}

Update Forwarder

You can update a forwarder by using the updateMask URL query parameter to specify the fields to update.

For example, to update the display name, you would use the updateMask query parameter as follows in the patch request:

?updateMask=displayName

The request body should only contain the fields that you wish to update (in their exact locations).

Request

PATCH https://backstory.googleapis.com/v2/forwarders/{forwarderID}?updateMask=<field_1,field_2>

Request body

{
  "display_name": string,
  "config": {
    object (ForwarderConfig)
  },
}

Body parameters

Field	Type	Required	Description
display_name	string	Required	The name of the forwarder. This name is displayed in the Google SecOps interface.
config	object	Optional	The configuration settings for this forwarder. See Forwarder configuration fields.

Request example

This is an example of an Update Forwarder request where the request specifies new values for displayName and adds a Metadata label.

PATCH https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56?updateMask=displayName,config.metadata.labels
{
  "display_name": "UpdatedForwarder",
  "config": {
    "metadata": {
      "labels": [
        {
          "key": "office",
          "value": "corporate",
        }
      ]
    }
  }
}

Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/{forwarderUUID}",
  "displayName": "UpdatedForwarder",
  "config": {
    "uploadCompression": "false",
    "metadata": {
      "labels": [
        {
          "key": "office",
          "value": "corporate"
        }
      ]
    }
  },
  "state": "ACTIVE"
}

Delete Forwarder

Deletes a forwarder.

Request

DELETE https://backstory.googleapis.com/v2/forwarders/{forwarderID}

Request body

Don't include a request body.

Request example

DELETE https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56

Response example

If the operation is successful, Delete Forwarder returns an empty response with an HTTP status code 200 (OK).

{}

Generate Forwarder Files

Generates and returns the contents of the forwarder's configuration (.conf) and authentication (_auth.conf) files.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}:generateForwarderFiles

Request body

Don't include a request body.

Request example

GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56:generateForwarderFiles

Response example

If the operation is successful, it returns an HTTP status code 200 (OK). It also returns the contents of a forwarder configuration file, including the configuration data for the forwarder's collectors, as well as the contents of the authentication (_auth.conf) file that is used by the forwarder to authenticate with the Google SecOps instance.

Forwarder configuration fields

The following table lists the forwarder configuration settings that you can specify using Create Forwarder and Update Forwarder. If you don't specify a value for a setting when you use Create Forwarder, the setting's default value (shown below) is applied.

The following fields can be provided in the config object of the request body.

Field	Type	Required	Description
upload_compression	bool	Optional	If `true`, batches of data are compressed before upload. The default is `false`.
metadata.asset_namespace	string	Optional	The namespace for identifying logs from this forwarder. Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level. For more information, see Configure namespaces.
metadata.labels	list	Optional	A list of arbitrary key:value pairs that can be specified in the forwarder configuration. Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level.
metadata.labels.key	string	Optional	The key for a field in the metadata labels list.
metadata.labels.value	string	Optional	The value for a field in the metadata labels list.
regex_filters.description	string	Optional	Describes what is being filtered and why.
regex_filters.regexp	string	Optional	The regular expression used to match against each incoming line.
regex_filters.behavior	enum	Optional	Specifies the state of the server functionality. Valid values are: ALLOW: This state allows the filtered line to be uploaded. BLOCK: This state prevents the filtered line from being uploaded.
server_settings	object	Optional	Settings that configure the forwarder's built-in HTTP server, which can be used to configure load balancing and high availability options for syslog collection on Linux.
server_settings.state	enum	Optional	Specifies the state of the server functionality. Valid values are: ACTIVE: In this state, server settings are applied as specified. SUSPENDED In this state, server settings are not applied.
server_settings.graceful_timeout	integer	Optional	The number of seconds after which the forwarder returns a bad readiness/health check and still accepts new connections. This is also the time to wait between receiving a signal to stop and actually beginning the shutdown of the server itself. This allows the load balancer time to remove the forwarder from the pool. The default value is `15`.
server_settings.drain_timeout	integer	Optional	The number of seconds after which the forwarder waits for active connections to successfully close on their own before being closed by the server. The default value is `10`.
server_settings.http_settings.port	integer	Optional	The port number that the HTTP server listens on for health checks from the load balancer. Must be between 1024-65535. The default is `8080`.
server_settings.http_settings.host	string	Optional	The IP address, or hostname that can be resolved to IP addresses, that the server should listen to. The default value is `0.0.0.0` (the local system).
server_settings.http_settings.read_timeout	integer	Optional	The maximum number of seconds allowed to read entire requests, which includes the header and the body. The default value is `3`.
server_settings.http_settings.read_header_timeout	integer	Optional	The maximum number of seconds allowed to read request headers. The default value is `3`.
server_settings.http_settings.write_timeout	integer	Optional	The maximum number of seconds allowed to send a response. The default value is `3`.
server_settings.http_settings.idle_timeout	integer	Optional	The maximum number of seconds to wait for the next request when idle connections are enabled. The default is `3`.
server_settings.http_settings.route_settings.available_status_code	integer	Optional	The status code returned when a liveness check is received and the forwarder is available. The default is `204`.
server_settings.http_settings.route_settings.ready_status_code	integer	Optional	The status code returned when the forwarder is ready to accept traffic. The default is `204`.
server_settings.http_settings.route_settings.unready_status_code	integer	Optional	The status code returned when the forwarder is not ready to accept traffic. The default is `503`.

Collector API reference

This section describes the endpoints for working with collectors.

When creating and updating collectors, note that each collector configuration can specify ingestion settings for one, but not more than one, of the following:

Log file data
Kafka topics
Packet data (pcap)
Splunk data
Syslog data

For endpoints for working with forwarders, see the Forwarder API reference.

Create Collector

Creates a new collector in the Google SecOps account. Configuration values for collectors must be specified using Create Collector after using Create Forwarder.

For certain settings, configuration values that are missing or zero-valued in the request body are set to default values. For details about collector configuration fields and values, see Collector configuration fields.

Request

POST https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors

Request body

{
  "display_name": string,
  "config": {
    object (CollectorConfig)
  }
  "state": enum
}

Body parameters

Field	Type	Required	Description
display_name	string	Required	The name of the collector. This name is displayed in the Google SecOps interface.
config	object	Required	The configuration settings for this collector. See Collector configuration fields.
state	enum	Optional	Specifies the current state of the collector. Valid values are: ACTIVE: The collector is allowed to accept data. SUSPENDED: The collector is not allowed to accept data.

Field

Type

Required

Description

display_name

string

Required

The name of the collector. This name is displayed in the Google SecOps interface.

config

object

Required

The configuration settings for this collector. See Collector configuration fields.

state

enum

Optional

Specifies the current state of the collector. Valid values are:

ACTIVE: The collector is allowed to accept data.
SUSPENDED: The collector is not allowed to accept data.

Request example

This example shows the required key:value pairs in a Create Collector request. For any fields that aren't provided, default values are applied during collector creation.

In this example, the collector type is file, so the collector configuration includes file_settings to indicate the collector type and its settings. If the collector type is syslog, then the collector configuration includes syslog_settings. For more information, see Collector configuration fields.

POST https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors
{
  "display_name": "abc_collector",
  "config" {
    "log_type": "CS_EDR"
    "file_settings": {
      "file_path": "/opt/chronicle/edr/output/sample.txt",
    }
  }
}

Response

If the request is successful, the response returns an HTTP status code of 200 (OK).

The response shows the configuration values applied during creation of the collector. Default configuration values are applied for certain settings during resource creation if those fields are missing or zero-valued in the request body. For details, see Collector configuration fields.

Response fields

In addition to the fields specified in the request and the fields for which default values are applied, the response includes the following fields:

Field	Type	Description
name	string	The resource ID of the collector. The format is "forwarders/{forwarderID}/collectors/{collectorID}". For example: `forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56`

Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/12ab3cd4-56ef-7ghi-j89k-1l23m4nopq56/collectors/
     98ab7cd6-54ef-3abc-d21e-1f23a4bcde56",
  "displayName": "abc_collector",
  "config": {
    "logType": "tomcat",
    "maxSecondsPerBatch": "10",
    "maxBytesPerBatch": "1048576"
  }
}

Get Collector

Returns a collector.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors/{collectorID}

Request body

Don't include a request body.

Request example

GET
https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56

Response example

{
  "name": "?",
  "displayName": "abc_collector",
  "config": {
    "logType": "tomcat",
    "maxSecondsPerBatch": "10",
    "maxBytesPerBatch": "1048576"
  }
}

List Collectors

Lists the existing collectors for the specified forwarder.

Request

GET https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors

Request example

GET https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors

Response

Returns multiple collectors.

Response example

{
  "collectors": [
    {
      "name": "?",
      "displayName": "abc_collector_1",
      "config": {
        "logType": "tomcat",
        "maxSecondsPerBatch": "10",
        "maxBytesPerBatch": "1048576"
      }
    },
    {
      "name": "?",
      "displayName": "abc_collector_2",
      "config": {
        "logType": "tomcat",
        "maxSecondsPerBatch": "10",
        "maxBytesPerBatch": "1048576"
      }
    }
  ]
}

Update Collector

When updating a collector with the API, you can choose to overwrite the entire collector configuration or to overwrite only specific fields of the collector configuration. It is usually best to overwrite specific fields, so you avoid accidentally overwriting all of your data. To overwrite specific fields, supply a FieldMask to your update request.

To supply a FieldMask to update the display name for a collector, supply the updateMask URL query parameter in the patch request. For example:

?updateMask=displayName

The request body should only contain the fields that you wish to update (in their exact locations).

Request

PATCH https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors/{collectorID}?updateMask=<field_1,field_2>

Request body

{
  "display_name": string,
  "config": {
    object (CollectorConfig)
  },
}

Body parameters

Field	Type	Required	Description
displayName	string	Required	The name of the collector. This name is displayed in the Google SecOps interface.
config	object	Optional	The configuration settings for this forwarder. See Collector configuration fields.

Request example

This is an example of an Update Collector request where the request specifies new values for displayName, logType, assetNamespace, and protocol.

PATCH https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56?updateMask=displayName,config.logType,config.metadata.assetNamespace,config.syslogSettings.protocol
{
  "display_name": "UpdatedCollector"
  "config": {
    "metadata": {
      "asset_namespace": "COLLECTOR",
      },
      "log_type": "CISCO_ASA_FIREWALL",
      "syslog_settings": {
        "protocol": "TCP",
      }
    }
  }

Response example

This is an example of the response returned for the request example above.

{
  "name": "forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56",
  "displayName": "UpdatedCollector",
  "config": {
    "logType": "CISCO_ASA_FIREWALL",
    "metadata": {
      "assetNamespace": "COLLECTOR"
    },
    "maxSecondsPerBatch": 10,
    "maxBytesPerBatch": "1048576",
    "syslogSettings": {
      "protocol": "TCP",
      "address": "0.0.0.0",
      "port": 10514,
    }
  },
  "state": "ACTIVE"
}

Delete Collector

Deletes a collector.

Request

DELETE https://backstory.googleapis.com/v2/forwarders/{forwarderID}/collectors/{collectorID}

Request body

Don't include a request body.

Request example

DELETE https://backstory.googleapis.com/v2/forwarders/12ab3cd4-56ef-7abc-d89e-1f23a4bcde56/collectors/98ab7cd6-54ef-3abc-d21e-1f23a4bcde56

Response example

If the operation is successful, Delete Collector returns an empty response with an HTTP status code 200 (OK).

{}

Collector configuration fields

The following fields can be provided in the config object of the request body.

Field	Type	Required	Description
log_type	string	Required	A supported log type (one that can be ingested by Google SecOps). For a list of supported log types for which Google SecOps has a parser, see the the Ingestion Label column on the Supported default parsers page. To get a complete list of supported log types, use the `logtypes` endpoint.
metadata.asset_namespace	object	Optional	The namespace for identifying logs from this collector. Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level. For more information, see Configure namespaces.
metadata.labels	list	Optional	A list of arbitrary key:value pairs that can be specified in the collector configuration. Note: This is a global setting that applies to the forwarder and the forwarder's collectors, unless it is overridden at the collector level.
metadata.labels.key	string	Optional	The key for a field in the metadata labels list.
metadata.labels.value	string	Optional	The value for a field in the metadata labels list.
regex_filters.description	string	Optional	Describes what is being filtered and why.
regex_filters.regexp	string	Optional	The regular expression used to match against each incoming line.
regex_filters.behavior	enum	Optional	Specifies the state of the server functionality. Valid values are: ALLOW: This state allows the filtered line to be uploaded. BLOCK: This state prevents the filtered line from being uploaded.
disk_buffer.state	enum	Optional	Specifies the disk buffering state for the collector. Valid values are: ACTIVE: Buffering is enabled. SUSPENDED: Buffering is disabled.
disk_buffer.directory_path	string	Optional	The directory path for files written.
disk_buffer.max_file_buffer_bytes	integer	Optional	The maximum buffered file size.
max_seconds_per_batch	integer	Optional	The number of seconds between batches. The default is `10`.
max_bytes_per_batch	integer	Optional	The number of bytes queued before forwarder batch upload. The default is `1048576`.
<collector_type>_settings.<fields>		Required	Specifies a collector type and its settings. Every collector must specify one collector type and its fields. For example, to use the `file` collector type, the `file_settings.file_path` field must be added to the configuration and given a value. For example: `"file_settings": { "file_path": "/opt/chronicle/edr/output/sample.txt", }` The collector types and their fields are listed in the subsequent rows of this table. The available collector types are: `file` `kafka` `pcap` `splunk` `syslog`
file_settings.file_path	string	Optional	The path of the file to monitor.
kafka_settings.authentication.username	string	Optional	The username of an identity used for authentication.
kafka_settings.authentication.password	string	Optional	The password of the account identified by the username.
kafka_settings.topic	string	Optional	The Kafka topic from which to ingest data. For details, see Collect data from Kafka topics.
kafka_settings.group_id	string	Optional	A group ID.
kafka_settings.timeout	integer	Optional	The maximum number of seconds a dial will wait for a connect to complete. The default is `60`.
kafka_settings.brokers	string	Optional	A repeated string listing Kafka brokers. For example: "broker-1:9092", "broker-2:9093" Note: All values are replaced during an update operation. Therefore, to update a list of brokers to add a new broker, specify all existing brokers and the new broker.
kafka_settings.tls_settings.certificate	string	Optional	The path and certificate filename. For example: `/path/to/cert.pem`
kafka_settings.tls_settings.certificate_key	string	Optional	The path and certificate key filename. For example: `/path/to/cert.key`
kafka_settings.tls_settings.minimum_tls_version	string	Optional	The minimum TLS version.
kafka_settings.tls_settings.insecure_skip_verify	bool	Optional	If `true`, enables SSL certification verification. The default is `false`.
pcap_settings.network_interface	string	Optional	The interface to listen to for PCAP data.
pcap_settings.bpf	string	Optional	The Berkeley Packet Filter (BPF) for pcap.
splunk_settings.authentication.username	string	Optional	The username of an identity used for authentication.
splunk_settings.authentication.password	string	Optional	The password of the account identified by the username.
splunk_settings.host	string	Optional	The host or IP address for the Splunk REST API.
splunk_settings.port	integer	Optional	The port for the Splunk REST API.
splunk_settings.minimum_window_size	integer	Optional	The minimum time range in seconds for a given Splunk search. For details, see Collect Splunk data. The default is `10`.
splunk_settings.maximum_window_size	integer	Optional	The maximum time range in seconds for a given Splunk search. For details, see Collect Splunk data. The default is `30`.
splunk_settings.query_string	string	Optional	The query used to filter records within Splunk. For example: `search index=* sourcetype=dns`
splunk_settings.query_mode	string	Optional	The query mode for Splunk. For example: `realtime`
splunk_settings.cert_ignored	bool	Optional	If `true`, the certificate is ignored.
syslog_settings.protocol	enum	Optional	Specifies the protocol the collector will use to listen for syslog data. Valid values are: `TCP` `UDP`
syslog_settings.address	string	Optional	The target IP address or hostname where the collector resides and listens for syslog data.
syslog_settings.port	integer	Optional	The target port where the collector resides and listens for syslog data.
syslog_settings.buffer_size	integer	Optional	The size in bytes of the TCP socket's buffer. The default for TCP is `65536`. The default for UDP is `8192`.
syslog_settings.connecton_timeout	integer	Optional	The number of seconds of inactivity after which the TCP connection is dropped. The default is `60`.
syslog_settings.tls_settings.certificate	string	Optional	The path and certificate filename. For example: `/path/to/cert.pem`
syslog_settings.tls_settings.certificate_key	string	Optional	The path and certificate key filename. For example: `/path/to/cert.key`
syslog_settings.tls_settings.minimum_tls_version	string	Optional	The minimum TLS version.
syslog_settings.tls_settings.insecure_skip_verify	bool	Optional	If `true`, enables SSL certification verification. The default is `false`.