Using Cloud Monitoring for ingestion notifications

This document describes how to use Cloud Monitoring to receive ingestion notifications. Chronicle sends ingestion notifications through Cloud Monitoring, so you can address ingestion issues proactively and route email notifications into your existing workflows. Notifications are triggered when ingestion values cross predefined thresholds. In the Cloud Monitoring documentation, notifications are referred to as alerts.

Before you begin

  • Make sure you are familiar with Cloud Monitoring.

  • Bind Chronicle to a Google Cloud project.

  • Make sure that your Identity and Access Management role includes the permissions in the role roles/monitoring.alertPolicyEditor. For more information about roles, see Access control.

  • Make sure you are familiar with creating alerting policies in Cloud Monitoring. For information about these steps, see Create alerts.

  • Configure the notification channel as email to receive ingestion notifications. For information about these steps, see Manage notification channels.

Set up ingestion notification for health metrics

To set up notifications that monitor ingestion health metrics specific to Chronicle, do the following:

  1. In the Google Cloud console, select Monitoring.

  2. In the navigation pane, select Alerting and then click Create policy.

  3. On the Select a metric page, select Chronicle Collector > Ingestion and then select either Total ingested log count or Total ingested log size. Click Apply.

  4. On the Select a metric page, click Add Filter. In the filter dialog, select the collector_id label, a comparator, and then the filter value.

    • You can use the following filters.

      • project_id: The identifier of the Google Cloud project associated with this resource.

      • location: The physical location of the cluster that contains the collector object.

      • collector_id: The ID of the collector.

      • log_type: The name of the log type.

      • Metric label > namespace: The namespace of the log.

    • You can use any of the following special collector IDs. A collector ID can be a forwarder ID or one of the following special IDs that stands for an ingestion method.

      • aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa: represents all feeds created using the Feed Management API or page. For more information about feed management, see Feed management and Feed management API.

      • bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb: represents all ingestion sources that use the Ingestion API unstructuredlogentries method. For more information about ingestion API, see Chronicle Ingestion API.

      • cccccccc-cccc-cccc-cccc-cccccccccccc: represents all ingestion sources that use the Ingestion API udmevents method.

  5. In the Transform data section, do the following:

    1. Set the Time series aggregation field to sum.
    2. Set the Time series group by field to project_id.
  6. For more information and examples on using multiple conditions within an alert policy, see Policies with multiple conditions.
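The same policy that the console steps above build (sum aggregation, grouped by project_id, filtered on one of the special collector IDs) can be created from a JSON file with gcloud. The script below is an added example and is not part of the original page or of Chronicle's own tooling. The metric type and resource type strings, the sample log type and the notification channel name are assumptions or constructed values; confirm the metric and resource names in Metrics Explorer before using the policy.

```shell
#!/bin/sh
# Added example: build a Cloud Monitoring alert policy for Chronicle ingestion
# health and create it with gcloud. Not code from the original page.

# ASSUMPTION: these are the metric/resource types behind "Chronicle Collector >
# Ingestion > Total ingested log count"; verify them in Metrics Explorer.
METRIC_TYPE="chronicle.googleapis.com/ingestion/log/record_count"
RESOURCE_TYPE="chronicle.googleapis.com/Collector"

# Special collector IDs listed in the page (feeds, unstructuredlogentries, udmevents).
FEED_COLLECTOR_ID="aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
UNSTRUCTURED_API_COLLECTOR_ID="bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
UDM_API_COLLECTOR_ID="cccccccc-cccc-cccc-cccc-cccccccccccc"

# build_filter COLLECTOR_ID [LOG_TYPE]
# Returns the Monitoring filter that selects the ingestion metric for one
# collector ID and, if given, one log type (the same labels the console offers).
build_filter() {
  collector_id="$1"
  log_type="$2"
  f="metric.type=\"$METRIC_TYPE\" AND resource.type=\"$RESOURCE_TYPE\""
  f="$f AND resource.labels.collector_id=\"$collector_id\""
  if [ -n "$log_type" ]; then
    f="$f AND resource.labels.log_type=\"$log_type\""
  fi
  printf '%s' "$f"
}

# write_policy OUT_FILE COLLECTOR_ID LOG_TYPE THRESHOLD CHANNEL
# Writes an alert policy that fires when the log count summed over each
# 10-minute window, grouped by project_id, drops below THRESHOLD.
# evaluationMissingData=ACTIVE makes the condition fire when no points arrive
# at all, which is the case when ingestion stops completely.
write_policy() {
  out="$1"; collector_id="$2"; log_type="$3"; threshold="$4"; channel="$5"
  # Escape the double quotes in the filter so it embeds in JSON.
  filter_json=$(build_filter "$collector_id" "$log_type" | sed 's/"/\\"/g')
  cat > "$out" <<EOF
{
  "displayName": "Chronicle ingestion low: $collector_id",
  "combiner": "OR",
  "conditions": [{
    "displayName": "Ingested log count below $threshold per 10 min",
    "conditionThreshold": {
      "filter": "$filter_json",
      "aggregations": [{
        "alignmentPeriod": "600s",
        "perSeriesAligner": "ALIGN_SUM",
        "crossSeriesReducer": "REDUCE_SUM",
        "groupByFields": ["resource.labels.project_id"]
      }],
      "comparison": "COMPARISON_LT",
      "thresholdValue": $threshold,
      "duration": "600s",
      "trigger": {"count": 1},
      "evaluationMissingData": "EVALUATION_MISSING_DATA_ACTIVE"
    }
  }],
  "notificationChannels": ["$channel"]
}
EOF
}

# Usage: ./ingestion_policy.sh --create
# Creates a policy for all Feed Management feeds with a constructed log type
# and a placeholder notification channel (replace both before running).
if [ "${1:-}" = "--create" ]; then
  POLICY_FILE="chronicle_ingestion_policy.json"
  write_policy "$POLICY_FILE" "$FEED_COLLECTOR_ID" "EXAMPLE_LOG_TYPE" 100 \
    "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"
  gcloud alpha monitoring policies create --policy-from-file="$POLICY_FILE"
fi
```

A threshold condition alone never fires when a collector stops sending data, because there are no points to compare; the evaluationMissingData setting (or a separate metric-absence condition) covers that case, so it is worth checking that the policy behaves as expected by pausing a test feed.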