Receiving events from Cloud Audit Logs

Learn how to deploy a service in Cloud Run for Anthos on Google Cloud and then create and send events to that service from Cloud Audit Logs.

Before you begin

To complete this task, you must have an events broker and know in which namespace it's running. Learn how to configure Events for Cloud Run for Anthos and create an events broker.

If you have an events broker running, you can view the Kubernetes namespace by running:

kubectl get brokers -n NAMESPACE

Deploying a Cloud Run for Anthos on Google Cloud event receiver service

Deploy a Cloud Run for Anthos on Google Cloud service that receives events from the event broker.

  1. Clone the repository:

    Python

    git clone https://github.com/GoogleCloudPlatform/python-docs-samples.git
    cd python-docs-samples/eventarc/audit-storage
    

    Java

    git clone https://github.com/GoogleCloudPlatform/java-docs-samples.git
    cd java-docs-samples/eventarc/audit-storage
    

    Go

    git clone https://github.com/GoogleCloudPlatform/golang-samples.git
    cd golang-samples/eventarc/audit_storage
    

    Node.js

    git clone https://github.com/GoogleCloudPlatform/nodejs-docs-samples.git
    cd nodejs-docs-samples/eventarc/audit-storage
    

    C#

    git clone https://github.com/GoogleCloudPlatform/dotnet-docs-samples.git
    cd dotnet-docs-samples/eventarc/audit-storage
    
  2. Build the container and upload it to Cloud Build:

    gcloud builds submit \
       --tag gcr.io/$(gcloud config get-value project)/CLOUD_RUN_CONTAINER_NAME
    

    where CLOUD_RUN_CONTAINER_NAME is the name you want to give the container image.

  3. Deploy the container image to Cloud Run for Anthos on Google Cloud:

    gcloud run deploy CLOUD_RUN_SERVICE_NAME \
        --namespace=NAMESPACE \
        --image gcr.io/$(gcloud config get-value project)/CLOUD_RUN_CONTAINER_NAME
    

    where NAMESPACE is the same namespace as your events broker.

    When you see the service URL, it has been successfully deployed.

Creating a Cloud Audit Logs trigger

  1. Create a trigger in the same namespace as your events broker:

    gcloud beta events triggers create TRIGGER_NAME \
       --namespace NAMESPACE \
       --target-service=CLOUD_RUN_SERVICE_NAME \
       --type=google.cloud.audit.log.v1.written \
       --parameters serviceName=pubsub.googleapis.com \
       --parameters methodName=google.pubsub.v1.Publisher.CreateTopic
    

    In this example, the trigger delivers only the Cloud Audit Logs entries whose serviceName is pubsub.googleapis.com and whose methodName is google.pubsub.v1.Publisher.CreateTopic. For more filtering options, see AuditLog formatting.

  2. After 60 seconds, verify that the trigger is working:

    gcloud beta events triggers list \
       --target-service CLOUD_RUN_SERVICE_NAME \
       --namespace NAMESPACE
    

    where NAMESPACE is the same namespace as your events broker.

    The output is similar to the following:

    TRIGGER                EVENT TYPE                          TARGET
    trigger-name           google.cloud.audit.log.v1.written   cloud-run-service
    
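The sample repositories cloned above already contain a receiver service; the following Python code is an added, self-contained illustration (not the sample's own code, and not Google's) of what such a receiver does with the events the trigger created above delivers. It assumes the broker POSTs each event in CloudEvents binary mode (the `ce-type`, `ce-id`, `ce-subject` headers carrying the metadata and the JSON body carrying the audit `LogEntry` with its `protoPayload`), re-checks the same `serviceName` and `methodName` that the trigger filters on before acting on the entry, and returns a 2xx status to acknowledge delivery. The header values and audit log body in `sample_request()` are constructed for this example, not captured from a real project.

```python
import json
import logging
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

# Values the tutorial's trigger filters on; the receiver checks them again
# so that it never acts on an entry the broker was not expected to send.
EXPECTED_TYPE = "google.cloud.audit.log.v1.written"
EXPECTED_SERVICE = "pubsub.googleapis.com"
EXPECTED_METHOD = "google.pubsub.v1.Publisher.CreateTopic"


class EventRejected(ValueError):
    """The request is not an event this service should act on."""


def parse_audit_event(headers, body):
    """Validate a binary-mode CloudEvent whose body is a Cloud Audit Logs entry.

    headers: any mapping of HTTP header name to value (matched case-insensitively)
    body: raw request body bytes (JSON LogEntry carrying a protoPayload)
    Returns the fields worth logging or acting on, or raises EventRejected.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("ce-type") != EXPECTED_TYPE:
        raise EventRejected("unexpected ce-type %r" % h.get("ce-type"))
    try:
        entry = json.loads(body)
    except ValueError as exc:
        raise EventRejected("body is not valid JSON") from exc
    payload = entry.get("protoPayload") or {}
    service, method = payload.get("serviceName"), payload.get("methodName")
    if service != EXPECTED_SERVICE or method != EXPECTED_METHOD:
        raise EventRejected("unexpected %s / %s" % (service, method))
    auth = payload.get("authenticationInfo") or {}
    return {
        "id": h.get("ce-id"),
        "subject": h.get("ce-subject"),
        "resource": payload.get("resourceName"),
        "principal": auth.get("principalEmail"),
        "method": method,
    }


class Receiver(BaseHTTPRequestHandler):
    """Minimal HTTP endpoint the broker POSTs events to."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            event = parse_audit_event(self.headers, body)
        except EventRejected as exc:
            # A 4xx marks the event itself as unacceptable; a 5xx would signal
            # a transient failure and, depending on the broker's delivery
            # policy, lead to the same event being redelivered.
            logging.warning("rejected event %s: %s", self.headers.get("ce-id"), exc)
            self.send_response(400)
            self.end_headers()
            return
        logging.info("%s created %s (event %s)",
                     event["principal"], event["resource"], event["id"])
        self.send_response(204)  # any 2xx acknowledges delivery to the broker
        self.end_headers()


def sample_request():
    """Constructed example of one delivery (hypothetical values, not a capture)."""
    headers = {
        "ce-specversion": "1.0",
        "ce-type": EXPECTED_TYPE,
        "ce-source": "//cloudaudit.googleapis.com/projects/example-project/logs/activity",
        "ce-subject": "pubsub.googleapis.com/projects/example-project/topics/demo-topic",
        "ce-id": "example-event-id-0001",
        "Content-Type": "application/json",
    }
    body = json.dumps({
        "protoPayload": {
            "serviceName": EXPECTED_SERVICE,
            "methodName": EXPECTED_METHOD,
            "resourceName": "projects/example-project/topics/demo-topic",
            "authenticationInfo": {"principalEmail": "someone@example.com"},
        }
    }).encode()
    return headers, body


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(parse_audit_event(*sample_request()))
    # Cloud Run injects the port to listen on through $PORT.
    HTTPServer(("0.0.0.0", int(os.environ.get("PORT", "8080"))), Receiver).serve_forever()
```

Run stand-alone, the script parses the constructed sample delivery and then listens for real ones; deployed as in step 3 above, `kubectl logs` on the service shows one line per topic creation naming the principal and the resource from the audit entry.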

Generating an event

  1. Generate an event by creating a Pub/Sub topic:

    gcloud pubsub topics create TOPIC_NAME
    
  2. Check that the event was received by the Cloud Run service:

    kubectl logs \
       --selector serving.knative.dev/service=CLOUD_RUN_SERVICE_NAME \
       -c user-container \
       -n NAMESPACE \
       --tail=200
    

    where NAMESPACE is the same namespace as your events broker.

    The output is similar to the following:

      [...]
      [2020-09-10 18:51:28 +0000] [1] [INFO] Starting gunicorn 20.0.4
      [2020-09-10 18:51:28 +0000] [1] [INFO] Listening at: http://0.0.0.0:8080 (1)
      [2020-09-10 18:51:28 +0000] [1] [INFO] Using worker: threads
      [2020-09-10 18:51:28 +0000] [7] [INFO] Booting worker with pid: 7
      GCS CloudEvent type: pubsub.googleapis.com/projects/PROJECT_NAME/topics/to-be-deleted
      GCS CloudEvent type: pubsub.googleapis.com/projects/PROJECT_NAME/topics/to-be-deleted2
      [...]
    

Clean up

Delete the resources created in this tutorial to avoid recurring charges.

  1. To delete the trigger, type:

    gcloud beta events triggers delete TRIGGER_NAME \
        --namespace NAMESPACE
    

    where NAMESPACE is the same namespace as your events broker.

  2. Delete the Pub/Sub topic:

    gcloud pubsub topics delete TOPIC_NAME