Ingesting GCP Logs in to Chronicle

This page shows how to enable and disable the ingestion of your GCP logs into Chronicle. Chronicle enables you to store, search and examine the aggregated security information for your enterprise going back for months or longer.

Before you begin

Before you can ingest your GCP logs into your Chronicle account, you must complete the following steps:

  1. Contact your Chronicle representative and obtain the one-time access code you need to ingest your GCP logs.
  2. Grant the IAM roles required for you to access the Chronicle section:
    • Chronicle Service Admin IAM role for performing all activities.
    • Chronicle Service Viewer IAM role to only view the state of ingestion.

Granting IAM Roles

You can grant the required IAM roles using either the Google Cloud Console or using the gcloud CLI.

To grant IAM roles using Google Cloud console, complete the following steps:

  1. Log on to the GCP Organization you want to connect to and navigate to the IAM screen using Products > IAM & Admin > IAM.
  2. From the IAM screen, select the user and click Edit Member.

  3. In the Edit Permissions screen, click Add Another Role and search for Chronicle to find the IAM roles.

  4. Once you have assigned the roles, click Save.

To grant IAM roles using the gCloud command-line tool, complete the following steps:

  1. Ensure you are logged into the correct organization. Verify this by running the gcloud init command.
  2. To grant the admin IAM role from the gCloud tool, run the following command:

    $ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> --member user:<USER_EMAIL> --role roles/chroniclesm.admin

  3. To grant the viewer IAM role from the gCloud tool, run the following command:

    $ gcloud organizations add-iam-policy-binding <ORGANIZATION_ID> --member user:<USER_EMAIL> --role roles/chroniclesm.viewer

Enabling GCP Log Ingestion

To enable GCP log ingestion into your Chronicle account, complete the following steps:

  1. Navigate to the Chronicle page for the Google Cloud Console.
    Go to the Chronicle page

  2. Enter your one-time access code in the 1-time Chronicle access code field.

  3. Check the box labeled I consent to the terms and conditions of Chronicle's usage of my Google Cloud data.

  4. Click Connect Chronicle.

    Connect Chronicle page.

Your GCP logs are now going to be sent to Chronicle. You can use Chronicle's analysis features to investigate any security related issues.

Temporarily disabling GCP log ingestion

To temporarily disable GCP log ingestion to your Chronicle account, complete the following steps:

  1. Under Google Cloud Log Ingest, select Disabled from the drop down menu.

  2. Click Save.

    GCP log ingest.

  3. You can return at any time and set the drop down menu to Enabled and click Save to restart GCP log ingestion.

Permanently disabling GCP Log Ingestion

  1. Check the box labeled I want to disconnect Chronicle and stop sending Google Cloud Logs into Chronicle.

  2. Click Disconnect Chronicle.

    Disconnect Chronicle.

Types of GCP logs

When you enable GCP log ingestion, the following types of GCP logs can be ingested to your Chronicle account:

Log Type Supported Sub-log Type Supported Additional Information
Cloud DNS logs N/A Logging and monitoring
Cloud audit logs Admin Activity audit logs
System Event audit logs
Cloud Audit Logs

What's next

  • Open your Chronicle account using the customer specific URL provided by your Chronicle representative.
  • Learn more about Chronicle.