Configure Log Collection Using Templates
For your USM Anywhere Sensor to receive logs from your Google Cloud Platform (GCP) environment, you must have: an export sink to define which logs are exported, a topic to receive those logs, and a subscription to deliver those exported logs to the sensor. The easiest way to create and configure all of these disparate pieces is by using the templates AT&T Cybersecurity provides.
Important: Since these templates are deployed using the Deployment Manager, you must ensure that both the user executing the deployment and the service account associated with the Deployment Manager have the required permissions:
- The user executing the deployment must be assigned the role "Deployment Manager Editor" for the project in which they will perform the deployment.
- The service account for the Deployment Manager must have the "Logging Admin" and "Pub/Sub Admin" roles for the project or organization from which you will be exporting logs.
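A pre-deployment check for the two permission requirements above, as an added example that is not part of the AT&T Cybersecurity templates. It reads a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the member names and the sample policy are constructed, and the role IDs are the standard IDs for the role titles named above.

```python
# Role IDs corresponding to the role titles this page requires.
USER_ROLES = {"roles/deploymentmanager.editor"}            # Deployment Manager Editor
SA_ROLES = {"roles/logging.admin", "roles/pubsub.admin"}   # Logging Admin, Pub/Sub Admin


def granted_roles(policy, member):
    """Return the roles bound directly and unconditionally to `member`."""
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue  # a conditional grant may not hold when the deployment runs
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy, user, service_account):
    """Map each principal to the required roles it lacks in this policy."""
    gaps = {
        user: USER_ROLES - granted_roles(policy, user),
        service_account: SA_ROLES - granted_roles(policy, service_account),
    }
    return {member: sorted(roles) for member, roles in gaps.items() if roles}


# Constructed principals and policy (assumptions, not values from this page).
SAMPLE_USER = "user:deployer@example.com"
SAMPLE_SA = "serviceAccount:123456789012@cloudservices.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/deploymentmanager.editor", "members": [SAMPLE_USER]},
        {"role": "roles/logging.admin", "members": [SAMPLE_SA]},
        {   # Pub/Sub Admin is granted only under a time-limited condition.
            "role": "roles/pubsub.admin",
            "members": [SAMPLE_SA],
            "condition": {
                "title": "expired-grant",
                "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
            },
        },
    ]
}

if __name__ == "__main__":
    for member, roles in missing_roles(SAMPLE_POLICY, SAMPLE_USER, SAMPLE_SA).items():
        print(f"{member} is missing: {', '.join(roles)}")
```

The check sees only direct bindings in the single policy it is given, so roles inherited from a folder or organization, granted through a group, or implied by a broader role are reported as missing. When exporting organization logs, run it against the organization's policy as well.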
To configure log collection using templates
- Download the template files from AT&T Cybersecurity:
  - Template: https://storage.googleapis.com/usm-saas-gcp-util/log-export-templates/logExport.py
  - Project Schema: https://storage.googleapis.com/usm-saas-gcp-util/log-export-templates/exportProjectLogs.py.schema
  - Organization Schema: https://storage.googleapis.com/usm-saas-gcp-util/log-export-templates/exportOrganizationsLog.py.schema
- Deployment Name: A name for this deployment
- source_id: The identification (ID) of the project exporting these logs.
Note: See the Log Types Supported by the GCP Sensor table to understand how these log queries are formatted.
You can verify that your topic and subscription have been created by checking the Topics page under Pub/Sub.