Configuring Google Cloud Pub/Sub

Google Cloud Pub/Sub is a fully-managed real-time messaging service that allows you to send and receive messages between independent applications.

We use it to get security events from the Google Cloud instances without creating a special logic to avoid reprocessing events.

In this section, we see how to create a topic, a subscription, and a sink to fully configure Google Cloud Pub/Sub to work with Wazuh.

Create a topic

Every publishing application sends messages to topics. Wazuh will retrieve the logs from this topic.

Create a subscription

Follow the steps below to fill in the Create subscription form:

  1. Fill in the Subscription ID

  2. Select a topic from Select a Cloud Pub/Sub topic

  3. Choose Pull in the Delivery type field

  4. Select the duration of the Message retention duration

  5. Select the duration in days of the Expiration period

You can create as many subscriptions as you wish.

At this point, the Pub/Sub environment is ready to manage the message flow between the publishing and subscribing applications.

Get your credentials

If you do not have credentials yet, follow the steps in the credentials section.

Export logs via sink

Log activities should appear under the Logs Router section. Cloud Audit logs can be published to a Cloud Pub/Sub topic through the sinks. Create a sink and use the topic as a destination.

Follow the steps below to complete the Create logs routing sink form:

  1. Sink details: provide a name and description for logs routing sink

  2. Sink destination: select the sink service type and destination

  3. Choose logs to include in sink: create an inclusion filter to determine which logs are included

  4. Choose logs to filter out to sink: create exclusion filters to determine which logs are excluded

  5. Click the CREATE SINK button.

After you set everything up, you should see activity in the Log Viewer section. Follow the link if you need help setting up Cloud Pub/Sub topic and subscription.