Configure Google Cloud Platform Log Collector
The Alert Logic Google Cloud Platform collector is an AWS-based API Poll (PAWS) log collector that polls logs from Google Cloud Logging, formerly known as Stackdriver. To set it up, you create a Google Cloud service account and download its JSON key, grant the service account permission to read logs, and then complete the configuration in the Alert Logic console.
Google Cloud logs do not carry host metadata and are formatted as JSON. If you want to collect syslogs, you must use the Alert Logic agent so that Alert Logic can process them. For more information about how to install the Alert Logic agent, see Install the Alert Logic Agent for Windows or Install the Alert Logic Agent for Linux.
Collected Google Cloud Platform logs can be found with a keyword search on the Get Started with Search page in the Alert Logic console.
Alert Logic does not recommend forwarding logs to Google Cloud from a Virtual Machine (VM) instance, but if you want to collect logs from a VM, you must install the Google logging agent on it. The Google logging agent sends logs to the VM's parent project by default; you must override this default and send them to another project. To learn more about the Google logging agent, see About the Logging agent.
Create a service account JSON key in Google Cloud Platform
In the Google Cloud Platform console, you must complete a few tasks before logs can be collected from Google Cloud.
To create a service account and download its JSON key:
- In the Google Cloud Platform console, on the side panel, click IAM & admin, and then click Service accounts.
- Click CREATE SERVICE ACCOUNT.
- In the Service account name field, enter a name.
- (Optional) In the Service account description field, enter a description.
- Click CREATE.
- From the Select a role drop-down list, select Logging, and then Private Logs Viewer.
- Click Continue.
- (Optional) Grant user permissions if necessary, and then click DONE.
The Role field authorizes the service account to access resources; you can view and change it later in the Google Cloud Platform console. Private Logs Viewer (roles/logging.privateLogViewer) grants everything Logs Viewer does plus read access to the private logs, that is, Data Access audit logs and Access Transparency logs. Grant it only on the project, folder or organization you will list in the Resource identifiers field, and if you do not need Data Access audit logs, the narrower Logs Viewer role is enough to read the remaining logs. For more information, see granting roles to service accounts.
- Under Actions, click the menu icon for the new service account, and then click Create key.
- Select JSON, and then click Create. A JSON file that contains the private key downloads to your computer. Note its location; you will paste its contents into the Alert Logic console later. Treat this file as a secret: anyone holding it can authenticate as the service account without any further credential.
Configure collection in the Alert Logic console
After you generate your JSON key, you must complete the log configuration process in the Alert Logic console. This configuration is an account-level integration, which means you can configure more than one instance of Google Cloud collection. This capability is useful when more than one instance of the application exists.
To access the Application Registry page, click the menu icon. Click Configure, and then click Application Registry.
To add a new application collection:
- In the Application Registry click the Google Cloud tile, and then click Google Cloud Platform.
- In the Application Name field, enter a name for this Google Cloud collection instance.
- Under Collection Method and Policy, in the Resource identifiers field, enter Google resources from which you want to poll logs. Each element must follow the format <resourceType>/<resourceID> and must be on its own line.
The following resource identifiers are accepted:
- projects/<PROJECT_ID>
- organizations/<ORGANIZATION_ID>
- billingAccounts/<BILLING_ACCOUNT_ID>
- folders/<FOLDER_ID>
- In the Service Account JSON key field, enter the contents of the JSON file that you downloaded previously from generating a key.
- (Optional) In the Filter field, enter one or more logName values to filter logs, with a single logName on each line. If one or more logNames are entered, only logs whose logName matches are polled from the configured resources. If no logName is specified, all logs are polled.
The logName must be formatted correctly to function, for example:
- cloudaudit.googleapis.com%2Factivity
- cloudaudit.googleapis.com/activity
Refer to the Google Cloud Platform guide on log names for examples of correctly formatted logNames.
- (Optional) Enter a Collection Start time in the format 2020-01-01T16:00:00Z. If the Collection Start field is left blank, only logs generated after you configure this collection instance are collected.
The collection start time determines how far back you want Alert Logic to collect logs if data already exists in your account. Alert Logic can only collect logs up to 30 days prior to the date you configured this collection instance.
- Click ADD. Wait a few minutes for the application to create and appear in your application list. Do not click ADD again.
In the Applications List tab, if you configured your application correctly, within approximately 10 minutes you will see Configured next to the application. For more information about how to add instances or manage existing collecting applications, see Manage your configured applications.
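Before you click ADD, the four form values can be checked offline; a truncated key paste or a mistyped resource identifier otherwise only surfaces minutes later as one of the errors under Troubleshooting tips. The following Python script is an added example, not Alert Logic or Google code, and it assumes nothing about the collector's internals: it applies the format rules stated in the steps above (the <resourceType>/<resourceID> form, the two accepted logName spellings, the RFC 3339 Collection Start and its 30-day limit) to constructed sample input, and shows how a logName filter entry maps to the Cloud Logging filter you would use to test the key by hand. The key, project, folder and dates in it are placeholders.

```python
"""Offline pre-flight check for the Alert Logic Google Cloud collector form.
Added example, not Alert Logic or Google code: it applies the format rules on this
page to the form fields before you paste them. SAMPLE_KEY, SAMPLE_NOW and the two
forms at the bottom are constructed test data, not a real key or account."""
from __future__ import annotations

import json
import re
from datetime import datetime, timedelta, timezone

RESOURCE_RE = re.compile(r"^(projects|organizations|billingAccounts|folders)/[A-Za-z0-9._-]+$")
MAX_LOOKBACK = timedelta(days=30)  # the collector reaches back at most 30 days
SAMPLE_NOW = datetime(2020, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

# Shape of a downloaded key file; the PEM body is a placeholder, not key material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBg...placeholder...\n-----END PRIVATE KEY-----\n",
    "client_email": "alertlogic-collector@example-project.iam.gserviceaccount.com",
})


def check_service_account_key(raw: str) -> dict:
    """Confirm the pasted text is a complete service account key. A truncated or
    edited paste fails here with a reason, not later as an opaque invalid_grant."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"JSON does not parse ({exc.msg}); re-copy the whole file") from None
    if not isinstance(data, dict) or data.get("type") != "service_account":
        raise ValueError("not a service account key (type != service_account)")
    for field in ("project_id", "private_key_id", "private_key", "client_email"):
        if not data.get(field):
            raise ValueError(f"key file is missing {field!r}")
    pem = data["private_key"].strip()
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----") and pem.endswith("-----END PRIVATE KEY-----")):
        raise ValueError("private_key is not an intact PEM block")
    return data


def parse_resource_identifiers(text: str) -> list[str]:
    """Resource identifiers field: one <resourceType>/<resourceID> per line."""
    ids = [ln.strip() for ln in text.splitlines() if ln.strip()]
    bad = [i for i in ids if not RESOURCE_RE.match(i)]
    if bad or not ids:
        raise ValueError(f"bad resource identifiers {bad}; expected projects/<ID>, "
                         "organizations/<ID>, billingAccounts/<ID> or folders/<ID>")
    return ids


def normalize_log_names(text: str) -> list[str]:
    """Filter field: accept cloudaudit.googleapis.com/activity or its %2F form. Cloud
    Logging stores the slash in a log id percent-encoded, so %2F is the canonical form."""
    names = []
    for ln in text.splitlines():
        name = ln.strip().replace("/", "%2F")
        if name and name not in names:
            names.append(name)
    return names


def build_logging_filter(resource: str, log_names: list[str]) -> str:
    """Cloud Logging filter selecting the same entries for one resource (usable with
    gcloud logging read to try the key by hand). An empty list means all logs."""
    return " OR ".join(f'logName="{resource}/logs/{n}"' for n in log_names)


def check_collection_start(value: str, now: datetime | None = None) -> datetime | None:
    """Collection Start: RFC 3339 UTC such as 2020-01-01T16:00:00Z; blank means from now."""
    value = value.strip()
    if not value:
        return None
    start = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if start > now:
        raise ValueError("Collection Start is in the future")
    if now - start > MAX_LOOKBACK:
        raise ValueError("Collection Start is more than 30 days back; only 30 days can be collected")
    return start


def preflight(form: dict, now: datetime | None = None) -> list[str]:
    """Run every check and return the problems found; an empty list means ready to ADD."""
    problems = []
    for label, fn, arg in (("Service Account JSON key", check_service_account_key, form.get("key", "")),
                           ("Resource identifiers", parse_resource_identifiers, form.get("resources", "")),
                           ("Collection Start", lambda v: check_collection_start(v, now), form.get("start", ""))):
        try:
            fn(arg)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    return problems


GOOD_FORM = {"key": SAMPLE_KEY, "start": "2020-01-01T16:00:00Z",
             "resources": "projects/example-project\nfolders/123456789012\n",
             "filter": "cloudaudit.googleapis.com%2Factivity\ncloudaudit.googleapis.com/activity\n"}
BAD_FORM = {"key": SAMPLE_KEY[:-40],                 # paste cut off before the end
            "resources": "project/example-project",  # singular: not a valid resource type
            "start": "2019-11-01T00:00:00Z"}         # 75 days before SAMPLE_NOW

if __name__ == "__main__":
    print("good form:", preflight(GOOD_FORM, SAMPLE_NOW) or "no problems")
    print("bad form:", *preflight(BAD_FORM, SAMPLE_NOW), sep="\n  ")
    for res in parse_resource_identifiers(GOOD_FORM["resources"]):
        print(build_logging_filter(res, normalize_log_names(GOOD_FORM["filter"])))
```

Run it with python3 and any file name. The console steps above also have CLI equivalents if you prefer to script them: gcloud iam service-accounts create, gcloud projects add-iam-policy-binding PROJECT_ID --member=serviceAccount:NAME@PROJECT_ID.iam.gserviceaccount.com --role=roles/logging.privateLogViewer, and gcloud iam service-accounts keys create key.json --iam-account=NAME@PROJECT_ID.iam.gserviceaccount.com. To try the key before pasting it, run gcloud auth activate-service-account --key-file=key.json and then gcloud logging read with the filter the script prints, --project=PROJECT_ID and --limit=1; a permission error there is the same problem the collector would report as 401 Access denied. Delete the local key file once its contents are in the Alert Logic console.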
Troubleshooting tips
Here are common errors that can occur when you test the configuration, with suggested troubleshooting steps.
- 401 Access denied: {"error":{"code":401,"message":"Access denied. You are not authorized to read activity records."}}
This message indicates an authentication or authorization error. Check the following:
- Refer to the Create a service account JSON key in Google Cloud Platform section above and verify that the service account exists and holds the Private Logs Viewer role on every resource listed in the Resource identifiers field. A role granted on one project does not cover a different project, folder or organization.
- Confirm that the Service Account JSON key field contains the complete, unmodified contents of the downloaded key file, and that the client_email in that file is the service account you granted the role to.
- 400 Client Error: {"error":"invalid_grant","error_description":"Invalid JWT Signature."}
This message indicates a JWT token error: Google's token endpoint could not verify the signed assertion against a key currently registered on the service account. It usually means the pasted JSON key was truncated or altered, or the key was deleted from the service account after you downloaded it. Re-copy the complete key file, or create a new key, and update the Service Account JSON key field. Refer to Using OAuth 2.0 for Server to Server Applications.