Help Document

Google Cloud Platform

To monitor your Google Cloud Platform, Cloud Security Plus requires a valid service account with the necessary permissions. The solution will use the designated service account to collect logs from your Google Cloud Platform project.

To configure Cloud Security Plus with Google Cloud Platform, please follow the steps below.

Create a service account:

  • Open the service accounts page in the Google Cloud Platform Console.
  • Click on Select to view the list of projects.
  • Select the project to be added to Cloud Security Plus.
  • In the service accounts page, click on +CREATE SERVICE ACCOUNT. Fill in the necessary details and click on Create.
  • Assign this service account the role Pub/Sub → Pub/Sub Editor, so that it has the permissions it needs on the Pub/Sub resources in your project.
  • Click on +CREATE KEY and select JSON key type.
  • Save the JSON file in the machine where Cloud Security Plus is installed.
  • Click on Done.

A service account will be successfully created with the required permissions.

Export logs with Pub/Sub:

  • Click on Menu.
  • Under Stackdriver, click on Logging, and then click on Logs Viewer.
  • Click on CREATE EXPORT. A pop-up titled Edit Export will open.
  • Enter a sink name, select Cloud Pub/Sub as the sink service, and select Create new Cloud Pub/Sub topic as the sink destination.
  • Give the new Cloud Pub/Sub topic a name and click on CREATE.
  • After the successful creation of sink destination, click on Create Sink.

Enable audit logs:

Open the Google Cloud Platform console, select IAM & Admin, scroll down and click on Audit Logs. In the Audit Logs page, click on the check box to the left of the Title to select the services that are available.

In the Log Type tab on the right side of the screen, select all three boxes and click Save.

Create a subscription:

  • Navigate to Pub/Sub → Topics.
  • Create a subscription for a previously created topic by clicking on the topic.
  • Click on +New Subscription. The create a subscription page will open.
  • Enter a Subscription Name.
  • Keep the delivery type as Pull.
  • Keep the subscription expiration as Never expire.
  • Keep the acknowledgement deadline at 600 seconds.
  • The maximum message retention duration should be 7 days. Do not make changes to the remaining fields.
  • Click on Create.

Now, configure Cloud Security Plus with Google Cloud Platform.

To configure Cloud Security Plus, please follow the steps below.

  • In Select Cloud Type, choose Google.
  • In the Display Name field, enter a display name. Make sure it contains no spaces and no special characters other than underscores. This name cannot be changed later.
  • In the Project ID field, enter the Project ID (not the display name shown in the console) of the Google Cloud Platform project you want to configure with Cloud Security Plus.
  • In the Subscription Name field, enter the Subscription Name you had configured in the previous step.
  • In the JSON Path field, give the path of the JSON file downloaded earlier.

Note: The JSON file must be on the same machine where Cloud Security Plus is running.

Example: If your .json file is located in C:\Users\ManageEngine\, then your JSON path is C:\Users\ManageEngine\cloud-security-plus.json

After configuring Cloud Security Plus:

  • Go to Menu → Stackdriver Logging → Exports.
  • Select the Sink you have created before and click on Edit sink.
  • Copy and paste the filter below into the search area.
    resource.type!="container"
    protoPayload.serviceName!="monitoring.googleapis.com"
    protoPayload.serviceName!="logging.googleapis.com"
    protoPayload.serviceName!="cloudbilling.googleapis.com"
    resource.type!="gke_nodepool"
    protoPayload.serviceName!="pubsub.googleapis.com"
    protoPayload.serviceName!="clouderrorreporting.googleapis.com"
    resource.type!="gke_cluster"
    resource.type!="gce_backend_service"
    resource.type!="gce_forwarding_rule"
    resource.type!="gce_target_http_proxy"
    resource.type!="gce_url_map"
    resource.type!="gce_target_pool"
    resource.type!="gce_target_ssl_proxy"
    resource.type!="gce_operation"
    resource.type!="http_load_balancer"
    resource.type!="gce_ssl_certificate"
    protoPayload.serviceName!="k8s.io"

  • Click on Update Sink.

Note: Edit the filter only after configuring Google Cloud Platform with Cloud Security Plus.
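
To see which log entries the sink filter above lets through to the Pub/Sub topic, the following added example (not part of the original help page or the product) evaluates that filter against constructed log entries. It assumes exact string comparison and that `!=` on an absent field counts as a match; `missing_matches=False` models the opposite reading.

```python
import re

# Sink filter from the page; Cloud Logging ANDs newline-separated comparisons.
SINK_FILTER = """
resource.type!="container"
protoPayload.serviceName!="monitoring.googleapis.com"
protoPayload.serviceName!="logging.googleapis.com"
protoPayload.serviceName!="cloudbilling.googleapis.com"
resource.type!="gke_nodepool"
protoPayload.serviceName!="pubsub.googleapis.com"
protoPayload.serviceName!="clouderrorreporting.googleapis.com"
resource.type!="gke_cluster"
resource.type!="gce_backend_service"
resource.type!="gce_forwarding_rule"
resource.type!="gce_target_http_proxy"
resource.type!="gce_url_map"
resource.type!="gce_target_pool"
resource.type!="gce_target_ssl_proxy"
resource.type!="gce_operation"
resource.type!="http_load_balancer"
resource.type!="gce_ssl_certificate"
protoPayload.serviceName!="k8s.io"
"""
CLAUSE = re.compile(r'([\w.]+)!="([^"]*)"')

def lookup(entry, path):
    """Follow a dotted field path through nested dicts; None if absent."""
    for key in path.split("."):
        entry = entry.get(key) if isinstance(entry, dict) else None
    return entry

def excluded_by(entry, missing_matches=True):
    """Return the filter clause that drops `entry`, or None if it is exported.
    Assumption: `!=` on an absent field matches; pass False for the other reading."""
    for clause in SINK_FILTER.split():
        path, value = CLAUSE.fullmatch(clause).groups()
        actual = lookup(entry, path)
        if actual == value or (actual is None and not missing_matches):
            return clause
    return None

# Constructed sample entries, trimmed to the fields the filter inspects.
SAMPLES = {
    "iam_policy_change": {"resource": {"type": "project"}, "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com"}},
    "pubsub_admin": {"resource": {"type": "pubsub_topic"}, "protoPayload": {"serviceName": "pubsub.googleapis.com"}},
    "gke_audit": {"resource": {"type": "k8s_cluster"}, "protoPayload": {"serviceName": "k8s.io"}},
    "vm_syslog": {"resource": {"type": "gce_instance"}, "textPayload": "sshd: session opened"},
}
for name, entry in SAMPLES.items():
    print(f"{name:18} -> {excluded_by(entry) or 'exported'}")
```

Entries that match any excluded resource type or service never reach the subscription that Cloud Security Plus pulls from, so they will not appear in its reports.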