| 1 | +--- |
| 2 | + |
| 3 | +# Chronicle |
| 4 | + |
| 5 | +The Chronicle output plugin allows ingesting security logs into [Google Chronicle](https://chronicle.security/) serivice. This connector is designed to send unstructured style of security logs. |
| 6 | + |
| 7 | +## Google Cloud Configuration |
| 8 | + |
| 9 | +Fluent Bit streams data into an existing Google Chronicle tenant using a service account that you specify. Therefore, before using the Chronicle output plugin, you must create a service account, create a Google Chronicle tenant, authorize the service account to write to the tenant, and provide the service account credentials to Fluent Bit. |
| 10 | + |
| 11 | +### Creating a Service Account |
| 12 | + |
| 13 | +To stream security logs into Google Chronicle, the first step is to create a Google Cloud service account for Fluent Bit: |
| 14 | + |
| 15 | +* [Creating a Google Cloud Service Account](https://cloud.google.com/iam/docs/creating-managing-service-accounts) |
| 16 | + |
| 17 | +### Creating a Tenant of Google Chronicle |
| 18 | + |
| 19 | +Fluent Bit does not create a tenant of Google Chronicle for your secutiry logs, so you must create this ahead of time. |
| 20 | + |
| 21 | +### Retrieving Service Account Credentials |
| 22 | + |
| 23 | +Fluent Bit Chronicle output plugin uses a JSON credentials file for authentication credentials. Download the credentials file by following these instructions: |
| 24 | + |
| 25 | +* [Creating and Managing Service Account Keys](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) |
| 26 | + |
| 27 | +## Configurations Parameters |
| 28 | + |
| 29 | +| Key | Description | default | |
| 30 | +| :--- | :--- | :--- | |
| 31 | +| google\_service\_credentials | Absolute path to a Google Cloud credentials JSON file. | Value of the environment variable _$GOOGLE\_SERVICE\_CREDENTIALS_ | |
| 32 | +| service\_account\_email | Account email associated to the service. Only available if **no credentials file** has been provided. | Value of environment variable _$SERVICE\_ACCOUNT\_EMAIL_ | |
| 33 | +| service\_account\_secret | Private key content associated with the service account. Only available if **no credentials file** has been provided. | Value of environment variable _$SERVICE\_ACCOUNT\_SECRET_ | |
| 34 | +| project\_id | The project id containing the tenant of Google Chronicle to stream into. | The value of the `project_id` in the credentials file | |
| 35 | +| customer\_id | The customer id to identify the tenant of Google Chronicle to stream into. The value of the `customer_id` should be specified in the configuration file. | | |
| 36 | +| log\_type | The log type to handle the request entries. Users must set up the valid log types and here is [the supported log types](https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers). Otherwise, the chronicle service denies to handle the ingested logs. | | |
| 37 | +| region | The GCP region in which to store security logs. Currently, there are several supported regions: `US`, `EU`, `UK`, `ASIA`. Blank is handled as `US`. | | |
| 38 | +| log\_key | By default, the whole log record will be sent to Chronocle. If you specify a key name with this option, then only the value of that key will be sent to Chronicle. | | |
| 39 | + |
| 40 | +See Google's [official documentation](https://cloud.google.com/chronicle/docs/reference/ingestion-api)) for further details. |
| 41 | + |
| 42 | +## Configuration File |
| 43 | + |
| 44 | +If you are using a _Google Cloud Credentials File_, the following configuration is enough to get you started: |
| 45 | + |
| 46 | +```text |
| 47 | +[INPUT] |
| 48 | + Name dummy |
| 49 | + Tag dummy |
| 50 | +
|
| 51 | +[OUTPUT] |
| 52 | + Name chronicle |
| 53 | + Match * |
| 54 | + customer_id my_customer_id |
| 55 | + log_type my_super_awesome_type |
| 56 | +``` |
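Review bot: the sample in the Configuration File section (lines 47-56) only works if `GOOGLE_SERVICE_CREDENTIALS` is already exported, which the prose at line 44 does not say; either set `google_service_credentials /path/to/credentials.json` in the `[OUTPUT]` block or state that the environment variable must point at the downloaded key file, and mention that the key file should be readable only by the Fluent Bit user since it is a long-lived secret. Line 55 uses `log_type my_super_awesome_type`, but line 36 says Chronicle rejects log types that are not on the supported-parsers list, so the example as written will be denied; use a value from that list or mark the line as a placeholder to be replaced. The table also leaves a gap: line 34 says `project_id` defaults to the credentials file, but when `service_account_email`/`service_account_secret` are used instead (lines 32-33) there is no file to read from, so `project_id` must then be set explicitly; say so. `customer_id` (line 35) is required rather than "should be specified", and `region` (line 37) could carry `US` in its default column since blank is treated as `US`. Typos: "serivice" (line 5), "secutiry" (line 19), "Chronocle" (line 38), a doubled `))` after the link on line 40, and "Configurations Parameters" (line 27) should be "Configuration Parameters".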