The Chronicle output plugin allows ingesting security logs into the Google Chronicle service. This connector is designed to send security logs in unstructured (raw) form.
Fluent Bit streams data into an existing Google Chronicle tenant using a service account that you specify. Therefore, before using the Chronicle output plugin, you must create a service account, create a Google Chronicle tenant, authorize the service account to write to the tenant, and provide the service account credentials to Fluent Bit.
To stream security logs into Google Chronicle, the first step is to create a Google Cloud service account for Fluent Bit:
Fluent Bit does not create a Google Chronicle tenant for your security logs, so you must create one ahead of time.
The Fluent Bit Chronicle output plugin uses a JSON credentials file for authentication. Download the credentials file by following these instructions:
Key | Description | Default |
---|---|---|
google_service_credentials | Absolute path to a Google Cloud credentials JSON file. | Value of the environment variable `$GOOGLE_SERVICE_CREDENTIALS` |
service_account_email | Account email associated with the service account. Only available if no credentials file has been provided. | Value of the environment variable `$SERVICE_ACCOUNT_EMAIL` |
service_account_secret | Private key content associated with the service account. Only available if no credentials file has been provided. | Value of the environment variable `$SERVICE_ACCOUNT_SECRET` |
project_id | The project ID containing the Google Chronicle tenant to stream into. | The value of `project_id` in the credentials file |
customer_id | The customer ID that identifies the Google Chronicle tenant to stream into. This value must be set in the configuration file; it has no default. | |
log_type | The log type used to handle the ingested entries. It must be one of the log types supported by Chronicle; otherwise the Chronicle service refuses to handle the ingested logs. | |
region | The GCP region in which to store security logs. Supported regions: `US`, `EU`, `UK`, `ASIA`. Blank is handled as `US`. | |
log_key | By default, the whole log record is sent to Chronicle. If you specify a key name with this option, only the value of that key is sent to Chronicle. | |
See Google's official documentation for further details.
If you are using a Google Cloud credentials file (pointed to by `google_service_credentials` or by the `GOOGLE_SERVICE_CREDENTIALS` environment variable), the following configuration is enough to get you started:
```text
[INPUT]
    Name  dummy
    Tag   dummy

[OUTPUT]
    Name         chronicle
    Match        *
    customer_id  my_customer_id
    log_type     my_super_awesome_type
```
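The option semantics in the table above (credential precedence, the `project_id` default, the `region` default and what `log_key` changes about each record) can be checked offline before a configuration is deployed. The following Python script is an added example, not code from Fluent Bit or its Chronicle plugin: it parses a constructed classic-format configuration like the one above, applies the documented defaults, rejects the combinations the table says are invalid, and shows what is sent for a record with and without `log_key`. The sample configuration, the stand-in credentials JSON and the path `/etc/fluent-bit/chronicle.json` are constructed placeholders; treating the `region` value case-insensitively is this example's own leniency and is not stated by the page.

```python
"""Preflight check for a Fluent Bit chronicle [OUTPUT] section (added example,
not part of Fluent Bit or its Chronicle plugin). Mirrors the documented option
semantics so a configuration can be checked offline before Fluent Bit starts."""
import json
import os

SUPPORTED_REGIONS = {"US", "EU", "UK", "ASIA"}

# Constructed sample: classic-format Fluent Bit config with one chronicle output.
SAMPLE_CONF = """
[INPUT]
    Name   dummy
    Tag    dummy

[OUTPUT]
    Name        chronicle
    Match       *
    customer_id my_customer_id
    log_type    my_super_awesome_type
    log_key     message
    region      EU
"""

# Constructed stand-in for the downloaded credentials JSON (no real key material).
SAMPLE_CREDENTIALS = {"type": "service_account", "project_id": "example-project"}


def parse_sections(conf_text):
    """Parse classic-format text into a list of (SECTION, {key: value}) pairs."""
    sections = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].upper(), {}))
            continue
        if not sections:
            raise ValueError(f"key outside any section: {line!r}")
        parts = line.split(None, 1)  # key and value are separated by whitespace
        # Option names are case-insensitive in Fluent Bit; normalise to lower case.
        sections[-1][1][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return sections


def resolve_chronicle_output(opts, env=None, read_credentials=None):
    """Apply the documented defaults and precedence; return the effective settings.

    env replaces os.environ and read_credentials replaces opening the JSON file,
    so the check can run offline. Raises ValueError for a rejected configuration.
    """
    env = os.environ if env is None else env
    read_credentials = read_credentials or (lambda path: json.load(open(path)))
    effective = {}

    cred_path = opts.get("google_service_credentials") or env.get("GOOGLE_SERVICE_CREDENTIALS")
    if cred_path:
        if "service_account_email" in opts or "service_account_secret" in opts:
            raise ValueError("service_account_* options are only available without a credentials file")
        effective["auth"] = "credentials_file"
        # project_id defaults to the value found in the credentials file.
        effective["project_id"] = opts.get("project_id") or read_credentials(cred_path).get("project_id")
    else:
        email = opts.get("service_account_email") or env.get("SERVICE_ACCOUNT_EMAIL")
        secret = opts.get("service_account_secret") or env.get("SERVICE_ACCOUNT_SECRET")
        if not (email and secret):
            raise ValueError("no credentials file and no service_account_email/secret")
        effective["auth"] = "service_account_secret"
        effective["project_id"] = opts.get("project_id")  # no file to default from

    for required in ("customer_id", "log_type"):
        if not opts.get(required):
            raise ValueError(f"{required} must be set in the configuration file")
        effective[required] = opts[required]

    # Blank is handled as US. Upper-casing the value is this example's leniency (assumption).
    region = opts.get("region", "").strip().upper() or "US"
    if region not in SUPPORTED_REGIONS:
        raise ValueError(f"unsupported region {region!r}; expected one of {sorted(SUPPORTED_REGIONS)}")
    effective["region"] = region
    effective["log_key"] = opts.get("log_key")
    return effective


def select_log_entry(record, log_key=None):
    """What is sent for one record: the whole record, or only record[log_key]."""
    if log_key is None:
        return json.dumps(record, sort_keys=True)
    value = record[log_key]  # KeyError if the record lacks the configured key
    return value if isinstance(value, str) else json.dumps(value, sort_keys=True)


def check_sample():
    """Run the preflight on the constructed sample and return the effective settings."""
    outputs = [body for name, body in parse_sections(SAMPLE_CONF)
               if name == "OUTPUT" and body.get("name") == "chronicle"]
    env = {"GOOGLE_SERVICE_CREDENTIALS": "/etc/fluent-bit/chronicle.json"}  # constructed path
    return resolve_chronicle_output(outputs[0], env=env,
                                    read_credentials=lambda _path: SAMPLE_CREDENTIALS)


if __name__ == "__main__":
    print(json.dumps(check_sample(), indent=2))
    print(select_log_entry({"message": "login failed for root", "host": "h1"}, "message"))
```

Running the script prints the effective settings for the sample (credentials-file authentication, `project_id` taken from the file, region `EU`) and then only the `message` value of the sample record, which is what `log_key message` would make the plugin send instead of the whole JSON record. Dropping `log_key` from the sample configuration makes `select_log_entry` return the full record, and omitting both the credentials file and the `service_account_*` pair makes `resolve_chronicle_output` raise, which is the failure a practitioner would otherwise only discover from Fluent Bit's logs at start-up.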