Before you can add a log source in IBM QRadar, you must create a Pub/Sub Topic and Subscription, create a service account to access the Pub/Sub Subscription, and then populate the Pub/Sub topic with data.
Procedure
1. Create a topic in the Pub/Sub tab on the Google Cloud Platform (https://console.cloud.google.com).
2. Create a subscription.
   Important: The following parameters need specific configuration to work with QRadar:
   - For the Delivery Type parameter, enable the Pull option.
   - To ensure that messages are processed only once, set the Acknowledgement Deadline to 60 seconds, and deselect the Retain acknowledged messages option.
3. Create a service account on the IAM & admin menu.
   Tip: You do not need to make a service account if any of the following conditions apply to you:
   - You already have an account that you want to use.
   - You use GCP Managed Key as the Service Account Type option on your QRadar All-in-One appliance or QRadar Event Collector that collects events from a Google Cloud Platform Compute instance.
   If you use the User Managed Key option for the Service Account Key parameter when you configure a log source in QRadar, you must create a service account key. For more information, see Creating and managing service account keys (https://cloud.google.com/iam/docs/creating-managing-service-account-keys).
4. Assign permissions to your service account.
   Tip: You do not need to assign the permissions for the service account if any of the conditions from step 3 apply to you.
5. Populate the Pub/Sub topic with data by creating a Logging Sink.
   For more information about creating a Logging Sink, see Configure and manage sinks (https://cloud.google.com/logging/docs/export/configure_export_v2).
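A check for the subscription settings listed under "Create a subscription", as an added example that is not part of the IBM documentation: it reads the JSON printed by `gcloud pubsub subscriptions describe NAME --format=json` and reports every setting that differs from what the procedure requires. The project, topic, subscription and endpoint names in the sample inputs are constructed.

```python
import json

REQUIRED_ACK_DEADLINE = 60  # seconds, from the procedure above


def check_subscription(sub):
    """Compare one Pub/Sub subscription resource with the settings QRadar needs.

    Returns a list of findings; an empty list means the settings match.
    """
    findings = []
    # A pull subscription carries no push endpoint and no export configuration.
    if (sub.get("pushConfig") or {}).get("pushEndpoint"):
        findings.append("Delivery Type is Push, expected Pull")
    for key in ("bigqueryConfig", "cloudStorageConfig"):
        if sub.get(key):
            findings.append("Delivery Type is an export (%s), expected Pull" % key)
    deadline = sub.get("ackDeadlineSeconds")
    if deadline != REQUIRED_ACK_DEADLINE:
        findings.append("Acknowledgement Deadline is %r, expected %d"
                        % (deadline, REQUIRED_ACK_DEADLINE))
    # An absent field is treated as off, since false values may be omitted.
    if sub.get("retainAckedMessages", False):
        findings.append("Retain acknowledged messages is enabled, expected off")
    return findings


def check_json(text):
    """Parse `describe --format=json` output and check it."""
    return check_subscription(json.loads(text))


# Constructed sample inputs (all names below are made up for illustration).
GOOD = """{
  "name": "projects/example-project/subscriptions/qradar-sub",
  "topic": "projects/example-project/topics/qradar-topic",
  "pushConfig": {},
  "ackDeadlineSeconds": 60,
  "messageRetentionDuration": "604800s"
}"""
BAD = """{
  "name": "projects/example-project/subscriptions/qradar-sub",
  "topic": "projects/example-project/topics/qradar-topic",
  "pushConfig": {"pushEndpoint": "https://collector.example.com/push"},
  "ackDeadlineSeconds": 10,
  "retainAckedMessages": true
}"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_json(text) or "matches the required settings")
```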
What to do next
Add a Google Cloud Pub/Sub log source on the QRadar Console by using the Google Cloud Pub/Sub protocol. For more information, see Adding a Google Cloud Pub/Sub log source in QRadar.