Google Cloud Pub/Sub protocol configuration options

The Google Cloud Pub/Sub protocol is an outbound/active protocol for IBM QRadar that collects Google Cloud Platform (GCP) logs.

If automatic updates are not enabled, download the GoogleCloudPubSub protocol RPM from the IBM® support website.
Important: Google Cloud Pub/Sub protocol is supported on QRadar 7.3.2.6, build number 20191022133252 or later.
The following table describes the protocol-specific parameters for collecting Google Cloud Pub/Sub logs with the Google Cloud Pub/Sub protocol:
Table 1. Google Cloud Pub/Sub log source parameters for Google Cloud Pub/Sub
Parameter Description
Service Account Credential Type

Specify where the required Service Account Credentials are coming from.

Ensure that the associated service account has the Pub/Sub Subscriber role or the more specific pubsub.subscriptions.consume permission on the configured Subscription Name in GCP.

User Managed Key
The credentials are supplied in the Service Account Key field as the full JSON text of a downloaded Service Account Key file.
GCP Managed Key
Ensure that the QRadar managed host is running in a GCP Compute instance and the Cloud API access scopes include Cloud Pub/Sub.
Service Account Key

The full text of the JSON file that was downloaded when you created a User Managed Key for a service account in the IAM & admin > Service accounts section of Google Cloud Platform (GCP). The file is a long-lived credential for that service account: treat it as a secret, grant the account no more than the subscriber role on the subscription that QRadar reads, and delete or rotate the key if it is exposed.

Example:

{
  "type": "service_account",
  "project_id": "qradar-test-123456",
  "private_key_id": "453422aa6efb1c2de189f12d725c417c8346033b",
  "private_key": "-----BEGIN PRIVATE KEY-----\n<MULTILINE PRIVATE KEY DATA>\n-----END PRIVATE KEY-----\n",
  "client_email": "pubsubtest@qradar-test-123456.iam.gserviceaccount.com",
  "client_id": "526344196064252652671",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/pubsubtest%40qradar-test-123456.iam.gserviceaccount.com"
}
Subscription Name The full name of the Cloud Pub/Sub subscription. For example, projects/my-project/subscriptions/my-subscription.
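Pasting the wrong file (an OAuth client JSON instead of a service account key), a key whose newline escapes were doubled while copying, or a bare subscription name instead of the projects/.../subscriptions/... form are the usual reasons the log source never authenticates. The following pre-flight check is an added example, not part of IBM's documentation or the protocol itself; the key text is constructed with a placeholder key body, and the required-field list, the first-'=' style checks and the cross-project warning are this example's own assumptions about what is worth catching before the values go into the log source:

```python
import json
import re

# Constructed sample in the shape of a downloaded service account key file.
# The key body is a placeholder, not real key material.
SAMPLE_KEY_JSON = r'''{
  "type": "service_account",
  "project_id": "qradar-test-123456",
  "private_key_id": "453422aa6efb1c2de189f12d725c417c8346033b",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY-BODY\n-----END PRIVATE KEY-----\n",
  "client_email": "pubsubtest@qradar-test-123456.iam.gserviceaccount.com",
  "client_id": "526344196064252652671",
  "token_uri": "https://oauth2.googleapis.com/token"
}'''

# The same text with the newline escapes doubled, as happens when the key is
# copied through a shell or a wiki page (constructed for this example).
DOUBLE_ESCAPED_KEY_JSON = SAMPLE_KEY_JSON.replace("\\n", "\\\\n")

# Fields a service account key file carries (assumption: checked by name only).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "client_id", "token_uri")
SUBSCRIPTION_RE = re.compile(r"^projects/([^/]+)/subscriptions/([^/]+)$")


def check_service_account_key(text):
    """Return a list of problems with the pasted key JSON; empty means it looks usable."""
    problems = []
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["top-level JSON value is not an object"]
    for field in REQUIRED_FIELDS:
        if field not in key:
            problems.append(f"missing field: {field}")
    if key.get("type") != "service_account":
        # An OAuth client file carries "installed" or "web" here instead.
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    pk = key.get("private_key", "")
    if not pk.startswith("-----BEGIN PRIVATE KEY-----") or "-----END PRIVATE KEY-----" not in pk:
        problems.append("private_key is not PEM framed")
    elif "\n" not in pk:
        # Doubled escapes parse to a literal backslash-n, so the PEM has no
        # line breaks and cannot be loaded as a key.
        problems.append("private_key has no line breaks (escaped as \\\\n instead of \\n?)")
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems


def check_subscription_name(name, key_project=None):
    """Validate the projects/<project>/subscriptions/<subscription> form of the name."""
    m = SUBSCRIPTION_RE.match(name)
    if not m:
        return [f"expected projects/<project>/subscriptions/<subscription>, got {name!r}"]
    project = m.group(1)
    if key_project and project != key_project:
        # Reading a subscription in another project is possible, but the
        # subscriber role must then be granted in that project; flag for review.
        return [f"subscription project {project!r} differs from key project {key_project!r}"]
    return []


if __name__ == "__main__":
    for label, text in (("good key", SAMPLE_KEY_JSON), ("double-escaped key", DOUBLE_ESCAPED_KEY_JSON)):
        print(label, check_service_account_key(text) or "OK")
    print(check_subscription_name("projects/my-project/subscriptions/my-subscription", "my-project") or "OK")
    print(check_subscription_name("my-subscription"))
```

Run it against the key file you intend to paste and the exact Subscription Name string; a cross-project warning is not an error, but it is the cue to confirm that the Pub/Sub Subscriber role was granted on the subscription in its own project.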
Use As A Gateway Log Source

Select this option for the collected events to flow through the QRadar Traffic Analysis engine and for QRadar to automatically detect one or more log sources.

When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events being processed.

Log Source Identifier Pattern

When the Use As A Gateway Log Source option is selected, use this option to define a custom log source identifier for events that are processed. If the Log Source Identifier Pattern is not configured, QRadar receives events as unknown generic log sources.

The Log Source Identifier Pattern field accepts key-value pairs in the form key=value. The key is the Identifier Format String, that is, the source or origin value that the matched event is given. The value is the regex pattern that is evaluated against the current payload. Capture groups in the regex pattern can be referenced from the key (for example $1, $2) to build the identifier from parts of the payload.

Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found; the first matching pattern supplies the custom Log Source Identifier and the remaining patterns are not evaluated.

The following example shows the multiple key-value pair functionality:
Patterns:
VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)
Event:
{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}
Resulting custom log source identifier:
VPC-ACCEPT-OK
The first two patterns do not match this event. The third pattern matches " ACCEPT OK", so $1 and $2 in its key are replaced by the captured values ACCEPT and OK.
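The ordered key=value evaluation described above, as an added example that reproduces the behaviour on the page's own patterns and a few constructed events; it is not IBM code and does not claim to match QRadar's implementation in every detail. Assumed details are that the first "=" on a line separates the key from the regex, that $n in the key is replaced by capture group n of the matching pattern, and that a $n with no corresponding group is left untouched:

```python
import re

# The three patterns from the page's example, one key=regex per line.
PATTERNS_TEXT = r"""
VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)
""".strip()

# Constructed events: the page's event plus three variants that exercise
# the other patterns and the no-match case.
EVENTS = [
    "{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}",
    "{LogStreamName: LogStreamTest,Timestamp: 1,Message: REJECT OK,IngestionTime: 0,EventId: 1}",
    "{LogStreamName: LogStreamTest,Timestamp: 2,Message: REJECT FAILURE,IngestionTime: 0,EventId: 2}",
    "{LogStreamName: LogStreamTest,Timestamp: 3,Message: DROP,IngestionTime: 0,EventId: 3}",
]

_GROUP_REF = re.compile(r"\$(\d+)")


def parse_patterns(text):
    """Parse key=regex lines into an ordered list of (format_string, compiled_regex)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=regex, got {line!r}")
        fmt, regex = line.split("=", 1)  # assumption: the first '=' is the separator
        rules.append((fmt, re.compile(regex)))
    return rules


def resolve_identifier(rules, payload):
    """Return the custom identifier from the first matching rule, or None if nothing matches."""
    for fmt, regex in rules:
        m = regex.search(payload)
        if m is None:
            continue

        def expand(ref):
            idx = int(ref.group(1))
            if idx > regex.groups or m.group(idx) is None:
                return ref.group(0)  # assumption: unknown $n is left as written
            return m.group(idx)

        return _GROUP_REF.sub(expand, fmt)
    return None


def resolve_all(rules, events):
    """Map every event to its identifier (None where no pattern matched)."""
    return [resolve_identifier(rules, e) for e in events]


if __name__ == "__main__":
    for event, ident in zip(EVENTS, resolve_all(parse_patterns(PATTERNS_TEXT), EVENTS)):
        print(ident, "<-", event)
```

An event that matches no pattern comes back as None, which corresponds to the page's statement that events without a usable identifier are received as unknown generic log sources. Because evaluation stops at the first match, put the most specific patterns first; a broad pattern placed at the top silently shadows everything below it.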
Use Predictive Parsing

If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed.

Tip: In rare circumstances, the algorithm can make incorrect predictions. Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing.
Use Proxy

Select this option for QRadar to connect to GCP through a proxy.

If the proxy requires authentication, configure the Proxy IP or Hostname, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure only the Proxy IP or Hostname and Proxy Port fields.
Proxy IP or Hostname The IP or host name of the proxy server.
Proxy Port The port number that is used to communicate with the proxy server.

The default is 8080.

Proxy Username Required only when the proxy requires authentication.
Proxy Password Required only when the proxy requires authentication.
EPS Throttle

The maximum number of events per second that QRadar ingests.

If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle.

The default is 5000.

Convert Google VPC Flow Logs to IPFIX Select this option to convert Google VPC Flow Logs into IPFIX records, which are then sent to the flow processor specified by Flow Destination Hostname and Flow Destination Port.
Flow Destination Hostname

The flow processor hostname where the Google VPC Flow logs are sent.

Note: Enable Convert Google VPC Flow Logs to IPFIX to configure this parameter.
Flow Destination Port

The flow processor port where the Google VPC Flow logs are sent.

Note: Enable Convert Google VPC Flow Logs to IPFIX to configure this parameter.