Google Cloud Pub/Sub connector configuration options

The Google Cloud Pub/Sub connector is an active outbound connector for the QRadar® product that collects Google Cloud Platform (GCP) logs.

If automatic updates are not enabled, download the GoogleCloudPubSub connector RPM from the IBM® support website.

The following table describes the connector-specific parameters for collecting Google Cloud Pub/Sub logs with the Google Cloud Pub/Sub connector:
Table 1. Google Cloud Pub/Sub data source parameters for Google Cloud Pub/Sub
Parameter Description
Service Account Credential Type

Specify where the required Service Account Credentials are coming from.

Ensure that the associated service account has the Pub/Sub Subscriber role or the more specific pubsub.subscriptions.consume permission on the configured Subscription Name in GCP.

User Managed Key
The credentials are provided in the Service Account Key field by entering the full JSON text from a downloaded Service Account Key.
GCP Managed Key
Ensure that the QRadar product managed host is running in a GCP Compute instance and the Cloud API access scopes include Cloud Pub/Sub.
Service Account Key

The full text from the JSON file that was downloaded when you created a User Managed Key for a service account in the IAM & admin > Service accounts section in Google Cloud Platform (GCP).

Example:

{
  "type": "service_account",
  "project_id": "qradar-test-123456",
  "private_key_id": "453422aa6efb1c2de189f12d725c417c8346033b",
  "private_key": "-----BEGIN PRIVATE KEY-----\n<MULTILINE PRIVATE KEY DATA>\n-----END PRIVATE KEY-----\n",
  "client_email": "pubsubtest@qradar-test-123456.iam.gserviceaccount.com",
  "client_id": "526344196064252652671",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/pubsubtest%40qradar-test-123456.iam.gserviceaccount.com"
}
Subscription Name

The full name of the Cloud Pub/Sub subscription. For example, projects/my-project/subscriptions/my-subscription.

Use As A Gateway Log Source

Select this option for the collected events to flow through the QRadar product Traffic Analysis engine and for the QRadar product to automatically detect one or more data sources.

When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events being processed.

Log Source Identifier Pattern

When the Use As A Gateway Log Source option is selected, use this option to define a custom Log Source Identifier for events that are processed. If the Log Source Identifier Pattern is not configured, the QRadar product receives events as unknown generic .

The Log Source Identifier Pattern field accepts key-value pairs, such as key=value, to define the custom Log Source Identifier for events that are being processed and for to be automatically discovered when applicable. Key is the Identifier Format String which is the resulting source or origin value. Value is the associated regex pattern that is used to evaluate the current payload. The value (regex pattern) also supports capture groups which can be used to further customize the key (Identifier Format String).

Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found. When a match is found, a custom Log Source Identifier displays.

The following examples show the multiple key-value pair functionality:
Patterns
VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)
Events
{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}
Resulting custom log source identifier
VPC-ACCEPT-OK
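
The in-order evaluation described above can be reproduced offline to check a pattern list before it is saved. This is an added example, not IBM code: parse_patterns and identify are hypothetical names, and it assumes that each line is split at the first "=", that the regex is matched anywhere in the payload, and that Python's re module behaves like the connector's regex engine for these patterns.

```python
import re

# Constructed input: the three patterns and the event from the example above.
PATTERNS = r"""VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)"""
EVENT = ("{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,"
         "IngestionTime: 0,EventId: 0}")


def parse_patterns(text):
    """Turn each non-empty line into (format string, compiled regex)."""
    pairs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        # Assumption: the first '=' separates the key from the regex value.
        key, sep, value = line.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"line {lineno}: expected key=value")
        regex = re.compile(value)  # raises re.error on an invalid regex
        # Reject a format string that references a group the regex lacks.
        for ref in re.findall(r"\$(\d+)", key):
            if int(ref) > regex.groups:
                raise ValueError(f"line {lineno}: ${ref} has no capture group")
        pairs.append((key, regex))
    return pairs


def identify(pairs, payload):
    """Return the identifier built from the first matching pattern, or None."""
    for key, regex in pairs:
        match = regex.search(payload)  # assumption: unanchored search
        if match:
            # Substitute $n with capture group n (empty if it did not participate).
            return re.sub(r"\$(\d+)",
                          lambda r: match.group(int(r.group(1))) or "", key)
    return None  # no pattern matched; no custom identifier is produced


if __name__ == "__main__":
    print(identify(parse_patterns(PATTERNS), EVENT))
```

Because the first match wins, a broad pattern placed early in the list hides every pattern after it, so order the list from most specific to least specific.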
Use Proxy

Select this option for the QRadar product to connect to GCP by using a proxy.

If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields.

If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.
Proxy IP or Hostname

The IP or host name of the proxy server.

Proxy Port

The port number that is used to communicate with the proxy server.

The default is 8080.

Proxy Username

Required only when the proxy requires authentication.

Proxy Password

Required only when the proxy requires authentication.

EPS Throttle

The maximum number of events per second (EPS) that this data source must not exceed. The default is 5000.

If the Use As A Gateway Log Source option is selected, this value is optional.

If the EPS Throttle parameter value is left blank, no EPS limit is imposed by the QRadar product.