Google Cloud Pub/Sub connector configuration options
The Google Cloud Pub/Sub connector is an active outbound connector for the QRadar® product that collects Google Cloud Platform (GCP) logs.
If automatic updates are not enabled, download the GoogleCloudPubSub connector RPM from the IBM® support website.
|Service Account Credential Type||
Specify where the required Service Account Credentials are coming from.
Ensure that the associated service account has the Pub/Sub Subscriber role or the more specific pubsub.subscriptions.consume permission on the configured Subscription Name in GCP.
|Service Account Key||
The full text from the JSON file that was downloaded when you created a User Managed Key for a service account in the section in Google Cloud Platform (GCP).
|Subscription Name||The full name of the Cloud Pub/Sub subscription. For example, projects/my-project/subscriptions/my-subscription.|
|Use As A Gateway Log Source||
Select this option for the collected events to flow through the QRadar product Traffic Analysis engine and for the QRadar product to automatically detect one or more data sources.
When you select this option, the Log Source Identifier Pattern can optionally be used to define a custom Log Source Identifier for events being processed.
|Log Source Identifier Pattern||
When the Use As A Gateway Log Source option is selected, use this option to define a custom Log Source Identifier for events that are processed. If the Log Source Identifier Pattern is not configured, the QRadar product receives events as unknown generic .
The Log Source Identifier Pattern field accepts key-value pairs, such as key=value, to define the custom Log Source Identifier for events that are being processed and for to be automatically discovered when applicable. Key is the Identifier Format String which is the resulting source or origin value. Value is the associated regex pattern that is used to evaluate the current payload. The value (regex pattern) also supports capture groups which can be used to further customize the key (Identifier Format String).
Multiple key-value pairs can be defined by typing each pattern on a new line. When multiple patterns are used, they are evaluated in order until a match is found. When a match is found, a custom Log Source Identifier displays.
The following examples show the multiple key-value pair functionality:
Select this option for the QRadar product to connect to the GCP by using a proxy.
If the proxy requires authentication, configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.
|Proxy IP or Hostname||The IP or host name of the proxy server.|
|Proxy Port||The port number that is used to communicate with the proxy server. The default is 8080.|
|Proxy Username||Required only when the proxy requires authentication.|
|Proxy Password||Required only when the proxy requires authentication.|
|EPS Throttle||
The maximum number of events per second (EPS) that this data source should not exceed. The default is 5000.
If the Use As A Gateway Log Source option is selected, this value is optional.
If the EPS Throttle parameter value is left blank, no EPS limit is imposed by the QRadar product.
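The ordered, first-match evaluation described for the Log Source Identifier Pattern can be checked offline before a pattern list is pasted into the connector. The following is an added example, not IBM or QRadar code: the `$1`/`$2` capture-group syntax in the key, the pattern lines, and the sample payloads are assumptions constructed for illustration, and Python's `re` module stands in for the connector's regex engine, which this page does not name.

```python
import re

# Constructed pattern lines, one key=value pair per line, evaluated top to bottom.
# Assumption: $1/$2 in the key stand for the regex's capture groups.
PATTERNS = r"""
gcp-audit-$1=logName":\s*"projects/([a-z0-9-]+)/logs/cloudaudit
gcp-$2-$1="resource":\s*\{"type":\s*"([a-z_]+)".*?"project_id":\s*"([a-z0-9-]+)"
gcp-other="insertId"
"""

# Constructed sample payloads (shaped like GCP LogEntry JSON, not captured data).
AUDIT = ('{"insertId":"a1","logName":"projects/my-project/logs/'
         'cloudaudit.googleapis.com%2Factivity","resource":{"type":"gce_instance",'
         '"labels":{"project_id":"my-project"}}}')
SYSLOG = ('{"insertId":"b2","logName":"projects/my-project/logs/syslog",'
          '"resource":{"type":"gce_instance","labels":{"project_id":"my-project"}}}')
OTHER = '{"insertId":"c3","textPayload":"hello"}'


def parse_patterns(text):
    """Split each line on the first '=' into (format string, compiled regex)."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key, sep, regex = line.partition("=")
        if not (key and sep and regex):
            raise ValueError(f"not a key=value pattern: {line!r}")
        compiled = re.compile(regex)
        # Reject a key that references a capture group the regex does not define.
        if any(int(n) > compiled.groups for n in re.findall(r"\$(\d+)", key)):
            raise ValueError(f"key references a missing capture group: {line!r}")
        rules.append((key, compiled))
    return rules


def identify(payload, rules):
    """Return the identifier from the first matching rule, or None if none match."""
    for key, regex in rules:
        match = regex.search(payload)
        if match:
            return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))) or "", key)
    return None


if __name__ == "__main__":
    rules = parse_patterns(PATTERNS)
    for name, payload in [("audit", AUDIT), ("syslog", SYSLOG), ("other", OTHER)]:
        print(name, "->", identify(payload, rules))
```

The audit payload also satisfies the second and third patterns, so its result shows why the most specific pattern belongs at the top of the list.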