Manually configuring GCP topic, sink, and subscription - Adaptive Applications - BlueCat Gateway - 21.3.1

Cloud Discovery & Visibility Administration Guide

Locale: English (United States)
Product name: BlueCat Gateway
Version: 21.3.1

If your GCP user account has write permissions to the GCP topic, sink, and subscription, the Enable Visibility after Discovery option attempts to create the GCP topic, sink, and subscription if they do not already exist in GCP. If your GCP user account does not have the required write permissions, you must manually configure the GCP topic, sink, and subscription rules. The following section outlines how to create the required rules for your account in GCP to enable visibility.

Cloud Discovery & Visibility creates a hash which is appended to the names of the GCP topic, sink, and subscription strings. The hash is produced from a string that is a combination of the GCP Project ID, Address Manager URL, the Address Manager username, and the configuration name. In the following example, the string consists of the following information:
  • Project ID: eng-dev-cloud-integration-01
  • Address Manager URL: 192.168.113.59
  • Address Manager username: anh
  • Configuration name: test10

The example information produces the string eng-dev-cloud-integration-01192.168.113.59anhtest10. Cloud Discovery & Visibility produces the following hash from this information: b30f604746001d56a0890d4488e48159.

You can manually generate the hash of the string using the following command, where <string> is the four values concatenated in that order with no separators:
echo -n <string> | md5sum
If the Enable Visibility after Discovery option fails because the account has insufficient write permissions to those services, contact a GCP administrator to grant you temporary write access or have them configure the GCP topic, sink, and subscription as follows:
  • Create a topic with the name BC-CDV-PUBSUB-TOPIC-<hash string>. For example, the topic created is BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.

  • Create a sink with a name in the following format: BC-CDV-LOGGING-SINK-<hash string>. For example, the sink created is BC-CDV-LOGGING-SINK-b30f604746001d56a0890d4488e48159.

  • Select the Cloud Pub/Sub topic sink service and choose the pub/sub topic created earlier. For example, BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.

  • Select the logs to include in the sink by creating an inclusion filter to determine which logs are included in the logs routing sink. For example:
    (
    protoPayload.methodName =~ ("(?i)networks" OR "(?i)subnetworks" OR "(?i)instances" OR
    "(?i)backendServices" OR "(?i)targetPools" OR "(?i)urlMaps" OR
    "(?i)forwardingRules" OR "(?i)targetHttpProxies" OR
    "(?i)targetHttpsProxies" OR "(?i)targetSslProxies" OR "(?i)targetTcpProxies" OR
    "(?i)managedZones")
    AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status = "running"
    )
    OR
    (
    protoPayload.methodName="compute.instances.guestTerminate" AND severity="INFO"
    )
    OR
    (
    protoPayload.methodName =~ ("dns.managedZones.(?i)" OR "dns.changes.(?i)")
    AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity
    )


  • Optionally, select the logs to filter out of the sink.
  • Create a Pub/Sub Subscription with a name in the following format: BC-CDV-PUBSUB-SUBSCRIPTION-<hash string>. For example, the subscription created is BC-CDV-PUBSUB-SUBSCRIPTION-b30f604746001d56a0890d4488e48159.
  • Select the Cloud Pub/Sub topic and choose the pub/sub topic created earlier. For example, BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.
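The hash derivation and the creation steps above, as an added shell example that is not BlueCat's own code or tooling: it computes the hash the same way as the echo -n | md5sum command, builds the three resource names, and prints (or, with CDV_APPLY=1, runs) the gcloud commands for the topic, sink, and subscription using the guide's inclusion filter. The function names and the CDV_APPLY switch are assumptions of this example. The grant of roles/pubsub.publisher to the sink's writer identity is a GCP requirement that this page does not spell out; without it the sink cannot deliver routed log entries to the topic.

```shell
#!/bin/sh
# Added example, not BlueCat's code: derive the Cloud Discovery & Visibility
# hash and resource names, then emit the gcloud commands that create them.
# Function names and the CDV_APPLY switch are assumptions of this example.
set -eu

# Inclusion filter copied verbatim from the guide.
CDV_INCLUSION_FILTER='(
protoPayload.methodName =~ ("(?i)networks" OR "(?i)subnetworks" OR "(?i)instances" OR
"(?i)backendServices" OR "(?i)targetPools" OR "(?i)urlMaps" OR
"(?i)forwardingRules" OR "(?i)targetHttpProxies" OR
"(?i)targetHttpsProxies" OR "(?i)targetSslProxies" OR "(?i)targetTcpProxies" OR
"(?i)managedZones")
AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status = "running"
)
OR
(
protoPayload.methodName="compute.instances.guestTerminate" AND severity="INFO"
)
OR
(
protoPayload.methodName =~ ("dns.managedZones.(?i)" OR "dns.changes.(?i)")
AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity
)'

# MD5 of a string with no trailing newline (same as: echo -n <string> | md5sum).
cdv_hash() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | openssl dgst -md5 | sed 's/.*= //'
  fi
}

# The hash input is project ID, Address Manager URL, username and configuration
# name concatenated in that order with no separator.
cdv_hash_for() {
  cdv_hash "$1$2$3$4"
}

cdv_topic_name()        { printf 'BC-CDV-PUBSUB-TOPIC-%s\n' "$1"; }
cdv_sink_name()         { printf 'BC-CDV-LOGGING-SINK-%s\n' "$1"; }
cdv_subscription_name() { printf 'BC-CDV-PUBSUB-SUBSCRIPTION-%s\n' "$1"; }

# Print each command unless CDV_APPLY=1, in which case execute it.
run() {
  if [ "${CDV_APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf 'DRY-RUN: %s\n' "$*"
  fi
}

# Create the topic, the sink (routing to the topic with the inclusion filter)
# and the subscription for the given project ID and hash.
cdv_create_resources() {
  project=$1
  h=$2
  topic=$(cdv_topic_name "$h")
  sink=$(cdv_sink_name "$h")
  sub=$(cdv_subscription_name "$h")

  run gcloud pubsub topics create "$topic" --project="$project"
  run gcloud logging sinks create "$sink" \
    "pubsub.googleapis.com/projects/$project/topics/$topic" \
    --project="$project" --log-filter="$CDV_INCLUSION_FILTER"

  # A log sink publishes through its own writer identity, which must be allowed
  # to publish to the topic or routed entries are not delivered. This grant is
  # a GCP requirement the guide does not mention.
  if [ "${CDV_APPLY:-0}" = "1" ]; then
    writer=$(gcloud logging sinks describe "$sink" --project="$project" \
      --format='value(writerIdentity)')
  else
    writer='<writerIdentity from: gcloud logging sinks describe>'
  fi
  run gcloud pubsub topics add-iam-policy-binding "$topic" --project="$project" \
    --member="$writer" --role=roles/pubsub.publisher

  run gcloud pubsub subscriptions create "$sub" --topic="$topic" --project="$project"
}

# Usage: sh cdv-gcp.sh <project-id> <address-manager-url> <username> <config-name>
# With the guide's example values:
#   sh cdv-gcp.sh eng-dev-cloud-integration-01 192.168.113.59 anh test10
# With no arguments nothing is run, so the functions can be sourced and reused.
if [ "$#" -ge 4 ]; then
  h=$(cdv_hash_for "$1" "$2" "$3" "$4")
  echo "hash: $h"
  cdv_create_resources "$1" "$h"
fi
```

Run it without CDV_APPLY first and compare the printed names with what the Enable Visibility after Discovery option expects; only then rerun with CDV_APPLY=1 under an account that holds the temporary write access described above.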

Once you have created the GCP topic, sink, and subscription, you can select the Enable Visibility after Discovery option. After the visibility task has run once and the GCP topic, sink, and subscription are defined, your GCP administrator can revert your GCP account permissions to read-only if you were granted temporary write access.