If your GCP user account has write permissions for the GCP topic, sink, and subscription, the Enable Visibility after Discovery option attempts to create the topic, sink, and subscription if they do not already exist in GCP. If your GCP user account does not have the required write permissions, you must configure the GCP topic, sink, and subscription rules manually. The following section outlines how to create the required rules for your account in GCP to enable visibility.
The names of the topic, sink, and subscription are derived from an MD5 hash of the project ID, Address Manager URL, Address Manager username, and configuration name, concatenated with no separators. For example, the following values:
- Project ID: eng-dev-cloud-integration-01
- Address Manager URL: 192.168.113.59
- Address Manager username: anh
- Configuration name: test10
produce the string eng-dev-cloud-integration-01192.168.113.59anhtest10, from which Cloud Discovery & Visibility produces the hash b30f604746001d56a0890d4488e48159. You can compute the same hash yourself with:
echo -n <string> | md5sum
- Create a topic with the name BC-CDV-PUBSUB-TOPIC-<hash string>. For example, the topic created is BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.
- Create a sink with a name in the following format: BC-CDV-LOGGING-SINK-<hash string>. For example, the sink created is BC-CDV-LOGGING-SINK-b30f604746001d56a0890d4488e48159.
- Select the Cloud Pub/Sub topic sink service and choose the Pub/Sub topic created earlier. For example, BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.
- Select the logs to include in the sink by creating an inclusion filter that determines which logs are included in the logs routing sink. For example:
( protoPayload.methodName =~ ("(?i)networks" OR "(?i)subnetworks" OR "(?i)instances" OR "(?i)backendServices" OR "(?i)targetPools" OR "(?i)urlMaps" OR "(?i)forwardingRules" OR "(?i)targetHttpProxies" OR "(?i)targetHttpsProxies" OR "(?i)targetSslProxies" OR "(?i)targetTcpProxies" OR "(?i)managedZones") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status = "running" ) OR ( protoPayload.methodName="compute.instances.guestTerminate" AND severity="INFO" ) OR ( protoPayload.methodName =~ ("dns.managedZones.(?i)" OR "dns.changes.(?i)") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity )
- Optionally, select the logs to exclude from the sink.
- Create a Pub/Sub subscription with a name in the following format: BC-CDV-PUBSUB-SUBSCRIPTION-<hash string>. For example, the subscription created is BC-CDV-PUBSUB-SUBSCRIPTION-b30f604746001d56a0890d4488e48159.
- Select the Cloud Pub/Sub topic and choose the Pub/Sub topic created earlier. For example, BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.
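The naming and creation steps above, as an added shell example that is not part of the BlueCat documentation: it derives the three resource names from the four inputs with the same MD5 construction the page describes, and prints the gcloud commands that would create the topic, the sink (carrying the page's inclusion filter), and the subscription in dependency order. The function names (cdv_md5, cdv_hash, cdv_print_commands, and so on) are this example's own. The gcloud commands are only printed, so you can review them before running them with an account that holds the required write permissions.

```shell
#!/bin/sh
# Added example (not BlueCat's own tooling): derive the Cloud Discovery &
# Visibility resource names from the four inputs and print the gcloud
# commands that would create the topic, sink, and subscription.
# Nothing is changed in GCP; the printed commands are for review.

# MD5 of a string, portable across md5sum (Linux) and md5 (macOS).
# printf '%s' is the portable equivalent of the page's echo -n.
cdv_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  else
    printf '%s' "$1" | md5 -q
  fi
}

# Hash of <project id><Address Manager URL><username><configuration name>,
# concatenated with no separators, exactly as echo -n <string> | md5sum does.
cdv_hash() {
  cdv_md5 "$1$2$3$4"
}

# Resource names in the formats the procedure specifies.
cdv_topic_name()        { echo "BC-CDV-PUBSUB-TOPIC-$(cdv_hash "$@")"; }
cdv_sink_name()         { echo "BC-CDV-LOGGING-SINK-$(cdv_hash "$@")"; }
cdv_subscription_name() { echo "BC-CDV-PUBSUB-SUBSCRIPTION-$(cdv_hash "$@")"; }

# The page's inclusion filter, kept in one place so the created sink and any
# later check of the deployed sink (gcloud logging sinks describe) compare
# against the same text. It contains no single quotes, so it can be passed
# to --log-filter inside single quotes unchanged.
CDV_LOG_FILTER='( protoPayload.methodName =~ ("(?i)networks" OR "(?i)subnetworks" OR "(?i)instances" OR "(?i)backendServices" OR "(?i)targetPools" OR "(?i)urlMaps" OR "(?i)forwardingRules" OR "(?i)targetHttpProxies" OR "(?i)targetHttpsProxies" OR "(?i)targetSslProxies" OR "(?i)targetTcpProxies" OR "(?i)managedZones") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status = "running" ) OR ( protoPayload.methodName="compute.instances.guestTerminate" AND severity="INFO" ) OR ( protoPayload.methodName =~ ("dns.managedZones.(?i)" OR "dns.changes.(?i)") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity )'

# Print the three gcloud commands in dependency order: the topic must exist
# before the sink can route to it and before the subscription can attach to it.
cdv_print_commands() {
  project=$1; url=$2; user=$3; config=$4
  topic=$(cdv_topic_name "$project" "$url" "$user" "$config")
  sink=$(cdv_sink_name "$project" "$url" "$user" "$config")
  sub=$(cdv_subscription_name "$project" "$url" "$user" "$config")
  cat <<EOF
gcloud pubsub topics create "$topic" --project="$project"
gcloud logging sinks create "$sink" "pubsub.googleapis.com/projects/$project/topics/$topic" --project="$project" --log-filter='$CDV_LOG_FILTER'
gcloud pubsub subscriptions create "$sub" --topic="$topic" --project="$project"
EOF
}

# Run with the page's example values; the printed topic name should end in
# the hash shown in the documentation for these inputs.
cdv_print_commands "eng-dev-cloud-integration-01" "192.168.113.59" "anh" "test10"
```

After `gcloud logging sinks create` runs, GCP assigns the sink a writer identity (a service account, shown by `gcloud logging sinks describe <sink>`); that identity needs the Pub/Sub Publisher role on the topic or the sink cannot deliver entries to it. That grant, like the three creates, is a write operation the temporary permissions in this procedure must cover.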
Once you have created the GCP topic, sink, and subscription, you can select the Enable Visibility after Discovery option. After the visibility task has run once and the GCP topic, sink, and subscription are defined, your GCP administrator can revert your GCP account permissions to read-only if you were granted temporary write access.