Manually configuring GCP topic, sink, and subscription - Adaptive Applications - BlueCat Gateway - 22.1.1

Cloud Discovery & Visibility Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 22.1.1

If your GCP user account has write permissions for Pub/Sub topics, logging sinks, and subscriptions, the Enable Visibility after Discovery option creates the GCP topic, sink, and subscription automatically if they do not already exist. If your GCP user account lacks those write permissions, you must configure the GCP topic, sink, and subscription manually. The following section outlines how to create them in GCP for your account to enable visibility.

Cloud Discovery & Visibility derives a hash and appends it to the names of the GCP topic, sink, and subscription. The hash is the MD5 digest of a string formed by concatenating, in this order and without separators, the GCP Project ID, the Address Manager URL, the Address Manager username, and the configuration name. Because all four values feed the hash, changing any of them (for example, running discovery as a different Address Manager user or under a different configuration name) produces different resource names. In the following example, the string consists of the following information:
  • Project ID: eng-dev-cloud-integration-01
  • Address Manager URL: 192.168.113.59
  • Address Manager username: anh
  • Configuration name: test10

The example information produces the string eng-dev-cloud-integration-01192.168.113.59anhtest10. Cloud Discovery & Visibility produces the following hash from this information: b30f604746001d56a0890d4488e48159.

You can generate the hash of the string manually with the following command (the -n flag matters: a trailing newline would change the digest):
echo -n <string> | md5sum
If automatic creation fails because the account has insufficient write permissions to those services, contact a GCP administrator to grant you temporary write access, or have them configure the GCP topic, sink, and subscription as follows:
  • Create a topic with the name BC-CDV-PUBSUB-TOPIC-<hash string>. For example, the topic created is BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.

  • Create a sink with a name in the following format: BC-CDV-LOGGING-SINK-<hash string>. For example, the sink created is BC-CDV-LOGGING-SINK-b30f604746001d56a0890d4488e48159.

  • Select Cloud Pub/Sub topic as the sink destination and choose the pub/sub topic created earlier. For example, BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.

  • Under Choose logs to include in sink, create an inclusion filter so that the following logs are included in the logs routing sink. The filter for each resource type is listed below:

    Virtual Network
      protoPayload.methodName =~ ("(?i)networks" OR "(?i)subnetworks" OR "(?i)managedZones") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"

    Virtual Machine
      protoPayload.methodName=~ "(?i)instances" AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"
      protoPayload.methodName="compute.instances.guestTerminate" AND severity="INFO"

    Load Balancer
      protoPayload.methodName=~ ("(?i)backendServices" OR "(?i)targetPools" OR "(?i)urlMaps" OR "(?i)forwardingRules" OR "(?i)targetHttpProxies" OR "(?i)targetHttpsProxies" OR "(?i)targetSslProxies" OR "(?i)targetTcpProxies") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"

    Cloud DNS
      protoPayload.methodName =~ ("dns.managedZones.(?i)" OR "dns.changes.(?i)") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity OR protoPayload.response.status="running"

    Private Service Connect
      protoPayload.methodName =~ "(?i)forwardingRules" AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"

    Kubernetes
      protoPayload.methodName =~ "(?i)ClusterManage" AND severity="NOTICE" AND operation.last=true



  • Optionally, select the logs to filter out of the sink.
  • Create a Pub/Sub subscription with a name in the following format: BC-CDV-PUBSUB-SUBSCRIPTION-<hash string>. For example, the subscription created is BC-CDV-PUBSUB-SUBSCRIPTION-b30f604746001d56a0890d4488e48159.
  • For the subscription's topic, choose the pub/sub topic created earlier. For example, BC-CDV-PUBSUB-TOPIC-b30f604746001d56a0890d4488e48159.
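The hash computation and the manual topic, sink, and subscription procedure above, as one added shell example (this is not BlueCat's own tooling). It recomputes the string and hash from the four inputs, derives the three resource names, and issues the gcloud commands. Assumptions introduced here: gcloud is installed and authenticated against the project; the per-type filters from the list above are combined with OR into the single inclusion filter a sink accepts; CDV_APPLY=1 is a switch of this script, not a CDV setting, and without it the gcloud commands are only printed. The IAM binding on the topic is a Google Cloud requirement for sinks that route to Pub/Sub and is not stated in the guide.

```shell
#!/bin/sh
# Added example, not BlueCat's own tooling.  Recomputes the Cloud Discovery &
# Visibility (CDV) hash and resource names from the four inputs the guide names,
# then creates the Pub/Sub topic, logging sink and subscription with gcloud.
# Commands are only printed unless CDV_APPLY=1 (a switch introduced here).

md5_hex() {                   # hex MD5 of stdin via md5sum, md5 (macOS) or openssl
  if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1
  elif command -v md5 >/dev/null 2>&1; then md5 -q
  else openssl dgst -md5 | sed 's/^.*= //'
  fi
}

# $1 project ID, $2 Address Manager URL, $3 Address Manager username, $4 configuration name
cdv_string() { printf '%s%s%s%s' "$1" "$2" "$3" "$4"; }   # printf: no trailing newline
cdv_hash()   { cdv_string "$@" | md5_hex; }

cdv_topic()        { printf 'BC-CDV-PUBSUB-TOPIC-%s' "$1"; }
cdv_sink()         { printf 'BC-CDV-LOGGING-SINK-%s' "$1"; }
cdv_subscription() { printf 'BC-CDV-PUBSUB-SUBSCRIPTION-%s' "$1"; }

# Inclusion filters as printed in the guide, one per resource type.
F_NET='protoPayload.methodName =~ ("(?i)networks" OR "(?i)subnetworks" OR "(?i)managedZones") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"'
F_VM='protoPayload.methodName=~ "(?i)instances" AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"'
F_VM_TERM='protoPayload.methodName="compute.instances.guestTerminate" AND severity="INFO"'
F_LB='protoPayload.methodName=~ ("(?i)backendServices" OR "(?i)targetPools" OR "(?i)urlMaps" OR "(?i)forwardingRules" OR "(?i)targetHttpProxies" OR "(?i)targetHttpsProxies" OR "(?i)targetSslProxies" OR "(?i)targetTcpProxies") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"'
F_DNS='protoPayload.methodName =~ ("dns.managedZones.(?i)" OR "dns.changes.(?i)") AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity OR protoPayload.response.status="running"'
F_PSC='protoPayload.methodName =~ "(?i)forwardingRules" AND severity="NOTICE" AND cloudaudit.googleapis.com%2Factivity AND protoPayload.response.status="running"'
F_GKE='protoPayload.methodName =~ "(?i)ClusterManage" AND severity="NOTICE" AND operation.last=true'

# A sink takes one inclusion filter, so the per-type filters are joined with OR.
# Each clause is parenthesised so the result does not depend on operator precedence.
cdv_filter() {
  printf '(%s) OR (%s) OR (%s) OR (%s) OR (%s) OR (%s) OR (%s)' \
    "$F_NET" "$F_VM" "$F_VM_TERM" "$F_LB" "$F_DNS" "$F_PSC" "$F_GKE"
}

run_echo()  { printf '%s\n' "$*"; }   # dry run: print the command
run_apply() { "$@"; }                 # CDV_APPLY=1: execute it

# Create topic, sink and subscription for project $1 and hash $2.  The sink's
# writer identity (a Google-managed service account) must hold
# roles/pubsub.publisher on the topic, or nothing is delivered to the topic;
# the guide does not mention this step.
cdv_create() {
  proj=$1 h=$2
  topic=$(cdv_topic "$h"); sink=$(cdv_sink "$h"); sub=$(cdv_subscription "$h")
  if [ "${CDV_APPLY:-0}" = 1 ]; then run=run_apply; else run=run_echo; fi

  $run gcloud pubsub topics create "$topic" --project="$proj"
  $run gcloud logging sinks create "$sink" \
      "pubsub.googleapis.com/projects/$proj/topics/$topic" \
      --project="$proj" --log-filter="$(cdv_filter)"
  if [ "$run" = run_apply ]; then
    writer=$(gcloud logging sinks describe "$sink" --project="$proj" --format='value(writerIdentity)')
  else
    writer='<writerIdentity from: gcloud logging sinks describe>'
  fi
  $run gcloud pubsub topics add-iam-policy-binding "$topic" --project="$proj" \
      --member="$writer" --role=roles/pubsub.publisher
  $run gcloud pubsub subscriptions create "$sub" --topic="$topic" --project="$proj"
}

# Worked example with the guide's inputs; compare the printed hash with the one
# the guide shows for them (b30f604746001d56a0890d4488e48159).
PROJECT=eng-dev-cloud-integration-01
HASH=$(cdv_hash "$PROJECT" 192.168.113.59 anh test10)
printf 'string: %s\nhash:   %s\n' "$(cdv_string "$PROJECT" 192.168.113.59 anh test10)" "$HASH"
cdv_create "$PROJECT" "$HASH"
```

Run it once without CDV_APPLY to check that the derived names match what Cloud Discovery & Visibility expects, then with CDV_APPLY=1 under the temporarily elevated account. The temporary grant has to cover creating the sink (roles/logging.configWriter is sufficient for that) and creating the topic and subscription plus setting the topic's IAM policy; the guide's advice to revert the account to read-only afterwards applies to all of it. gcloud creates a pull subscription by default. The optional exclusion filters from the list above map to the --exclusion=name=...,filter=... flag of gcloud logging sinks create.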

Once you have created the GCP topic, sink, and subscription, you can select the Enable Visibility after Discovery option. After the visibility task has run once and the GCP topic, sink, and subscription are in place, your GCP administrator can revert your GCP account to read-only permissions if you were granted temporary write access.