To route admin logs from your Google Cloud project to the created Pub/Sub topic, you must create a Log Router sink.

For details, see Route Logs with Log Router.

You export your log entries by routing them to a Pub/Sub topic set as a destination. Then, authorize the third-party destination, Carbon Black Cloud console, to subscribe to the Pub/Sub topic.

Prerequisites

  • To create and manage a sink, verify that you have one of the following IAM roles for your project.
    • Logs Configuration Writer (roles/logging.configWriter)
    • Logging Admin (roles/logging.admin)
    • Owner (roles/owner)
  • To create and manage a push subscription, verify that you have the Pub/Sub Editor role (roles/pubsub.editor) on your topic or project.

Procedure

  1. In the Google Cloud console, search for log router, and select it from the related drop-down menu.
    The Log Router page displays under the Logging category.
  2. Click Create sink.
  3. In step 1, Sink details, enter a name and description for the logs routing sink and click Next.
    You cannot change the name of the sink once you create it.
  4. In step 2, Sink destination, click the Select sink service drop-down menu and select Cloud Pub/Sub topic.
  5. Select the topic to receive the routed logs from the Select a Cloud Pub/Sub topic drop-down menu.
  6. In step 3, Choose logs to include in sink, configure the sink to select only Cloud instance events by setting the following inclusion filter.
    You create inclusion filters by using the Logging query language.
    (protoPayload.request.@type:"type.googleapis.com/compute.instances" OR
     protoPayload.request.@type:"type.googleapis.com/compute.instanceGroups") AND
    operation.last=true

    Set up inclusion filters to include cloud instance logs in sink.

  7. To save your changes, click Next, and then click Create Sink.
    The newly created sink displays in the list of Log Router Sinks.
  8. To subscribe the Carbon Black Cloud console to receive admin log events, search for subscription and select it from the related drop-down menu.
    The Subscriptions page displays under the Pub/Sub category.
  9. Click Create Subscription.
  10. Enter a subscription ID and select the Pub/Sub topic you previously created to receive the broadcast events.
    The Pub/Sub service delivers the stored messages to the push endpoint, which you define in the next step.
  11. Select Push as the delivery type and enter the endpoint URL.
    The server for the push endpoint must have a valid SSL certificate.
    For example, https://vmw-carbonblack-event-stream-krkdcawz5a-uc.a.run.app?__GCP_CloudEventsMode=CUSTOM_PUBSUB_projects/carbonblack-public-cloud-poc/topics/vmw-carbonblack-event-topic
  12. Keep the default values for the remaining options, and then click Create.
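
To check which entries the inclusion filter from step 6 routes before relying on the sink, the following added example (not part of the original procedure or of any Google or Carbon Black tooling) models that filter locally. The helper names and the sample entries are constructed for illustration, and the ":" operator is modelled as a case-insensitive substring test.

```python
# Local model of the sink's inclusion filter from step 6 (added example,
# not Google's evaluator). All names and sample entries are constructed.
TYPE_NEEDLES = (
    "type.googleapis.com/compute.instances",
    "type.googleapis.com/compute.instanceGroups",
)

def get_path(entry, *keys):
    """Walk nested dict keys; return None when any level is missing."""
    cur = entry
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def has(value, needle):
    """Model of the ':' (has) operator: case-insensitive substring test."""
    return isinstance(value, str) and needle.lower() in value.lower()

def sink_includes(entry):
    """True when the entry satisfies (type A OR type B) AND operation.last=true."""
    req_type = get_path(entry, "protoPayload", "request", "@type")
    type_ok = any(has(req_type, needle) for needle in TYPE_NEEDLES)
    return type_ok and get_path(entry, "operation", "last") is True

def make_entry(req_type, **operation):
    """Build a constructed entry trimmed to the fields the filter reads."""
    entry = {"protoPayload": {"request": {"@type": req_type}}}
    if operation:
        entry["operation"] = operation
    return entry

BASE = "type.googleapis.com/compute."
SAMPLES = {  # constructed sample entries
    "insert_start": make_entry(BASE + "instances.insert", id="op-1", first=True),
    "insert_done": make_entry(BASE + "instances.insert", id="op-1", last=True),
    "group_done": make_entry(BASE + "instanceGroups.addInstances", last=True),
    "disk_done": make_entry(BASE + "disks.insert", id="op-2", last=True),
    "no_operation": make_entry(BASE + "instances.delete"),
}

def routed_names(samples):
    """Names of the sample entries the sink would route to the topic."""
    return [name for name, entry in samples.items() if sink_includes(entry)]

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(f"{name:13} -> {'routed' if sink_includes(entry) else 'dropped'}")
```

Entries that open an operation, entries with no operation block, and entries for other Compute resource types are dropped, so the subscriber receives one event per completed instance or instance group operation.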