Integrate with GCP
STEP 1: Enable data sharing
Note: You must log in with a super administrator account.
- In the Google Admin Console, go to Menu > Account > Account settings > Legal and compliance.
- Scroll down to Share data with Google Cloud services and click to Enable the service. For more details, read this extended guide.
STEP 2: GCP configuration
- Create a new GCP project to host the Pub/Sub topics and subscriptions:
$ export ORGANIZATION_ID=<YOUR_ORGANIZATION_ID>
$ gcloud projects create audit-logs-slashid-export --organization=${ORGANIZATION_ID}
$ export PROJECT_ID=$(gcloud projects list --filter=name="audit-logs-slashid-export" --format="value(projectId)")
- Create a new Pub/Sub topic:
$ gcloud pubsub topics create gworkspace-audit-logs --project=${PROJECT_ID}
- Create an organization-level sink:
$ gcloud logging sinks create workspace-audit-sink \
pubsub.googleapis.com/projects/${PROJECT_ID}/topics/gworkspace-audit-logs \
--include-children --organization=${ORGANIZATION_ID} \
--log-filter="logName:\"organizations/${ORGANIZATION_ID}/logs/cloudaudit.googleapis.com\""
- Grant permissions to the sink, so it can write to the Pub/Sub topic:
$ gcloud pubsub topics add-iam-policy-binding gworkspace-audit-logs \
--member=$(gcloud logging sinks describe workspace-audit-sink --organization=${ORGANIZATION_ID} --format="value(writerIdentity)") \
--role=roles/pubsub.publisher --project=$PROJECT_ID
- Create a push subscription to your HTTP endpoint:
$ gcloud pubsub subscriptions create gworkspace-audit-subscription \
--topic=gworkspace-audit-logs \
--push-endpoint='https://slashid.com/nhi/events?token=<YOUR_SLASHID_SECRET_INGESTION_TOKEN>' \
--ack-deadline=60 --project=$PROJECT_ID
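To check what the push subscription delivers, the following added example (not SlashID's or Google's code) decodes a Pub/Sub push request body into the audit LogEntry it carries and tests its `logName` against the sink filter, approximated here as a plain substring match. The organization ID, project name, and all sample field values are constructed placeholders, and the function names are hypothetical.

```python
import base64
import json

ORG_ID = "123456789012"  # constructed placeholder organization ID
# Substring that the sink's --log-filter matches with the ":" (has) operator.
FILTER_SUBSTRING = f"organizations/{ORG_ID}/logs/cloudaudit.googleapis.com"


def decode_push(body: bytes) -> dict:
    """Decode one Pub/Sub push request body into the LogEntry it carries."""
    envelope = json.loads(body)
    message = envelope.get("message")
    if not isinstance(message, dict) or "data" not in message:
        raise ValueError("not a Pub/Sub push envelope")
    # message.data is the base64-encoded JSON LogEntry written by the sink.
    entry = json.loads(base64.b64decode(message["data"], validate=True))
    payload = entry.get("protoPayload", {})
    return {
        "subscription": envelope.get("subscription"),
        "message_id": message.get("messageId"),
        "log_name": entry.get("logName", ""),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
    }


def matches_sink_filter(log_name: str) -> bool:
    """Approximate the sink filter: logName contains the cloudaudit prefix."""
    return FILTER_SUBSTRING in log_name


def sample_push(log_name: str) -> bytes:
    """Build a constructed push body; every field value here is made up."""
    entry = {
        "logName": log_name,
        "timestamp": "2024-01-01T00:00:00Z",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "login.googleapis.com",
            "methodName": "google.login.LoginService.loginSuccess",
            "authenticationInfo": {"principalEmail": "user@example.com"},
        },
    }
    data = base64.b64encode(json.dumps(entry).encode()).decode()
    return json.dumps({
        "message": {"data": data, "messageId": "1"},
        "subscription": "projects/example-project/subscriptions/gworkspace-audit-subscription",
    }).encode()
```

Audit log names carry a URL-encoded suffix such as `%2Factivity`, which is why the filter matches on the prefix rather than the full name.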