1. Logsign Support Center
  2. Logsign Unified SecOps Platform
  3. Integration

Google Pub/Sub API Integration Guide

Updated

To collect Google Cloud logs in Logsign USO, logs are routed through Cloud Logging into a Pub/Sub topic, where Logsign reads them via a subscription. To set this up, the user must complete the configuration on the Google Cloud side and then provide the following information to Logsign:

  • GCP Project ID
  • Pub/Sub Subscription Name
  • Service Account JSON Key file

This guide explains the access (roles/APIs) required and how the user retrieves these values from the Google Cloud Console.

Required Access

Before starting, make sure the following APIs are enabled:

  • Cloud Logging API
  • Cloud Pub/Sub API

(Console → APIs & Services → Enable APIs)

The user performing the configuration must hold the following IAM roles:

  • roles/logging.admin to create the Log Sink
  • roles/pubsub.admin to manage the Topic and Subscription
  • roles/iam.serviceAccountAdmin to create the service account and key

The service account that Logsign uses to read logs only needs:

roles/pubsub.subscriber to pull messages from the subscription

Create a Pub/Sub Topic

  1. Log in to the Google Cloud Console.
  2. Go to Pub/Sub → Topics.
  3. Click Create Topic.
  4. Enter a Topic ID (e.g. logsign-logsink) and click Create.

Where to find it: Console → Pub/Sub → Topics

Create a Pub/Sub Subscription

  1. Go to Pub/Sub → Subscriptions and click Create Subscription.
  2. Enter a Subscription ID (e.g. logsign-siem-sub).
  3. Select the topic created in step 1.
  4. Set Delivery Type to Pull.
  5. Set Message retention duration to 7 days (maximum).
  6. Enable Retain acknowledged messages.

"Retain acknowledged messages" must be enabled otherwise the seek (rewind) feature will not work and historical logs cannot be re-read.

This Subscription Name is one of the values you must send to Logsign.

Create a Log Sink

The sink routes logs from Cloud Logging into the Pub/Sub topic.

  1. Go to Logging → Log Router and click Create Sink.
  2. Enter a Sink name (e.g. logsign-pubsub-sink).
  3. Set Sink service to Cloud Pub/Sub topic and select the topic from step 1.
  4. In the Inclusion filter, define which logs to forward.
  5. Click Create Sink.

After creation, the sink is automatically assigned a writer identity email address this is used in the next step.

Grant the Sink Permission to Publish

  1. Open the sink under Logging → Log Router and copy the writer identity email (e.g. service-XXXXXXXX@gcp-sa-logging.iam.gserviceaccount.com).
  2. Go to Pub/Sub → Topics and open the topic from step 1.
  3. Open the Permissions tab and click Add Principal.
  4. Paste the writer identity email and assign the role Pub/Sub Publisher.
  5. Click Save.

Create a Service Account for Logsign

1. Go to IAM & Admin → Service Accounts and click Create Service Account.
2. Enter a name (e.g. logsign-pubsub-reader) and click Create and Continue.
3. Assign the role Pub/Sub Subscriber and click Done.

Where to find it: Console → IAM & Admin → Service Accounts

Create the Service Account JSON Key

  1. Open the service account created in step 5.
  2. Go to the Keys tab and click Add Key → Create new key.
  3. Select JSON and click Create.
  4. The JSON file downloads automatically store it securely and do not share it with third parties.

This JSON file is one of the values you must send to Logsign.

Summary

To complete the Google Cloud Pub/Sub integration with Logsign USO, the user configures Cloud Logging to route logs into a Pub/Sub topic and creates a subscription Logsign can read from. After enabling the required APIs and confirming the necessary IAM roles, the user creates the topic, a Pull subscription with retention enabled, a log sink with the appropriate inclusion filter, and grants the sink permission to publish to the topic. Finally, the user creates a service account with the Pub/Sub Subscriber role and downloads its JSON key.

Once configured, provide Logsign with:

  • GCP Project ID
  • Pub/Sub Subscription Name
  • Service Account JSON Key file

After the source is added in Logsign USO using these values, logs begin arriving in raw form. The Logsign team then reviews the incoming logs, develops a Custom Plugin tailored to the structure of each log type, and attaches it to the integration through Include Patterns. Until this step is completed, logs are ingested as-is without normalization; once the plugin is connected via Include Patterns, the logs are parsed and normalized correctly.

By following these steps, the user supplies everything needed to add the source in Logsign USO.

Settings > Data Collection > API > Google Cloud Pub/Sub

Was this article helpful?
0 out of 0 found this helpful

Articles in this section

See more
Become a Certified Logsign User/Administrator
Sign-up for Logsign Academy and take the courses to learn about Logsign USO Platform in detail. Enjoy the courses, and get your badges and certificates. In these courses, you'll learn how to use Logsign in your work and add value to your career.
Visit Our Blog
Our Logsign USO Platform illustrate our expertise. So do the blog. Through our blog posts, deepen your knowledge on various SecOps topics or get updated about important news & modern approaches for cybersecurity. Get into the habit of reading valuable information provided by Logsign. Be a step ahead.