...
Make sure that
Loggingis enabled on the Load Balancer Backend Service ConfigurationCheck this link for more information on how to enable Logging on the Load Balancer Backend Service
Create a
...
First, create a Pub/Sub topic in a project that will be used by the logs routing sink:
...
Pub/Sub Topic For The Logs Routing Sink
| Info |
|---|
If creating a logs routing sink at the organization or folder level, this should be your Data Theorem integration project |
...
, otherwise it can be in the same project as where you plan to create the sink |
In the GCP console, switch to the project where you will create the Pub/Sub topic
Using the left-hand side menu, select Pub/Sub (in the Analytics section), and then select Topics
...
, Click on Create Topic
In Create Topic Flow
Use
datatheorem-logs-processingas the topic ID
...
Uncheck "Add a default subscription"
...
No other options are needed
...
Click Create to create the topic
...
an confirm not other boxes are checked
Click Create
...
Create The Cloud Logging Sink
| Info |
|---|
If creating the sink at the organization (or folder) level, switch from the project to your organization (or folder) |
Using the left-hand side menu, select Logging (in the Observability section), then within the Configure subsection, select Log router
Click
...
Create Sink
In the Sink details section, input
datatheorem-logs-processingas the sink name, and click NextYou will have to fill in the full ID of the sink destination. For a Pub/Sub topic, it must be formatted as (but replace the
[PROJECT_ID]and[TOPIC_ID]with the topic's information):pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_ID]Click Next
...
Choose Logs to Include in Sink
| Info |
|---|
You can click on Preview logs to see which logs will be included |
...
In the Choose logs to include section, add the following inclusion filter:
resource.type="http_load_balancer"
You can click on Preview logs to see which logs will be included
...
Complete the sink creation by clicking on Create sink
Create a Service Account
...
Click Create sink
...
Create a Service Account To Authenticate Log Forwarding
In the GCP on console, switch back to the GCP project where the Pub/Sub topic was created
Then using the left-hand side menu, select IAM & Admin section, and then select Service Accounts
Click on Create Service Account at the top
In the Service account details section, input
datatheorem-logs-processingas the name
...
Click CREATE AND CONTINUE
Allow Service Account to Assume Role To Authenticate Log Forwarding
In the Grant this service account access to project section
...
Select a role
Filter for “token creator” in the role filter
Select
Service Account OpenID Connect Identity Token Creator
...
role to allow Pub/Sub to generate OIDC tokens that will be used to authenticate requests
Complete the service account creation by clicking on Done
...
Collect Service Account’s OAuth2 ClientId
On the service account listing, above the table, input
datatheorem-logs-processingto retrieve the newly created service accountCopy the value from the OAuth 2 Client ID column and register it below
...
Create a Pub/Sub
...
Subscription In The Same GCP project As The Pub/Sub
...
Topic
Using the left-hand side menu, select Pub/Sub (in the Analytics section), then within the PUB/SUB subsection, select Subscriptions
Click on CREATE SUBSCRIPTION at the top
Input
datatheorem-logs-processingas the subscription IDClick on Select a Cloud Pub/Sub topic and input
datatheoremto filter the previously created Pub/Sub topicIn the Delivery type section, select Push
In the Endpoint URL text box, input
https://api-protect-api.securetheorem.com/logs/v1/ingest/gcp_load_balancers
...
Check on the Enable Authentication checkbox below the Endpoint URL, and select the previously created service account
In the Retry policy section at the bottom, change the retry policy in the subscription to exponential backoff instead of immediate retry
...
Click CREATE
Kubernetes In-Cluster Helm Chart Integration
...