AlienVault® USM Anywhere™

Manually Create a Cloud Pub/Sub Topic for Your GCP  Sensor

In Google Cloud Pub/Sub, a topic receives the logs your Google Cloud Platform (GCP) environment exports. Those logs are then retrieved by your GCP Sensor via subscriptions. Depending on the needs of your particular implementation, you may only need to create a single topic to receive all of your exported logs from all of the export sinks you configure. However, you may find that it would be advantageous for your implementation to include multiple topics, in which case any number of topics are supported.

To create a Cloud Pub/Sub topic

  1. Log in to your GCP environment and go to the Topics page under Pub/Sub.
  2. Click Create Topic.
  3. Give this topic a name.
  4. Note: Make note of this name, as you will need to reference it when creating your export sinks.

  5. Under Encryption, be sure that Google-managed key is selected.
  6. Click Create Topic.
  7. Now you are ready to create a subscription for this topc.

To create a subscription for a Cloud Pub/Sub topic

  1. Go to the Topics page under Pub/Sub and open the topic for which you want to create a subscription.
  2. Scroll to the bottom of the page and click Create Subscription.
  3. Name your subscription using the Subscription ID field.
  4. Note: This is the name that will appear in the UI of your GCP Sensor under the Log Subscriptions tab.

  5. Enter the required information and settings for your subscription.
    1. Delivery type: Select Pull
    2. Subscription expiration: Select Never expire
    3. Acknowledgment deadline: You may leave this as its default, or adjust it to suit your needs
    4. Message retention duration: You may leave this as its default, or adjust it to suit your needs
  6. Click Create Subscription.
  7. At this point, you may go to the Sensor Details within your USM Anywhere Sensor and review the Log Subscriptions tab to verify that this subscription appears as expected.

  8. Click Enable to enable the subscription.
  9. Important: While your subscription is visible at this point, it will not begin reporting events until you have configured at least one export sink to publish to this topic.