Enabling Log Ingestion at Project Level
This section describes the steps to enable log ingestion at the project level.
Step 1: Creating a Role
Netskope requires permissions to support log ingestion from a project successfully. Create a custom role using the cloud shell terminal provided by GCP.
Log in to console.cloud.google.com.
On the top-right, click the Activate Cloud Shell icon.
The cloud shell terminal opens at the bottom of the page.
On the shell prompt, type nano netskope_ueba.yaml and then press the enter/return key.
Copy the code below and save the file. To save, press Ctrl O followed by the enter/return key.
title: "Netskope_UEBA_Role" description: "Role for supporting Netskope for performing Audit Log Ingestion" stage: "ALPHA" includedPermissions: # get IAM roles to check the Netskope_UEBA_Role is present - iam.roles.get # get log sinks created for the project - logging.sinks.get # get project metadata and list projects under organization - resourcemanager.projects.get
Execute the following command to create the Netskope_UEBA_Role and attach it to the project. Replace the <project-id> with the actual ID of the project.
gcloud iam roles create Netskope_UEBA_Role --project=<project-id> --file=netskope_ueba.yaml
To identify the
project-id
,At the top of the page, click the project selection drop-down list and select the folder.
In the search box, type
IAM
and click IAM & Admin.On the left navigation, click Settings.
The UI displays the Project ID.
Ensure that the role is created by executing the command below. Replace the
<project-id>
with the actual ID of the project.gcloud iam roles describe --project=<project-id> Netskope_UEBA_Role
Step 2: Creating a Service Account
Navigate to the project where you intend to create the service account. Then, follow the steps as described in Step 2: Creating a Service Account.
Step 3: Creating a Logs Router
Create a logs router using the Google Cloud console. The logs router routes the logs from the project to the Netskope pub/sub topic. For additional information on Log Router, see this Google article.
Log in to console.cloud.google.com.
At the top of the page, click the project selection drop-down list and select the project.
In the search box, type
Logs Router
and select it.On the Logs Router page, click Create Sink.
The Create logs routing sink page opens.
Under Sink details, enter the sink name as
ns_ueba_sink
. Click Next.Under Sink destination,
click the Select sink service drop-down list and select Cloud Pub/Sub topic.
click the Select a Cloud Pub/Sub topic drop-down list and click ENTER TOPIC MANUALLY. Enter the topic name in the following format:
projects/ns-iaas-ueba-prod/topics/ns_ueba4gcp_dc_<dc_name>
where,
dc_name: Based on the data center location of your tenant, enter the appropriate value:
AM2: nl-am2
FR4: de-fr4
SJC1: us-sjc1
SV5: us-sv5
Note
If you are not sure of the data center location of your tenant, contact your sales representative or Netskope support.
Click Next.
Under Choose logs to include in sink, enter the following text in the edit box:
protoPayload.@type:"type.googleapis.com/google.cloud.audit.AuditLog" AND NOT logName=~"vpc_flows$"
Click Next and Create Sink.
The new logs router will be listed on the Logs Router page.
Identify the newly created logs router sink, click the ellipsis (⋮) More actions, and click View sink details.
Note down the Writer identity value. This will be required during the Netskope instance setup.
Note
As soon as you create a logs router, Google starts pushing logs into the logs router. However, the logs router may not have the appropriate permissions to publish to the pub/sub topic hosted by Netskope. The administrator of the organization, folder, or project may receive an email notification with an error code topic_permission_denied. You can ignore the email notification. To resolve this issue, log in to your Netskope tenant, set up the GCP instance, and grant access.
Once you have enabled log ingestion, log in to your Netskope tenant and set up the GCP instance. For detailed documentation, see Configure Google Cloud Platform on Netskope UI.