Skip to main content

Netskope Help

Enabling Log Ingestion at Project Level

This section describes the steps to enable log ingestion at the project level.

Step 1: Creating a Role

Netskope requires permissions to support log ingestion from a project successfully. Create a custom role using the cloud shell terminal provided by GCP.

  1. Log in to console.cloud.google.com.

  2. On the top-right, click the Activate Cloud Shell icon.

    Activate-Cloud-Shell.png

    The cloud shell terminal opens at the bottom of the page.

  3. On the shell prompt, type nano netskope_ueba.yaml and then press the enter/return key.

  4. Copy the code below and save the file. To save, press Ctrl O followed by the enter/return key.

    title: "Netskope_UEBA_Role"
    description: "Role for supporting Netskope for performing Audit Log Ingestion"
    stage: "ALPHA"
    includedPermissions:
      # get IAM roles to check the Netskope_UEBA_Role is present
      - iam.roles.get
      # get log sinks created for the project
      - logging.sinks.get
      # get project metadata and list projects under organization
      - resourcemanager.projects.get
  5. Execute the following command to create the Netskope_UEBA_Role and attach it to the project. Replace the <project-id> with the actual ID of the project.

    gcloud iam roles create Netskope_UEBA_Role --project=<project-id> --file=netskope_ueba.yaml

    To identify the project-id,

    1. At the top of the page, click the project selection drop-down list and select the folder.

      folder-selection-drown-down-list.png
    2. In the search box, type IAM and click IAM & Admin.

      Search_IAM.png
    3. On the left navigation, click Settings.

      The UI displays the Project ID.

  6. Ensure that the role is created by executing the command below. Replace the <project-id> with the actual ID of the project.

    gcloud iam roles describe --project=<project-id> Netskope_UEBA_Role

Step 2: Creating a Service Account

Navigate to the project where you intend to create the service account. Then, follow the steps as described in Step 2: Creating a Service Account.

Step 3: Creating a Logs Router

Create a logs router using the Google Cloud console. The logs router routes the logs from the project to the Netskope pub/sub topic. For additional information on Log Router, see this Google article.

  1. Log in to console.cloud.google.com.

  2. At the top of the page, click the project selection drop-down list and select the project.

    project-selection-drown-down-list.png
  3. In the search box, type Logs Router and select it.

    Search_Logs-Router.png
  4. On the Logs Router page, click Create Sink.

    The Create logs routing sink page opens.

  5. Under Sink details, enter the sink name as ns_ueba_sink. Click Next.

  6. Under Sink destination,

    • click the Select sink service drop-down list and select Cloud Pub/Sub topic.

    • click the Select a Cloud Pub/Sub topic drop-down list and click ENTER TOPIC MANUALLY. Enter the topic name in the following format:

      projects/ns-iaas-ueba-prod/topics/ns_ueba4gcp_dc_<dc_name>

      where,

      • dc_name: Based on the data center location of your tenant, enter the appropriate value:

        • AM2: nl-am2

        • FR4: de-fr4

        • SJC1: us-sjc1

        • SV5: us-sv5

        Note

        If you are not sure of the data center location of your tenant, contact your sales representative or Netskope support.

    sink-destination.png

    Click Next.

  7. Under Choose logs to include in sink, enter the following text in the edit box:

    protoPayload.@type:"type.googleapis.com/google.cloud.audit.AuditLog" AND NOT logName=~"vpc_flows$"

    Logs-to-include-in-sink.png

    Click Next and Create Sink.

    The new logs router will be listed on the Logs Router page.

  8. Identify the newly created logs router sink, click the ellipsis () More actions, and click View sink details.

    view-sink-details.png

    Note down the Writer identity value. This will be required during the Netskope instance setup.

Note

As soon as you create a logs router, Google starts pushing logs into the logs router. However, the logs router may not have the appropriate permissions to publish to the pub/sub topic hosted by Netskope. The administrator of the organization, folder, or project may receive an email notification with an error code topic_permission_denied. You can ignore the email notification. To resolve this issue, log in to your Netskope tenant, set up the GCP instance, and grant access.

Once you have enabled log ingestion, log in to your Netskope tenant and set up the GCP instance. For detailed documentation, see Configure Google Cloud Platform on Netskope UI.