Event Streaming with GCP Pub/Sub
Follow these steps to start streaming audit logs from your GCP organization to SlashID.
Prerequisites
Before you begin, ensure you have:
- A GCP Organization data source configured in the SlashID console. Note the Connection ID shown in the data source details — you will need it in the steps below.
- The gcloud CLI installed and authenticated with an account that has organization-level permissions: creating the organization-level log sink requires logging.sinks.create on the organization (for example roles/logging.configWriter), and creating a project in step 1 requires roles/resourcemanager.projectCreator.
Setup
Set the following environment variables. Resource names (such as project, topic, and subscription names) can be modified to fit your naming conventions.
# The numeric ID of your GCP organization (found in the GCP console under IAM & Admin > Settings).
$ export ORGANIZATION_ID=<YOUR_GCP_ORGANIZATION_ID>
# The Connection ID for the GCP Organization data source you created in the SlashID console.
$ export CONNECTION_ID=<YOUR_SLASHID_CONNECTION_ID>
# The GCP project that will host the Pub/Sub topic and subscription.
# Use an existing project ID, or create a new one in step 1.
$ export PROJECT_ID=<YOUR_GCP_PROJECT_ID>
# Names for the Pub/Sub resources and log sink. You can change these to match your conventions.
$ export TOPIC_NAME=audit-logs
$ export SUBSCRIPTION_NAME=audit-logs-push-slashid
$ export SINK_NAME=audit-sink
1. (Optional) Create a dedicated GCP project
If you prefer to isolate the Pub/Sub resources from your existing projects, create a new project. The positional argument is the project ID (globally unique, 6 to 30 lowercase letters, digits or hyphens, starting with a letter), not a display name:
$ export PROJECT_ID=<NEW_PROJECT_ID>
$ gcloud projects create ${PROJECT_ID} --organization=${ORGANIZATION_ID}
Enable the required APIs in the project that will host the topic, whether it is new or an existing project where they are not yet enabled:
$ gcloud services enable pubsub.googleapis.com logging.googleapis.com --project=${PROJECT_ID}
2. Create a Pub/Sub topic
$ gcloud pubsub topics create ${TOPIC_NAME} --project=${PROJECT_ID}
3. Create a push subscription to the SlashID events endpoint
The push subscription delivers messages to SlashID over HTTPS and authenticates each delivery with an OIDC token signed by Google. The token's audience is set to your Connection ID, which is how a delivery is tied to the data source you created in the SlashID console.
The service account named in --push-auth-service-account must be in the same project as the subscription. Pub/Sub signs the token on that account's behalf, so it is the project's Pub/Sub service agent (service-<PROJECT_NUMBER>@gcp-sa-pubsub.iam.gserviceaccount.com), not the service account itself, that must hold roles/iam.serviceAccountTokenCreator, granted on the service account or on the project; the identity running the command below must also have iam.serviceAccounts.actAs on that service account. Use a dedicated service account with no other roles: it only identifies the sender to SlashID and needs no GCP permissions of its own.
$ gcloud pubsub subscriptions create ${SUBSCRIPTION_NAME} \
--project=${PROJECT_ID} \
--topic=${TOPIC_NAME} \
--push-endpoint='https://api.slashid.com/nhi/events/v2/gcp_organization' \
--ack-deadline=60 \
--push-auth-token-audience=${CONNECTION_ID} \
--push-auth-service-account=<YOUR_SERVICE_ACCOUNT_EMAIL> \
--push-no-wrapper
4. Create an organization-level log sink
This creates an aggregated log sink that exports audit logs from every folder and project under your organization (--include-children) to the Pub/Sub topic. The filter matches all Cloud Audit Log types; Admin Activity and System Event logs are always generated, but Data Access audit logs appear only in projects where you have enabled them.
$ gcloud logging sinks create ${SINK_NAME} \
pubsub.googleapis.com/projects/${PROJECT_ID}/topics/${TOPIC_NAME} \
--include-children \
--organization=${ORGANIZATION_ID} \
--log-filter='logName:"cloudaudit.googleapis.com"'
5. Grant the sink permission to publish to the topic
The log sink writes through a Google-managed service account that is created with the sink. Grant it the publisher role on the topic; the sink's writerIdentity field is already in serviceAccount:... form, so it can be passed to --member as-is. Until this binding exists the sink cannot deliver, and matching entries written in the meantime are dropped rather than queued.
$ gcloud pubsub topics add-iam-policy-binding ${TOPIC_NAME} \
--member=$(gcloud logging sinks describe ${SINK_NAME} --organization=${ORGANIZATION_ID} --format="value(writerIdentity)") \
--role=roles/pubsub.publisher \
--project=${PROJECT_ID}
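The five steps above as one script, with the two things they leave to you filled in: a dedicated push-auth service account and the token-creator grant for the Pub/Sub service agent, followed by a check that the subscription presents the expected audience and signer. This is an added example, not SlashID's or Google's own code. The service account name slashid-push-auth, the RUN_SETUP guard, and the validation helpers are assumptions for the example; ORGANIZATION_ID, CONNECTION_ID and PROJECT_ID are expected to be exported as in the Setup section.

```bash
#!/usr/bin/env bash
# Added example (not part of the SlashID documentation): end-to-end setup with a
# dedicated push-auth service account, the Pub/Sub service-agent grant, and
# post-setup verification. Expects ORGANIZATION_ID, CONNECTION_ID and PROJECT_ID
# to be exported. PUSH_SA_NAME and RUN_SETUP are assumptions of this example.
set -eu

TOPIC_NAME="${TOPIC_NAME:-audit-logs}"
SUBSCRIPTION_NAME="${SUBSCRIPTION_NAME:-audit-logs-push-slashid}"
SINK_NAME="${SINK_NAME:-audit-sink}"
PUSH_SA_NAME="${PUSH_SA_NAME:-slashid-push-auth}"
PUSH_ENDPOINT="https://api.slashid.com/nhi/events/v2/gcp_organization"

# Helpers with no gcloud dependency: validate inputs and build resource names
# before anything is created.
is_numeric_org_id() { printf '%s' "$1" | grep -Eq '^[0-9]+$'; }
# Project IDs: 6-30 chars, lowercase letters, digits and hyphens, starting
# with a letter and not ending with a hyphen.
is_valid_project_id() { printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'; }
sink_destination() { printf 'pubsub.googleapis.com/projects/%s/topics/%s' "$1" "$2"; }
push_sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }
# The Pub/Sub service agent is named from the project number, not the project ID.
pubsub_service_agent() { printf 'service-%s@gcp-sa-pubsub.iam.gserviceaccount.com' "$1"; }

setup() {
  is_numeric_org_id "${ORGANIZATION_ID}" || { echo "ORGANIZATION_ID must be numeric" >&2; return 1; }
  is_valid_project_id "${PROJECT_ID}" || { echo "PROJECT_ID is not a valid project ID" >&2; return 1; }
  project_number=$(gcloud projects describe "${PROJECT_ID}" --format="value(projectNumber)")
  push_sa=$(push_sa_email "${PUSH_SA_NAME}" "${PROJECT_ID}")

  # A dedicated account with no roles of its own: it exists only to be the
  # subject of the OIDC token that SlashID receives.
  gcloud iam service-accounts create "${PUSH_SA_NAME}" --project="${PROJECT_ID}" \
    --display-name="SlashID push auth"
  # Pub/Sub's service agent signs the token, so the tokenCreator grant goes to
  # the agent, scoped to this one service account rather than the whole project.
  gcloud iam service-accounts add-iam-policy-binding "${push_sa}" --project="${PROJECT_ID}" \
    --member="serviceAccount:$(pubsub_service_agent "${project_number}")" \
    --role=roles/iam.serviceAccountTokenCreator

  gcloud pubsub topics create "${TOPIC_NAME}" --project="${PROJECT_ID}"
  gcloud pubsub subscriptions create "${SUBSCRIPTION_NAME}" --project="${PROJECT_ID}" \
    --topic="${TOPIC_NAME}" --push-endpoint="${PUSH_ENDPOINT}" --ack-deadline=60 \
    --push-auth-token-audience="${CONNECTION_ID}" --push-auth-service-account="${push_sa}" \
    --push-no-wrapper
  gcloud logging sinks create "${SINK_NAME}" "$(sink_destination "${PROJECT_ID}" "${TOPIC_NAME}")" \
    --organization="${ORGANIZATION_ID}" --include-children \
    --log-filter='logName:"cloudaudit.googleapis.com"'
  writer=$(gcloud logging sinks describe "${SINK_NAME}" --organization="${ORGANIZATION_ID}" \
    --format="value(writerIdentity)")
  gcloud pubsub topics add-iam-policy-binding "${TOPIC_NAME}" --project="${PROJECT_ID}" \
    --member="${writer}" --role=roles/pubsub.publisher
}

verify() {
  # The subscription must present exactly the audience and signer SlashID expects.
  aud=$(gcloud pubsub subscriptions describe "${SUBSCRIPTION_NAME}" --project="${PROJECT_ID}" \
    --format="value(pushConfig.oidcToken.audience)")
  signer=$(gcloud pubsub subscriptions describe "${SUBSCRIPTION_NAME}" --project="${PROJECT_ID}" \
    --format="value(pushConfig.oidcToken.serviceAccountEmail)")
  [ "${aud}" = "${CONNECTION_ID}" ] || { echo "audience is '${aud}', expected CONNECTION_ID" >&2; return 1; }
  [ "${signer}" = "$(push_sa_email "${PUSH_SA_NAME}" "${PROJECT_ID}")" ] || { echo "unexpected signer ${signer}" >&2; return 1; }
  # Review who may publish: only the sink's writer identity should be listed.
  echo "publishers on ${TOPIC_NAME}:"
  gcloud pubsub topics get-iam-policy "${TOPIC_NAME}" --project="${PROJECT_ID}" \
    --flatten="bindings[].members" --filter="bindings.role:roles/pubsub.publisher" \
    --format="value(bindings.members)"
}

# Only touch GCP when explicitly asked, so the helpers can be sourced and checked offline.
if [ -n "${RUN_SETUP:-}" ]; then
  setup && verify
fi
```

Run it as RUN_SETUP=1 ./setup.sh after exporting the three variables; the publisher list printed at the end should contain only the sink's writer identity. The account it creates is what goes in --push-auth-service-account in step 3 if you run the steps by hand instead.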