Exporting Alerts to Google Cloud Pub/Sub

Introduction

Pub/Sub is an asynchronous messaging service that decouples services that produce events from services that process events.

You can use Pub/Sub as messaging-oriented middleware or event ingestion and delivery for streaming analytics pipelines.

Setting up Pub/Sub to receive alerts

Log in to the Pub/Sub project and create a topic to receive the alerts by following the steps below.

  1. Click CREATE TOPIC and enter a topic id. This id is used in the sensor set-up later.
  2. The checkboxes can be left unchecked while creating a topic.

Setting up the Sophos Linux Sensor to send alerts to Pub/Sub

The following example output requires an existing Pub/Sub project and topic. It also requires a service account with the pubsub.topics.publish permission.

# Send alerts to the "alert" topic in the Pub/Sub "sophos" project, using an explicit credentials file
alert_output:
  outputs:
    - type: pubsub
      enabled: true
      project_name: sophos
      topic_id: alert
      credentials_json: /home/ubuntu/.gcp/credentials.json

Alternatively, GOOGLE_APPLICATION_CREDENTIALS can be set to point to the credentials.json file, in which case credentials_json can be omitted:

# Send alerts to the "alert" topic in the Pub/Sub "sophos" project, using the credentials file named by GOOGLE_APPLICATION_CREDENTIALS
alert_output:
  outputs:
    - type: pubsub
      enabled: true
      project_name: sophos
      topic_id: alert

Optionally, with some additional permissions, you can also turn on the option to check that the topic and project are valid at start-up:

alert_output:
  outputs:
    - type: pubsub
      enabled: true
      project_name: sophos
      topic_id: alert
      validate_topic: true

The additional permissions are:

  • pubsub.schemas.get
  • pubsub.schemas.list
  • pubsub.snapshots.get
  • pubsub.snapshots.list
  • pubsub.subscriptions.get
  • pubsub.subscriptions.list
  • pubsub.topics.get
  • pubsub.topics.list
  • resourcemanager.projects.get
  • serviceusage.quotas.get
  • serviceusage.services.get
  • serviceusage.services.list

| Key | Required | Description |
| --- | --- | --- |
| project_name | Yes | The id of the GCP project in which the Pub/Sub topic is set up. |
| topic_id | Yes | The topic id that was created in the Pub/Sub set-up. |
| credentials_json | No | The path to the GCP credentials JSON file. You can alternatively set the GOOGLE_APPLICATION_CREDENTIALS environment variable. |
| validate_topic | No | When set to true, validates the topic and project at startup. Note that it requires the extra pubsub.Viewer permission to work. |
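As an added example (not part of the Sophos documentation or product), the following Python check validates one pubsub output entry from the alert_output block, as PyYAML would load it, against the keys documented above, and inspects the credentials file the sensor would read: it must exist, hold a service-account key, and not be readable by group or others. The keys and file names are the ones from this page; the helper names and the sample key files are constructed.

```python
import json
import os
import tempfile

REQUIRED = {"project_name", "topic_id"}  # documented as Required: Yes
OPTIONAL = {"type", "enabled", "credentials_json", "validate_topic"}

def check_pubsub_output(output, env=os.environ):
    """Return a list of problems (empty list == OK) for one pubsub alert output entry."""
    if output.get("type") != "pubsub":
        return ["type must be 'pubsub'"]
    problems = [f"missing required key: {k}" for k in sorted(REQUIRED) if not output.get(k)]
    problems += [f"unknown key: {k}" for k in sorted(set(output) - REQUIRED - OPTIONAL)]
    # Credentials come from credentials_json or, if omitted, GOOGLE_APPLICATION_CREDENTIALS.
    path = output.get("credentials_json") or env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        problems.append("no credentials_json and GOOGLE_APPLICATION_CREDENTIALS is unset")
    else:
        problems += check_credentials_file(path)
    return problems

def check_credentials_file(path):
    """The key file must exist, hold a service-account key, and not be group/world readable."""
    try:
        mode = os.stat(path).st_mode
        with open(path) as fh:
            key = json.load(fh)
    except (OSError, ValueError):
        return [f"credentials file missing or not valid JSON: {path}"]
    problems = [f"credentials file is readable by group/others: {path}"] if mode & 0o044 else []
    if key.get("type") != "service_account":
        problems.append(f"credentials file is not a service account key: {path}")
    return problems

def demo():
    """Constructed configs mirroring the page's examples; returns {name: problems}."""
    with tempfile.TemporaryDirectory() as tmp:
        good, loose = (os.path.join(tmp, n) for n in ("credentials.json", "loose.json"))
        for p, mode in ((good, 0o600), (loose, 0o644)):
            with open(p, "w") as fh:
                json.dump({"type": "service_account", "project_id": "sophos"}, fh)  # constructed key
            os.chmod(p, mode)
        base = {"type": "pubsub", "enabled": True, "project_name": "sophos", "topic_id": "alert"}
        return {
            "explicit_file": check_pubsub_output({**base, "credentials_json": good}, env={}),
            "env_var": check_pubsub_output(base, env={"GOOGLE_APPLICATION_CREDENTIALS": loose}),
            "misconfigured": check_pubsub_output({"type": "pubsub", "topic-id": "alert"}, env={}),
        }
```

The "env_var" case reports the world-readable key file even though the configuration itself is valid, which is the condition to fix before the sensor starts publishing with it.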