Before you begin, please review our Log Pipeline article if you have not already!
Setting up a GCP Google Storage Bucket
To add a GCP Google Cloud Storage bucket:
Click the Add New Destination button on the Log Pipeline / Log Destinations page.
Select GCP Bucket from the dropdown.
Provide a Display Name for your bucket, this will help you differentiate it from your other configured log destinations.
Provide your GCP Bucket Name and paste the contents of the corresponding GCP IAM JSON key file for your desired bucket.
Choose whether to send either or both Status Logs and Result Logs.
Log Path and Formatting
As noted in the Add New Destination modal, logs are written to a custom path of your choosing. When constructing a path, you can choose from the following variables:
{{device_id}} - The unique identifier for the Device sending the logs.
{{device_name}} - The display name of the device (usually its host name) or, if no device name is found, the string "NO DEVICE NAME".
{{device_serial}} - The device's hardware serial number or, if no serial is found, the string "NO DEVICE SERIAL".
{{request_id}} - A ULID associated with the HTTPS request made by the Osquery agent. (Note: it is possible for files to share the same ULID across queries)
{{random_ulid}} - A random ULID that is generated for each log written into the bucket.
{{pack_name}} - The name of the query pack (RESULT LOGS ONLY).
{{query_name}} - The name of the query inside the query pack (RESULT LOGS ONLY).
See the examples below on how to use these variables on how to construct these log paths.
Result Logs kolide/results/{{pack_name}}/{{query_name}}/device-{{device_id}}/{{request_id}}.json
Status Logskolide/status/device-{{device_id}}/{{request_id}}.json