# Manually Create and Configure an Export Sink for Your GCP Sensor

The export sink defines which logs are exported to a particular topic. You can create a single sink to export all the logs you want your Google Cloud Platform (GCP) Sensor to receive. Alternatively, you can create any number of individual sinks to group your exported logs by type, to maximize performance, or for any other reason that suits your specific implementation.

**To create an export sink for a project or organization**

1. Log in to your GCP environment and go to the organization or project for which you want to create this sink.
2. Go to the Logs Router page under Logging.
3. Click **Create Sink**.
4. Enter the following information:

   * **Sink details**: Enter an identifiable name for this export sink and a description, and then click **Next**.

   * **Sink Destination**: Using the drop-down list, select **Cloud Pub/Sub topic**, select the topic you created for this sink, and then click **Next**.

     <Note>
       **Note:** If you haven't yet created a topic for this sink, you can select **Create a topic** to create one from this page and immediately use it for your sink. If you do so, you must remember to go to that topic and create a subscription for it or your sensor will not receive any logs from it.
     </Note>

   * **Choose logs to include in sink**: Create an inclusion filter to determine which logs are included in the logs routing sink, and then click **Next**.

   * (Optional) **Choose logs to filter out of sink**: Create exclusion filters to determine which logs are excluded from the logs routing sink. Then configure a filter for this sink, following the guidelines in [Configuring Export Sink Filters](manually-create-sink#configuring-export-sink-filters).
5. Click **Create Sink**.

<Warning>
  **Important:** If your sink and topic are in different GCP projects, or if you are exporting organization-level logs to a Google Cloud Pub/Sub topic in a project, you must complete some additional steps. See the following sections for detailed instructions regarding those two cases.
</Warning>

**To create a sink that publishes to a Cloud Pub/Sub topic in a different project**

<Note>
  **Note:** If you have not already granted your service account permission to this second project, first use the instructions in [Preparing Your GCP Environment for Sensor Deployment](preparing-gcp-env-for-deployment) to grant permission to this project now. Be sure to restart the sensor app before proceeding on to step one.
</Note>

1. Log in to your GCP environment and go to the project for which you want to create this sink.
2. Go to the Logs Router page under Logging.
3. Click **Create Sink**.
4. Enter the following information:

   * **Sink details**: Enter an identifiable name for this export sink and a description, and then click **Next**.

   * **Sink Destination**: Using the drop-down list, select **Cloud Pub/Sub topic**, select a Cloud Pub/Sub topic, and then click **Next**.

     <Note>
       **Note:** If you haven't yet created a topic for this sink, you can select **Create a topic** to create one from this page and immediately use it for your sink. If you do so, you must remember to go to that topic and create a subscription for it or your sensor will not receive any logs from it.
     </Note>

     When you make your selection in Sink Destination, the menu item transforms into a text field. Use that field to enter the following, substituting your relevant information where there are variables:

     `pubsub.googleapis.com/projects/<project-id>/topics/<topic_name>`

     Where the \<project-id> you reference is the project your topic resides in.

   * **Choose logs to include in sink**: Create an inclusion filter to determine which logs are included in the logs routing sink, and then click **Next**.

   * (Optional) **Choose logs to filter out of sink**: Create exclusion filters to determine which logs are excluded from the logs routing sink. Then configure a filter for this sink, following the guidelines in [Configuring Export Sink Filters](manually-create-sink#configuring-export-sink-filters).
5. Click **Create Sink**.

**To create a sink to publish from an organization to a topic in a project**

<Warning>
  **Important:** Unlike the previous methods, it is not possible to use the web user interface (UI) to create an export sink to publish from the organization level to a topic at the project level. Instead, use the Google Cloud Shell Editor native to your GCP environment to enter the following commands.
</Warning>

1. Access the Cloud Shell editor in your GCP environment by clicking the **Activate Cloud Shell** button.

   This opens a new window at the bottom of your screen, which may take a few minutes to finish loading.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/levelblue-5324744e/images/usm-anywhere/deployment-guide/gcp/cloud%20shell%20button%20annotated_725x227.webp" />
   </Frame>

2. Use the following command to create a new sink for your organization:

   ```
   gcloud logging sinks create \
       <sink-name> \
       --organization=<organization-id> \
       --include-children \
       pubsub.googleapis.com/projects/<project-name>/topics/<topic-name> \
       --log-filter "logName=(\"organizations/<organization-id>/logs/cloudaudit.googleapis.com%2Factivity\" OR \"organizations/<organization-id>/logs/cloudaudit.googleapis.com%2Fdata_access\" OR \"organizations/<organization-id>/logs/cloudaudit.googleapis.com%2Fsystem_event\")"
   ```

   This returns the following message. Make note of the service account name in the message to enter in the next step.

   ```
   Created [https://logging.googleapis.com/v2/organizations/<organization_id>/sinks/<sink_name>].
   Please remember to grant
   serviceAccount:<name-of-sensor-service-account>@<name-of-project>.iam.gserviceaccount.com
   the Pub/Sub Publisher role on the topic.
   More information about sinks can be found at:
   https://cloud.google.com/logging/docs/export/configure_export
   ```

3. Use the following command to grant the service account the permissions it requires:

   ```
   gcloud organizations add-iam-policy-binding <organization_id> \
       --member=serviceAccount:<name-of-sensor-service-account>@<name-of-project>.iam.gserviceaccount.com \
       --role=roles/pubsub.publisher
   ```
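
The sink creation message above asks for the Pub/Sub Publisher role on the topic, so the grant can be scoped to that single topic instead of the whole organization. The following is an added example, not part of the original guide: the function names and sample IDs are assumptions, and it wraps the standard `gcloud logging sinks describe` and `gcloud pubsub topics add-iam-policy-binding` commands.

```shell
#!/usr/bin/env bash
# Added example: grant the sink's writer identity publish rights on one topic.
# IDs shown in comments are constructed samples, not values from the guide.

# True only for a service-account member, for example (constructed):
#   serviceAccount:sample-writer@sample-project.iam.gserviceaccount.com
# Rejects allUsers, user:, group: and values with stray characters.
is_sink_writer() {
    case $1 in
        serviceAccount:*[!A-Za-z0-9@._-]*) return 1 ;;
        serviceAccount:?*@?*.iam.gserviceaccount.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the identity the organization sink publishes as. The returned value
# already carries the "serviceAccount:" prefix.
sink_writer_identity() {   # args: sink-name organization-id
    gcloud logging sinks describe "$1" --organization="$2" \
        --format='value(writerIdentity)'
}

# Bind roles/pubsub.publisher on one topic only, after checking the member.
grant_topic_publisher() {  # args: project-id topic-name member
    if ! is_sink_writer "$3"; then
        echo "refusing to bind member: $3" >&2
        return 1
    fi
    gcloud pubsub topics add-iam-policy-binding "$2" --project="$1" \
        --member="$3" --role=roles/pubsub.publisher
}

# Typical use in Cloud Shell (constructed sample names):
#   member=$(sink_writer_identity sample-sink 123456789012)
#   grant_topic_publisher sample-project sample-topic "$member"
```
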

## Configuring Export Sink Filters

The filter configured for your export sink determines which logs that sink exports to your topic.

**To configure the filters for your sink**

1. Go to the export sink for which you wish to create a filter.

   You can do this either when you first create the export sink or by opening it any time after that for editing.

2. Click the caret in the text box of your export filter and select **Convert to advanced filter**.

   <Frame>
     <img src="https://mintlify.s3.us-west-1.amazonaws.com/levelblue-5324744e/images/usm-anywhere/deployment-guide/gcp/export%20sink%20filter%20annotated%20trimmed_625x279.webp" />
   </Frame>

3. Use the specifications described in the following table to define which logs will be exported by this sink, separating each filter specification with "OR" (as seen in the preceding image).

<Note>
  **Note:** Any logs included in your filter but not supported by the GCP Sensor will be ignored by the sensor. LevelBlue recommends including syslog in your filter to collect these unsupported logs.

  The GCP Sensor relies on hints to parse syslog logs, meaning that any logs that can be assigned to a plugin will be, while the remainder will be parsed as generic events. See BlueApps and Data Sources for more information about how hints help USM Anywhere parse logs to plugins.
</Note>

**Log Types Supported by the GCP Sensor**

<table>
  <thead>
    <tr>
      <th>Log Type</th>
      <th>Filter to Capture This Log</th>
      <th>Notes</th>
    </tr>
  </thead>

  <tbody>
    <tr>
      <td>Audit Logs at the Organization Level</td>
      <td>organizations/\<organization-id>/logs/cloudaudit.googleapis.com</td>

      <td>
        <p>To filter these logs further, append the following:</p>

        <ul>
          <li>%2Factivity: For activity logs</li>
          <li>%2Fdata\_access: For data access logs</li>
          <li>%2Fsystem\_event: For system events</li>
        </ul>
      </td>
    </tr>

    <tr>
      <td>
        <p>Audit Logs at the Project Level</p>
      </td>

      <td>
        <p>projects/\<project-id>/logs/cloudaudit.googleapis.com</p>
      </td>

      <td>
        <p>To filter these logs further, append the following:</p>

        <ul>
          <li>%2Factivity: For activity logs</li>
          <li>%2Fdata\_access: For data access logs</li>
          <li>%2Fsystem\_event: For system events</li>
        </ul>
      </td>
    </tr>

    <tr>
      <td>VPC Flow Logs</td>
      <td>projects/\<project-id>/logs/compute.googleapis.com%2Fvpc\_flows</td>

      <td />
    </tr>

    <tr>
      <td>Firewall Logs</td>
      <td>projects/\<project-id>/logs/compute.googleapis.com%2Ffirewall</td>

      <td />
    </tr>

    <tr>
      <td>Syslog</td>
      <td>projects/\<project-id>/logs/syslog</td>
      <td>These logs are delivered via the Stackdriver logging agent</td>
    </tr>

    <tr>
      <td>Apache Logs</td>
      <td>projects/\<project-id>/logs/apache</td>

      <td>
        <p>To filter these logs further, append the following:</p>

        <ul>
          <li>-access: For access logs</li>
          <li>-error: For error logs</li>
        </ul>
      </td>
    </tr>

    <tr>
      <td>Nginx Logs</td>
      <td>projects/\<project-id>/logs/nginx</td>

      <td>
        <p>To filter these logs further, append the following:</p>

        <ul>
          <li>-access: For access logs</li>
          <li>-error: For error logs</li>
        </ul>
      </td>
    </tr>
  </tbody>
</table>
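
Joining the table's log names with OR by hand makes it easy to leave a `/` unencoded or break the quoting. The following is an added example, not part of the original guide: `build_log_filter` is a hypothetical helper that takes full log IDs (base name plus suffix, such as `cloudaudit.googleapis.com%2Factivity`), and the IDs in the comments are constructed samples.

```shell
#!/usr/bin/env bash
# Added example: compose a logName filter in the form used by this guide.
# Usage: build_log_filter <parent> <log-id>...
#   parent  organizations/<numeric-id> or projects/<project-id>
#   log-id  encoded log ID from the table, e.g. compute.googleapis.com%2Ffirewall
build_log_filter() {
    parent=$1
    shift
    case $parent in
        organizations/|organizations/*[!0-9]*|projects/|projects/*[!a-z0-9-]*)
            echo "bad parent: $parent" >&2; return 1 ;;
        organizations/*|projects/*) ;;
        *)  echo "bad parent: $parent" >&2; return 1 ;;
    esac
    if [ "$#" -eq 0 ]; then
        echo "no log IDs given" >&2
        return 1
    fi
    filter=""
    for id in "$@"; do
        # A raw "/", a quote or a space would change the meaning of the
        # filter, so only characters of an encoded log ID are accepted.
        case $id in
            ""|*[!A-Za-z0-9._%-]*)
                echo "bad log ID: $id" >&2; return 1 ;;
        esac
        if [ -n "$filter" ]; then
            filter="$filter OR "
        fi
        filter="$filter\"$parent/logs/$id\""
    done
    printf 'logName=(%s)' "$filter"
}

# Pass the result to gcloud without re-quoting it by hand (constructed IDs):
#   gcloud logging sinks create sample-sink \
#       pubsub.googleapis.com/projects/sample-project/topics/sample-topic \
#       --log-filter="$(build_log_filter projects/sample-project \
#           compute.googleapis.com%2Ffirewall syslog)"
```
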
