gcp-bucket

Main options

enabled

Enables or disables the module.

Default value	n/a
Allowed values	yes, no

logging

Deprecated since version 4.4.

This option has no effect. The module now uses the wazuh_modules.debug level to set its logging level.

bucket

Defines a bucket to process. It must have its type attribute defined. It supports multiple instances of this option.

<bucket type="access_logs">

</bucket>

Bucket options

Options	Allowed values	Mandatory/Optional
name	Any valid bucket name	Mandatory
credentials_file	Path to a credentials file. It can be absolute or relative to `WAZUH_HOME`	Mandatory
path	Any valid path	Optional
only_logs_after	Valid date in YYYY-MM-DD format	Optional
remove_from_bucket	A value to determine if each log file is deleted once it has been collected by the module	Optional

type (attribute)

Specifies the type of bucket.

Default value	N/A
Allowed values	access_logs

name

Name of the Google Cloud Storage bucket from which logs are read.

Default value	N/A
Allowed values	Any valid bucket name

credentials_file

Path to the Google Cloud credentials file. It can be an absolute path or relative to WAZUH_HOME.

Default value	n/a
Allowed values	Any path to a credentials file

For example <credentials_file>wodles/gcp-bucket/credentials.json</credentials_file>.

path

Bucket path or prefix.

Default value	N/A
Allowed values	Valid path

only_logs_after

Parse logs from a specific date onwards. It must follow the YYYY-MM-DD format.

Default value	Date of execution at `00:00:00`
Allowed values	Valid date [YYYY-MM-DD]

remove_from_bucket

Remove the logs from the Google Cloud Storage bucket once the module reads them.

Default value	no
Allowed values	yes, no

Scheduling options

run_on_start

Run the module on ThreatLockDown service start or restart.

Default value	yes
Allowed values	yes, no

interval

Time interval between module executions.

Default value	1h
Allowed values	A positive number that should contain a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), d (days), w (weeks), M (months)

day

Day of the month to retrieve logs from GCP.

Default value	n/a
Allowed values	Day of the month [1..31]

Note

When the day option is set, the interval value must be a multiple of months. By default, the interval is set to a month.

wday

Day of the week to retrieve logs from GCP. This option is not compatible with the day option.

Default value	n/a
Allowed values	Day of the week: sunday/sun monday/mon tuesday/tue wednesday/wed thursday/thu friday/fri saturday/sat

Note

When the wday option is set, the interval value must be a multiple of weeks. By default, the interval is set to a week.

time

Time of the day to retrieve logs from GCP. It has to be represented in the format hh:mm. This option is compatible with day or wday options.

Default value	n/a
Allowed values	Time of day [hh:mm]

Note

When only the time option is set, the interval value must be a multiple of days or weeks. By default, the interval is set to a day.

Configuration example

Linux configuration:

<gcp-bucket>
    <run_on_start>yes</run_on_start>
    <interval>1m</interval>
    <bucket type="access_logs">
        <name>wazuh-test-bucket</name>
        <credentials_file>/var/ossec/wodles/gcloud/credentials.json</credentials_file>
        <only_logs_after>2021-JUN-01</only_logs_after>
        <path>access_logs/</path>
        <remove_from_bucket>no</remove_from_bucket>
    </bucket>
</gcp-bucket>