| Attribute | Value |
|---|---|
| Connector ID | GKECCPDefinition |
| Publisher | Microsoft |
| Used in Solutions | Google Kubernetes Engine |
| Collection Method | CCF |
| Connector Definition Files | GoogleKubernetesEngineLogs_ConnectorDefinition.json |
| CCF Configuration | GoogleKubernetesEngineLogs_PollingConfig.json |
| CCF Capabilities | GCP |
The Google Kubernetes Engine (GKE) Logs enable you to capture cluster activity, workload behavior, and security events, allowing you to monitor Kubernetes workloads, analyze performance, and detect potential threats across GKE clusters.
This connector ingests data into the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| GKEAPIServer | ✓ | ✓ | ? |
| GKEApplication | ✓ | ✓ | ? |
| GKEAudit | ✓ | ✓ | ? |
| GKEControllerManager | ✓ | ✓ | ? |
| GKEHPADecision | ✓ | ✓ | ? |
| GKEScheduler | ✓ | ✓ | ? |
💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.
Resource Provider Permissions:
- Workspace (Workspace): Read and Write permissions are required.
⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.
To configure this data connector, execute the following Terraform scripts:
TenantId
Note: The value above is dynamically provided when these instructions are presented within Microsoft Sentinel.
In your GCP account, navigate to the Kubernetes Engine section. Enable Cloud Logging for your clusters. Within Cloud Logging, ensure that the specific logs you want to ingest—such as API server, scheduler, controller manager, HPA decision, and application logs—are enabled for effective monitoring and security analysis.
To enable GKE Logs for Microsoft Sentinel, click the Add new collector button, fill in the required information in the context pane, and click Connect.
GCP Collector Management
📊 View GCP Collectors: A management interface displays your configured Google Cloud Platform data collectors.
➕ Add New Collector: Click "Add new collector" to configure a new GCP data connection.
💡 Portal-Only Feature: This configuration interface is only available in the Microsoft Sentinel portal.
GCP Connection Configuration
When you click "Add new collector" in the portal, you'll be prompted to provide:
- Project ID: Your Google Cloud Platform project ID
- Service Account: GCP service account credentials with appropriate permissions
- Subscription: The Pub/Sub subscription to monitor for log data
💡 Portal-Only Feature: This configuration form is only available in the Microsoft Sentinel portal.