Hello,
I have a requirement to send NetApp CVO Admin activity events from Server.log and authentication events to google secops. I am trying to send them first to cloud logging and then route them to SecOps from there. I can’t use Bindplane Agent, Chronicle Forwarder. For Fluentd i can’t normalize data on NetApp clusters.
Does anyone know what options there is to do this ?
Hi @Sam1212 ,
Since Bindplane, Chronicle Forwarder, and normalization on the NetApp side aren’t options, here’s an alternative approach:
Option: Use Cloud Logging API + Log Router + Pub/Sub + Cloud Function
Forward logs to Cloud Logging:
Export NetApp logs to a GCS bucket or use a custom script to push logs via the Cloud Logging API.
You may need a lightweight agent or cron job that reads server.log and sends entries via HTTP.
Create a Log Router:
Process and forward to SecOps:
Use a Cloud Function or Dataflow to consume logs from Pub/Sub.
Normalize/transform the data as needed.
Forward to Google SecOps (Chronicle) using its ingestion API (HTTPS endpoint).
This avoids the need for any third-party agents or cluster-side normalization.