Wazuh GCP - Google Cloud Platform Monitoring

Wazuh provides security monitoring for Google Cloud Platform through the gcp-pubsub module, which receives Cloud Audit Log events via Google Cloud Pub/Sub subscriptions. The module processes four types of audit logs: data access, privileged administrator actions, system events, and DNS queries. This integration centralizes GCP cloud threat analysis within the Wazuh platform.

Supported Data Sources

Cloud Audit Logs

Google Cloud Audit Logs capture all actions within GCP projects. Wazuh processes the following log types:

Log Type	Description	Example Events
Admin Activity	Privileged administrator operations	VM creation, IAM policy changes, network configuration
Data Access	User data access	Cloud Storage object reads, BigQuery queries
System Event	GCP system events	Autoscaling, VM live migration
Policy Denied	Requests denied by policies	Organization policy violations

Pub/Sub

Google Cloud Pub/Sub is a managed messaging service that serves as the transport mechanism between Cloud Audit Logs and the Wazuh module. Pub/Sub ensures reliable event delivery with automatic buffering.

Cloud Storage

The module also supports Cloud Storage bucket monitoring for collecting logs exported via Cloud Logging Sinks.

Service Account Setup

The module requires a GCP service account with appropriate roles and a generated JSON key.

Creating a Service Account

Navigate to IAM & Admin - Service Accounts in the Google Cloud Console
Select + CREATE SERVICE ACCOUNT
Provide a name (for example, wazuh-pubsub-reader) and description
Assign roles:

Role	Purpose
`Pub/Sub Subscriber`	Receive messages from a subscription
`Pub/Sub Publisher`	Publish processing acknowledgements
`Storage Object User`	Access Cloud Storage buckets (if needed)

Generating a JSON Key

Select the created service account
Navigate to the Keys tab
Select ADD KEY - Create new key - JSON
Save the downloaded file

Placing the Key on the Wazuh Server

sudo cp credentials.json /var/ossec/wodles/gcloud/gcp-credentials.json
sudo chown root:wazuh /var/ossec/wodles/gcloud/gcp-credentials.json
sudo chmod 640 /var/ossec/wodles/gcloud/gcp-credentials.json

JSON Key Structure

{
  "type": "service_account",
  "project_id": "my-gcp-project",
  "private_key_id": "key-id-example",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
  "client_email": "wazuh-pubsub-reader@my-gcp-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/wazuh-pubsub-reader%40my-gcp-project.iam.gserviceaccount.com"
}

Pub/Sub Setup

Creating a Topic

Create a Pub/Sub topic to receive Cloud Audit Log events:

gcloud pubsub topics create wazuh-audit-logs \
  --project=my-gcp-project

Creating a Subscription

Create a subscription for the topic:

gcloud pubsub subscriptions create wazuh-audit-subscription \
  --topic=wazuh-audit-logs \
  --ack-deadline=60 \
  --message-retention-duration=7d \
  --project=my-gcp-project

Configuring a Cloud Logging Sink

Create a sink to export Cloud Audit Logs to the Pub/Sub topic:

gcloud logging sinks create wazuh-audit-sink \
  pubsub.googleapis.com/projects/my-gcp-project/topics/wazuh-audit-logs \
  --log-filter='logName:"cloudaudit.googleapis.com"' \
  --project=my-gcp-project

After creating the sink, grant the sink service account permission to publish to the topic:

gcloud pubsub topics add-iam-policy-binding wazuh-audit-logs \
  --member="serviceAccount:SINK_SERVICE_ACCOUNT" \
  --role="roles/pubsub.publisher" \
  --project=my-gcp-project

Module Configuration (gcp-pubsub)

The module is configured in ossec.conf on the Wazuh server or agent.

Basic Configuration

<wodle name="gcp-pubsub">
  <enabled>yes</enabled>
  <project_id>my-gcp-project</project_id>
  <subscription_name>wazuh-audit-subscription</subscription_name>
  <credentials_file>/var/ossec/wodles/gcloud/gcp-credentials.json</credentials_file>
  <interval>1m</interval>
  <max_messages>100</max_messages>
  <pull_on_start>yes</pull_on_start>
</wodle>

Configuration with Logging

<wodle name="gcp-pubsub">
  <enabled>yes</enabled>
  <project_id>my-gcp-project</project_id>
  <subscription_name>wazuh-audit-subscription</subscription_name>
  <credentials_file>/var/ossec/wodles/gcloud/gcp-credentials.json</credentials_file>
  <interval>5m</interval>
  <max_messages>200</max_messages>
  <pull_on_start>yes</pull_on_start>
  <logging>info</logging>
</wodle>

Multi-Project Monitoring

<wodle name="gcp-pubsub">
  <enabled>yes</enabled>
  <project_id>production-project</project_id>
  <subscription_name>wazuh-prod-subscription</subscription_name>
  <credentials_file>/var/ossec/wodles/gcloud/prod-credentials.json</credentials_file>
  <interval>1m</interval>
  <max_messages>100</max_messages>
  <pull_on_start>yes</pull_on_start>
</wodle>

<wodle name="gcp-pubsub">
  <enabled>yes</enabled>
  <project_id>staging-project</project_id>
  <subscription_name>wazuh-staging-subscription</subscription_name>
  <credentials_file>/var/ossec/wodles/gcloud/staging-credentials.json</credentials_file>
  <interval>5m</interval>
  <max_messages>50</max_messages>
  <pull_on_start>yes</pull_on_start>
</wodle>

Module Parameters

Parameter	Default	Description
`enabled`	yes	Enable or disable the module
`project_id`	-	GCP project identifier
`subscription_name`	-	Pub/Sub subscription name
`credentials_file`	-	Path to the service account JSON key file
`interval`	1m	Subscription polling interval (s/m/h/d)
`max_messages`	100	Maximum messages per polling cycle
`pull_on_start`	yes	Pull messages on module startup
`logging`	info	Logging level (debug, info, warning, error)

Alert Examples

IAM Policy Change

{
  "rule": {
    "id": "65032",
    "level": 7,
    "description": "GCP: IAM policy modified"
  },
  "data": {
    "gcp": {
      "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
      "protoPayload": {
        "methodName": "google.iam.admin.v1.SetIamPolicy",
        "authenticationInfo": {
          "principalEmail": "admin@company.com"
        },
        "resourceName": "projects/my-project",
        "serviceName": "iam.googleapis.com"
      }
    }
  }
}

Firewall Rule Modification

{
  "rule": {
    "id": "65040",
    "level": 8,
    "description": "GCP: Firewall rule modified"
  },
  "data": {
    "gcp": {
      "protoPayload": {
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {
          "principalEmail": "devops@company.com"
        },
        "request": {
          "name": "allow-all-ingress",
          "direction": "INGRESS",
          "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}],
          "sourceRanges": ["0.0.0.0/0"]
        }
      }
    }
  }
}

Cloud Storage Access

{
  "rule": {
    "id": "65050",
    "level": 5,
    "description": "GCP: Cloud Storage object accessed"
  },
  "data": {
    "gcp": {
      "protoPayload": {
        "methodName": "storage.objects.get",
        "authenticationInfo": {
          "principalEmail": "user@company.com"
        },
        "resourceName": "projects/_/buckets/sensitive-data/objects/credentials.csv",
        "serviceName": "storage.googleapis.com"
      }
    }
  }
}

Use Cases

Detecting IAM Changes

Adding new members to projects with privileged roles
Creating service accounts with the Owner role
Modifying IAM policies at the organization level
Creating custom roles with excessive permissions

Monitoring Firewall Changes

Creating rules that allow inbound traffic from 0.0.0.0/0
Deleting restrictive firewall rules
Modifying rules for critical subnets
Opening management ports (SSH, RDP) for public access

Controlling Storage Access

Access to buckets containing sensitive data
Modification of bucket ACLs or IAM policies
Bulk object downloads
Changes to bucket encryption settings

Troubleshooting

Module Not Receiving Messages

Verify that project_id and subscription_name are correct
Confirm the service account JSON key is valid
Check that the subscription is active: gcloud pubsub subscriptions describe wazuh-audit-subscription
Ensure the Cloud Logging Sink is created and routing logs to the topic
Review the log file: /var/ossec/logs/ossec.log

Permission Denied Error

Verify that the service account has Pub/Sub Subscriber and Publisher roles
Confirm the sink service account has access to the topic
Check that the key has not been revoked in the Google Cloud Console

Event Delivery Delays

Reduce the interval value (for example, to 30s)
Increase max_messages to process more events per cycle
Check that the subscription is not accumulating unread messages
Consider creating separate subscriptions for different log types

Python Dependencies

The module requires Python 3 and Google Cloud libraries:

/var/ossec/framework/python/bin/pip3 install google-cloud-pubsub google-cloud-storage

Related Sections

Cloud Security Monitoring - overview of cloud integrations
AWS Monitoring - Amazon Web Services integration
Wazuh Capabilities - platform security modules

Last updated on 8, April 2026

Wazuh Azure - Microsoft Azure Security Monitoring Wazuh GitHub - Organization Audit Monitoring