Analyzing Logs with SIEM Tools
Start course

This course shows you how to monitor your operations on GCP. It starts with monitoring dashboards. You'll learn what they are and how to create, list, view, and filter them. You'll also see how to create a custom dashboard right in the GCP console.

The course then moves on to monitoring and alerting, where you'll learn about SLI-based alerting policies and third-party integrations. You'll also learn about SLO monitoring and alerting, along with integrating GCP monitoring with products like Grafana. We’ll wrap things up by touching on SIEM tools that are used to analyze audit and flow logs.

This course contains a handful of demos that give you a practical look at how to apply these monitoring techniques on the GCP platform. If you have any feedback relating to this course, feel free to reach out to us at

Learning Objectives

  • Create, list, view, and filter dashboards
  • Configure notifications, including through third-party channels
  • Learn about SLI- and SLO-based alerting and monitoring
  • Integrate GCP operations monitoring with Grafana
  • Analyze logs with SIEM tools

Intended Audience

This course is intended for anyone who wishes to learn how to manage GCP Operations monitoring.


To get the most out of this course, you should already have some experience with Google Cloud Platform.





Hello and welcome to Analyzing Logs with SIEM Tools. In this lesson, we’ll talk about how you can leverage Pub/Sub and SIEM tools like Splunk to analyze GCP cloud logging data. 

Before we start, let’s get a level set on what Splunk is. Splunk is a third-party security information and event management solution, or SIEM. It supports many different ways of ingesting data that can then be analyzed. To receive streaming data out of Google Cloud, you can use the Splunk HTTP Event Collector or you can pull data from Google Cloud APIs via the Splunk Add-on for Google Cloud.

You can also leverage the Pub/Sub to Splunk Dataflow template in GCP to natively forward logs and events from a Pub/Sub topic in GCP to the Splunk HTTP Event Collector.

To enable GCP logging export to Splunk through Pub/Sub, you’ll need to complete several steps.

First, you’ll want to set up a Pub/Sub topic that will receive your exported logs. You’ll also have to add a subscription to the topic.

Next, you’ll need to turn on audit logging for all of your GCP services. 

Once you’ve enabled audit logging for all GCP services, configure the logging export.

Next, set IAM policy permissions for the Pub/Sub topic that you created.

After you’ve configured IAM policy permissions, it’s time to set up the Splunk data ingest. There are two ways to do this. You can stream your logs using Pub/Sub to Splunk Dataflow OR you can pull the logs using the Splunk Add-on for Google Cloud.

Once your logs have been ingested into Splunk, you can use Splunk to analyze the exported logs like any other data source. You can search the ingested logs, correlate events, and visualize the data via dashboards.

For complete, step-by-step instructions for exporting Cloud Logging data to Splunk, visit the URL that you see on your screen.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.