Google SecOps
Choose this destination when your collectors should deliver logs straight into Google Security Operations (Chronicle)—either over gRPC to the regional ingestion endpoint most teams use by default, or over https when your SecOps rollout expects the v2 ImportLogs REST API.
Supported types: Logs
In the Praxis UI the node is labeled Google SecOps under Security (and related) groups. A single form covers both paths: HTTPS corresponds to what was previously a separate “Import API” destination.
Protocol
| Protocol | API | When to use |
|---|---|---|
| gRPC | Legacy gRPC / malachite-style ingestion to the regional ingestion host. | Default path; matches historical Google SecOps collector integrations that target malachiteingestion-*.googleapis.com. |
| https | Chronicle ImportLogs over HTTPS (REST), v1alpha or v1beta. | When your deployment uses the v2 import API with location, project, and optional forwarder in the request model. |
Required fields depend on the protocol; see the tables below. customer_id is always required. Set field_to_send to the OTTL field (for example body) that holds the raw log bytes.
Authentication
| Credential type | Description |
|---|---|
| Google SecOps (google_secops) | Credential Type: JSON Creds or File Path for Google API–style application credentials. |
| Chronicle Auth (chronicleauth) | Service account / workload-identity style credentials used with Chronicle, often for HTTPS and GCP-aligned flows. Credential source: inline JSON, file path, or workload identity as defined in the credential form. |
Select a credential type supported by your Google SecOps / Chronicle team for the chosen protocol and environment.
Basic configuration (shared)
| Parameter | Type | Description |
|---|---|---|
| protocol | string | gRPC (default) or https. |
| customer_id | string | Google SecOps customer / instance ID (UUID). Often found under Settings → Profile → Organization details. |
| field_to_send | string | OTTL field path for the raw log (default body). Required for both protocols. |
| fallback_log_type | string | Default Chronicle log_type when a record has none. Required if Google SecOps standardization does not set log_type. |
gRPC
| Parameter | Type | Default | Required | Description |
|---|---|---|---|---|
| endpoint | string | malachiteingestion-pa.googleapis.com | Yes | Ingestion host (no https:// scheme). Use the host your Google documentation specifies for the region. |
HTTPS (ImportLogs REST)
| Parameter | Type | Default | Required | Description |
|---|---|---|---|---|
| endpoint | string | chronicle.googleapis.com (per form defaults) | Yes | Ingestion host for HTTPS, typically the Chronicle/SecOps global endpoint host your team provides. |
| location | string | — | Yes | Chronicle region, for example us or europe. |
| project | string | — | Yes | GCP project ID for the Chronicle / SecOps instance. |
| forwarder | string | — | No | Forwarder id used in the import payload. If empty, the collector may use the destination node name. |
Advanced configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| timeout | int | 90 | Request timeout in seconds. |
| namespace | string | — | Optional environment or domain namespace on each log entry (for example prod). |
| compression | string | none | gzip or none for outgoing payloads. |
| api_version | string | v1alpha | HTTPS only: v1alpha or v1beta for the ImportLogs REST API. |
| ingestion_labels | object | — | String map of labels attached to every log (Chronicle ingestion labels). |
| retry_on_failure | bool | true | Enable retries on failed exports. |
| backpressure_queue | bool | true | Enable an internal (optionally disk-backed) queue. |
Retry and queue
When retry or backpressure queue is enabled, the same sub-objects apply as before:
- Retry: initial_interval, max_interval, max_time_elapsed (seconds in the form).
- Queue: queue_size, number_of_consumers, enable_disk_backed_queue.
Example: gRPC
```json
{
  "protocol": "gRPC",
  "endpoint": "malachiteingestion-pa.googleapis.com",
  "customer_id": "00000000-0000-0000-0000-000000000000",
  "field_to_send": "body",
  "fallback_log_type": "WINEVTLOG",
  "advanced": {
    "compression": "none",
    "namespace": "",
    "timeout": 90,
    "retry_on_failure": true,
    "retry_on_failure_settings": {
      "initial_interval": 5,
      "max_interval": 30,
      "max_time_elapsed": 300
    },
    "backpressure_queue": true,
    "backpressure_queue_settings": {
      "number_of_consumers": 40,
      "queue_size": 5000,
      "enable_disk_backed_queue": true
    }
  }
}
```
Example: HTTPS (ImportLogs)
```json
{
  "protocol": "https",
  "endpoint": "chronicle.googleapis.com",
  "location": "us",
  "project": "my-gcp-project",
  "forwarder": "my-forwarder",
  "customer_id": "00000000-0000-0000-0000-000000000000",
  "field_to_send": "body",
  "fallback_log_type": "GCP_CLOUDAUDIT",
  "advanced": {
    "timeout": 90,
    "compression": "gzip",
    "api_version": "v1alpha",
    "ingestion_labels": { "env": "production" },
    "retry_on_failure": true,
    "retry_on_failure_settings": {
      "initial_interval": 5,
      "max_interval": 30,
      "max_time_elapsed": 300
    },
    "backpressure_queue": true,
    "backpressure_queue_settings": {
      "number_of_consumers": 40,
      "queue_size": 5000,
      "enable_disk_backed_queue": true
    }
  }
}
```
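The required fields differ by protocol, and a destination that is misconfigured (wrong endpoint host, missing location, a scheme pasted into the endpoint) either fails at deploy time or quietly ships logs somewhere you did not intend. The lint below is an added example for this page, not Praxis or Google code: it encodes the rules from the tables above (required fields per protocol, allowed api_version and compression values, positive retry and queue numbers) against a config object of the shape shown in the two examples. The googleapis.com host check and the initial_interval <= max_interval <= max_time_elapsed ordering rule are assumptions added here, and the sample configs are constructed.

```python
"""Pre-deployment lint for a Praxis Google SecOps destination config.

Added example for this page, not Praxis or Google code. Field names and
allowed values follow the reference tables above; the lint rules and the
sample configs are constructed here.
"""
import uuid

PROTOCOLS = {"gRPC", "https"}
API_VERSIONS = {"v1alpha", "v1beta"}
COMPRESSIONS = {"gzip", "none"}
# Assumption: both documented ingestion hosts live under googleapis.com, so a
# destination pointing anywhere else deserves a second look before logs ship.
GOOGLE_HOST_SUFFIX = ".googleapis.com"


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def _positive_int(value):
    # bool is a subclass of int, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and value > 0


def lint_secops_destination(cfg):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    protocol = cfg.get("protocol", "gRPC")
    if protocol not in PROTOCOLS:
        findings.append(f"protocol must be gRPC or https, got {protocol!r}")

    # Fields required for both protocols.
    if not _is_uuid(cfg.get("customer_id", "")):
        findings.append("customer_id must be the instance UUID")
    if not cfg.get("field_to_send"):
        findings.append("field_to_send is required (for example 'body')")
    if not cfg.get("fallback_log_type"):
        findings.append("fallback_log_type unset: required unless standardization sets log_type")

    endpoint = cfg.get("endpoint", "")
    if not endpoint:
        findings.append("endpoint is required")
    elif "://" in endpoint or "/" in endpoint:
        findings.append("endpoint must be a bare host, no scheme or path")
    elif not endpoint.endswith(GOOGLE_HOST_SUFFIX):
        findings.append(f"endpoint {endpoint!r} is not a {GOOGLE_HOST_SUFFIX} host; confirm it")

    adv = cfg.get("advanced", {})
    if protocol == "https":
        for key in ("location", "project"):
            if not cfg.get(key):
                findings.append(f"{key} is required for https")
        version = adv.get("api_version", "v1alpha")
        if version not in API_VERSIONS:
            findings.append(f"api_version must be v1alpha or v1beta, got {version!r}")
    elif "api_version" in adv:
        findings.append("api_version applies to https only")

    compression = adv.get("compression", "none")
    if compression not in COMPRESSIONS:
        findings.append(f"compression must be gzip or none, got {compression!r}")
    if not _positive_int(adv.get("timeout", 90)):
        findings.append("timeout must be a positive number of seconds")
    labels = adv.get("ingestion_labels", {})
    if not isinstance(labels, dict) or not all(
        isinstance(k, str) and isinstance(v, str) for k, v in labels.items()
    ):
        findings.append("ingestion_labels must be a string-to-string map")

    # Retry and queue sub-objects hold seconds and counts, so they must be
    # positive. The ordering rule is an assumption, not stated on the page.
    retry = adv.get("retry_on_failure_settings", {})
    retry_keys = ("initial_interval", "max_interval", "max_time_elapsed")
    for key in retry_keys:
        if key in retry and not _positive_int(retry[key]):
            findings.append(f"{key} must be a positive number of seconds")
    if all(_positive_int(retry.get(k)) for k in retry_keys):
        if not retry["initial_interval"] <= retry["max_interval"] <= retry["max_time_elapsed"]:
            findings.append("retry settings should satisfy initial_interval <= max_interval <= max_time_elapsed")
    queue = adv.get("backpressure_queue_settings", {})
    for key in ("queue_size", "number_of_consumers"):
        if key in queue and not _positive_int(queue[key]):
            findings.append(f"{key} must be a positive integer")
    return findings


# Constructed sample: mirrors the gRPC example above (placeholder customer_id).
GRPC_OK = {
    "protocol": "gRPC", "endpoint": "malachiteingestion-pa.googleapis.com",
    "customer_id": "00000000-0000-0000-0000-000000000000",
    "field_to_send": "body", "fallback_log_type": "WINEVTLOG",
    "advanced": {"compression": "none", "timeout": 90,
                 "retry_on_failure_settings": {"initial_interval": 5, "max_interval": 30, "max_time_elapsed": 300},
                 "backpressure_queue_settings": {"number_of_consumers": 40, "queue_size": 5000}},
}

# Constructed sample with several defects: scheme in endpoint, bad customer_id,
# missing location, unsupported api_version and compression, inverted retry.
BAD_HTTPS = {
    "protocol": "https", "endpoint": "https://logs.example.net/import",
    "customer_id": "not-a-uuid", "field_to_send": "body",
    "fallback_log_type": "GCP_CLOUDAUDIT", "project": "my-gcp-project",
    "advanced": {"api_version": "v2", "compression": "brotli",
                 "retry_on_failure_settings": {"initial_interval": 60, "max_interval": 30, "max_time_elapsed": 300}},
}

if __name__ == "__main__":
    for name, cfg in (("GRPC_OK", GRPC_OK), ("BAD_HTTPS", BAD_HTTPS)):
        print(name, lint_secops_destination(cfg) or "OK")
```

Run it as a step in whatever pipeline renders your Praxis config; a non-empty findings list should block the rollout so that the first sign of a mistyped endpoint is a failed check rather than an empty Chronicle instance.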
Metrics
| Metric | Description |
|---|---|
| collector_destination_retries_total | Retries when sending log batches fails. |
| collector_destination_records_dropped_total | Records dropped due to errors. |
| collector_destination_queue_capacity | Configured queue size (when enabled). |
See also
- Google SecOps data processing pipeline (Praxis) — management-plane logProcessingPipelines integration (not this collector destination)
- Google SecOps standardization processor — log_type, namespace, ingestion labels
- SecOps Data Processing Pipelines (Google Cloud)