Monitor scan results in GCP

Do not depend on logs in your downstream workflow. Logs are subject to change without prior notice. Use the GCP Pub/Sub resource instead. If there is any necessary information that only exists in logs, please contact support with a feature request.

Pub/Sub Topic

You can configure the Scan Result Topic to notify you when a scan occurs. The Scan Result Topic is a GCP Cloud Pub/Sub resource.

Find the scan result topic resource name

  1. Go to the Deployment Manager console in GCP.

  2. Select the storage stack deployment.

  3. Find the Pub/Sub topic resource in the storage stack. The resource name ends with scan-result-topic.

Create a Pub/Sub subscription to the scan result topic

  1. Go to the Pub/Sub console in GCP.

  2. Select the scan result topic.

  3. Select CREATE SUBSCRIPTION.

  4. Configure the subscription based on your usage scenario.

  5. You can receive scan results from the subscription.

For more information on the creation steps in GCP, see Create and use subscriptions.
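The two console procedures above can also be scripted with the gcloud CLI. The following is an added example, not part of the original documentation; the project ID, the subscription name and the 60-second ack deadline are placeholder assumptions to adjust for your deployment.

```shell
# Added example: gcloud equivalents of the console steps above.
# Project ID, subscription name and ack deadline are placeholders.

# Keep only topic names that end with scan-result-topic
# (step 3 of "Find the scan result topic resource name").
# Reads one topic name per line on stdin; prints nothing if none match.
filter_scan_result_topics() {
  grep -E 'scan-result-topic$' || true
}

# List the topics in a project and print the scan result topic(s).
# Usage: find_scan_result_topics PROJECT_ID
find_scan_result_topics() {
  gcloud pubsub topics list \
    --project="${1:?project id required}" \
    --format='value(name)' | filter_scan_result_topics
}

# Create a pull subscription on the scan result topic.
# Usage: create_scan_subscription PROJECT_ID TOPIC SUBSCRIPTION_NAME
# TOPIC may be the full name printed by find_scan_result_topics.
create_scan_subscription() {
  gcloud pubsub subscriptions create "${3:?subscription name required}" \
    --project="${1:?project id required}" \
    --topic="${2:?topic required}" \
    --ack-deadline=60
}

# Pull up to LIMIT scan result messages as JSON (default 10).
# No --auto-ack: messages are not acknowledged, so they are redelivered
# and this check does not consume them from a production workflow.
# Usage: pull_scan_results PROJECT_ID SUBSCRIPTION_NAME [LIMIT]
pull_scan_results() {
  gcloud pubsub subscriptions pull "${2:?subscription name required}" \
    --project="${1:?project id required}" \
    --limit="${3:-10}" \
    --format=json
}
```

Give the subscription its own name per consumer so that a test pull and a production post-scan action do not compete for the same messages.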

Here is a sample plug-in for creating a GCP Cloud Function to promote or quarantine the scanned files: Post-Scan Action: Promote or Quarantine.

Scanner Logs

View scan results in scanner logs

File Storage Security logs its scan results in the Scanner function's logs. These logs contain a bit more information than what's available in the fss-* tags.

To view the scan result logs in Scanner logs:

  1. In GCP, go to Cloud Function > your scanner function > LOGS.

  2. Input "scan result" in the Filter field.

  3. Expand the event message that starts with scanner result: and reference the scan result format.

Search for scan results in Logs Explorer

You can search for scan results using GCP Logs Explorer. Below is an example of how to set up a query.

  1. In GCP, go to the Logging service.

  2. On the left, select Logs Explorer.

  3. Click the Show query button.

  4. Replace the contents of the text box with the following lines:

    resource.type="cloud_function"
    resource.labels.function_name="SCANNER_FUNCTION_NAME"
    "scan result"

    Replace SCANNER_FUNCTION_NAME with the scanner function's name. This query finds all scan results.

  5. Set the time or date range using the available buttons.

  6. Select Run query. A list of messages containing scan results appears.

  7. Expand a message to view the scan results. For help on understanding the scan results, see scan result format.