---
title: Google SecOps Destination
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Observability Pipelines > Destinations > Google SecOps Destination
---

# Google SecOps Destination

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). ().
{% /alert %}

{% /callout %}
Available for:
{% icon name="icon-logs" /%}
 Logs 
Use Observability Pipelines' Google SecOps destination to send logs to Google SecOps.

The Observability Pipelines Worker uses standard Google authentication methods. See [Authentication methods at Google](https://cloud.google.com/docs/authentication#auth-flowchart) for more information about choosing the authentication method for your use case.

## Setup{% #setup %}

Set up the Google SecOps destination and its environment variables when you [set up a pipeline](https://app.datadoghq.com/observability-pipelines). The information below is configured in the pipelines UI.

### Set up the destination{% #set-up-the-destination %}

To set up the Worker's Google SecOps destination:

1. Enter the identifier for your Google SecOps endpoint URL. If you leave it blank, the default is used.
   - **Note**: Only enter the identifier for the endpoint URL. Do **not** enter the actual URL.
1. Enter the customer ID for your Google SecOps instance.
1. If you have a credentials JSON file, enter the path to your credentials JSON file. The credentials file must be placed under `DD_OP_DATA_DIR/config`. Alternatively, you can use the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to provide the credential path.
   - If you're using [workload identity](https://cloud.google.com/kubernetes-engine/docs/concepts/workload-identity) on Google Kubernetes Engine (GKE), the `GOOGLE_APPLICATION_CREDENTIALS` is provided for you.
   - The Worker uses standard [Google authentication methods](https://cloud.google.com/docs/authentication#auth-flowchart).
1. Select **JSON** or **Raw** encoding in the dropdown menu.
1. Enter the log type. See [template syntax](https://docs.datadoghq.com/observability_pipelines/destinations/#template-syntax) if you want to route logs to different log types based on specific fields in your logs.

#### Optional buffering{% #optional-buffering %}

Toggle the switch to enable **Buffering Options**. Enable a configurable buffer on your destination to ensure intermittent latency or an outage at the destination doesn't create immediate backpressure, and allow events to continue to be ingested from your source. Disk buffers can also increase pipeline durability by writing data to disk, ensuring buffered data persists through a Worker restart. See [Destination buffers](https://docs.datadoghq.com/observability_pipelines/scaling_and_performance/buffering_and_backpressure/#destination-buffers) for more information.

- If left unconfigured, your destination uses a memory buffer with a capacity of 500 events.
- To configure a buffer on your destination:
  1. Select the buffer type you want to set (**Memory** or **Disk**).
  1. Enter the buffer size and select the unit.
     1. Maximum memory buffer size is 128 GB.
     1. Maximum disk buffer size is 500 GB.
  1. In the **Behavior on full buffer** dropdown menu, select whether you want to **block** events or **drop new events** when the buffer is full.

**Note**: Logs sent to the Google SecOps destination must have ingestion labels. For example, if the logs are from a A10 load balancer, it must have the ingestion label `A10_LOAD_BALANCER`. See Google Cloud's [Support log types with a default parser](https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers#with-default-parser) for a list of available log types and their respective ingestion labels.

### Set secrets{% #set-secrets %}

These are the defaults used for secret identifiers and environment variables.

**Note**: If you enter secret identifiers and then choose to use environment variables, the environment variable is the identifier entered and prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for a password identifier, the environment variable for that password is `DD_OP_PASSWORD_1`.

{% tab title="Secrets Management" %}

- Google Chronicle endpoint URL identifier:
  - The default identifier is `DESTINATION_GOOGLE_CHRONICLE_UNSTRUCTURED_ENDPOINT_URL`.

{% /tab %}

{% tab title="Environment Variables" %}

- Google SecOps endpoint URL:
  - The default environment variable is `DD_OP_DESTINATION_GOOGLE_CHRONICLE_UNSTRUCTURED_ENDPOINT_URL`.

{% /tab %}

### How the destination works{% #how-the-destination-works %}

#### Event batching{% #event-batching %}

A batch of events is flushed when one of these parameters is met. See [event batching](https://docs.datadoghq.com/observability_pipelines/destinations/#event-batching) for more information.

| Maximum Events | Maximum Size (MB) | Timeout (seconds) |
| -------------- | ----------------- | ----------------- |
| None           | 1                 | 15                |