Ensure That Sinks Are Configured for All Log Entries

It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM). Log entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.

Risk Level: Low
Cloud Entity: Log Sink
CloudGuard Rule ID: D9.GCP.LOG.28
Covered by Spectral: No
Category: Management Tools

GSL LOGIC

LogSink should have filter isEmpty()

REMEDIATION

From Portal

  1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router
  2. Click on the arrow symbol with CREATE SINK text.
  3. Fill out the fields for Sink details.
  4. Choose Cloud Logging bucket in the Select sink destination drop down menu.
  5. Choose a log bucket in the next drop down menu.
  6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.
  7. Click Create Sink.

From TF
To create a SINK without filter use resource google_logging_project_sink where you do not need to mention argument filter.
See below example;

resource "google_logging_project_sink" "my-sink" {
	name = "my-gcp-sink"
	destination  = "storage.googleapis.com/my-gcp-bucket"
}

From Command Line

  1. To create a Sink with empty filter matching all entries use;
gcloud logging sinks create SINK_NAME DESTINATION
  1. for example,To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create my-gcp-sink storage.googleapis.com/MY_GCP_BUCKET
  1. Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID
  1. A sink created by the command-line above will export logs in storage buckets. However, sinks can be configured to export logs into BigQuery, or Cloud Pub/Sub, or Custom Destination. While creating a sink, the sink option --log-filter is not used to ensure the sink exports all log entries. A sink can be created at a folder or organization level that collects the logs of all the projects underneath bypassing the option --include-children in the gcloud command.

References

  1. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
  2. https://cloud.google.com/logging/quotas
  3. https://cloud.google.com/logging/docs/routing/overview
  4. https://cloud.google.com/logging/docs/export/using_exported_logs
  5. https://cloud.google.com/logging/docs/export/configure_export_v2
  6. https://cloud.google.com/logging/docs/export/aggregated_exports
  7. https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list
  8. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink

Log Sink

Resource: LogSink Describes a sink used to export log entries to one of the following destinations in any project: a Cloud Storage bucket, a BigQuery dataset, a Pub/Sub topic or a Cloud Logging log bucket. A logs filter controls which log entries are exported. The sink must be created within a project, organization, billing account, or folder.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Controls V 8
  • GCP CIS Foundations v. 1.0.0
  • GCP CIS Foundations v. 1.1.0
  • GCP CIS Foundations v. 1.2.0
  • GCP CIS Foundations v. 1.3.0
  • GCP CIS Foundations v. 2.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0