Ensure That Sinks Are Configured for All Log Entries
It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM). Log entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.
Risk Level: Low
Cloud Entity: Log Sink
CloudGuard Rule ID: D9.GCP.LOG.28
Covered by Spectral: No
Category: Management Tools
GSL LOGIC
LogSink should have filter isEmpty()
REMEDIATION
From Portal
- Go to Logs Router by visiting https://console.cloud.google.com/logs/router
- Click on the arrow symbol with CREATE SINK text.
- Fill out the fields for Sink details.
- Choose Cloud Logging bucket in the Select sink destination drop down menu.
- Choose a log bucket in the next drop down menu.
- If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.
- Click Create Sink.
From TF
To create a SINK without filter use resource google_logging_project_sink where you do not need to mention argument filter.
See below example;
resource "google_logging_project_sink" "my-sink" {
name = "my-gcp-sink"
destination = "storage.googleapis.com/my-gcp-bucket"
}
From Command Line
- To create a Sink with empty filter matching all entries use;
gcloud logging sinks create SINK_NAME DESTINATION
- for example,To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create my-gcp-sink storage.googleapis.com/MY_GCP_BUCKET
- Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID
- A sink created by the command-line above will export logs in storage buckets. However, sinks can be configured to export logs into BigQuery, or Cloud Pub/Sub, or Custom Destination. While creating a sink, the sink option --log-filter is not used to ensure the sink exports all log entries. A sink can be created at a folder or organization level that collects the logs of all the projects underneath bypassing the option --include-children in the gcloud command.
References
- https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
- https://cloud.google.com/logging/quotas
- https://cloud.google.com/logging/docs/routing/overview
- https://cloud.google.com/logging/docs/export/using_exported_logs
- https://cloud.google.com/logging/docs/export/configure_export_v2
- https://cloud.google.com/logging/docs/export/aggregated_exports
- https://cloud.google.com/sdk/gcloud/reference/beta/logging/sinks/list
- https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink
Log Sink
Resource: LogSink Describes a sink used to export log entries to one of the following destinations in any project: a Cloud Storage bucket, a BigQuery dataset, a Pub/Sub topic or a Cloud Logging log bucket. A logs filter controls which log entries are exported. The sink must be created within a project, organization, billing account, or folder.
Compliance Frameworks
- CloudGuard GCP All Rules Ruleset
- GCP CIS Controls V 8
- GCP CIS Foundations v. 1.0.0
- GCP CIS Foundations v. 1.1.0
- GCP CIS Foundations v. 1.2.0
- GCP CIS Foundations v. 1.3.0
- GCP CIS Foundations v. 2.0
- GCP CloudGuard Best Practices
- GCP MITRE ATT&CK Framework v12.1
- GCP NIST 800-53 Rev 5
- GCP PCI-DSS 4.0
Updated over 1 year ago