At least one project-level logging sink should be configured with an empty filter

Description

A Cloud Logging sink should be configured at the project level to export copies of all log entries across an entire project. The sink should have an empty filter to ensure all log entries are exported. This data can then be exported to a Security Information and Event Management (SIEM) platform.

Remediation Steps

Google Cloud Console

  • Navigate to Logs Router Sinks.

  • Select Create Sink.

  • Enter a sink name.

  • Enter a sink description, optionally.

  • Select Next.

  • Enter a sink service and destination.

  • Select Next.

  • In the Choose logs to include in sink section, leave the Build inclusion filter field empty.

  • Select Next.

  • Select Create Sink.

gcloud CLI

  • To create a sink that exports all log entries to a Google Cloud Storage bucket:

    • gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME

  • Sinks can also be created for a folder or organization; with --include-children they cover all projects beneath it:

    • gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID
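To verify the control after remediation, the following added example (not part of this benchmark or of gcloud) audits the output of `gcloud logging sinks list --format=json` and reports which sinks export every entry: no inclusion filter, no exclusion filters, and not disabled. The embedded sink list is a constructed sample; the project id `example-proj` and bucket names are placeholders.

```python
from __future__ import annotations
import json
import subprocess
import sys

# Constructed sample in the shape of `gcloud logging sinks list --format=json`
# (not captured from a real project). gcloud omits "filter" when it is empty.
# The built-in _Required and _Default sinks carry filters, so on their own
# they do not satisfy "at least one sink with an empty filter".
SAMPLE_SINKS_JSON = """
[
  {"name": "_Required",
   "destination": "logging.googleapis.com/projects/example-proj/locations/global/buckets/_Required",
   "filter": "LOG_ID(\\"cloudaudit.googleapis.com/activity\\")"},
  {"name": "_Default",
   "destination": "logging.googleapis.com/projects/example-proj/locations/global/buckets/_Default",
   "filter": "NOT LOG_ID(\\"cloudaudit.googleapis.com/activity\\")"},
  {"name": "siem-export", "destination": "storage.googleapis.com/example-siem-archive"},
  {"name": "old-export", "destination": "storage.googleapis.com/example-old", "disabled": true}
]
"""

def load_sinks(text: str) -> list[dict]:
    """Parse the JSON array gcloud prints for `logging sinks list`."""
    return json.loads(text)

def exports_everything(sink: dict) -> bool:
    """True only if the sink routes every log entry in the project."""
    if sink.get("disabled", False):            # a disabled sink exports nothing
        return False
    if sink.get("filter", "").strip():         # any inclusion filter drops entries
        return False
    if sink.get("exclusions"):                 # exclusion filters also drop entries
        return False
    return True

def audit_sinks(sinks: list[dict]) -> dict[str, list[str]]:
    """Split sink names into those meeting the control and the rest."""
    report: dict[str, list[str]] = {"compliant": [], "other": []}
    for sink in sinks:
        report["compliant" if exports_everything(sink) else "other"].append(sink["name"])
    return report

def list_project_sinks(project_id: str) -> list[dict]:
    """Fetch the live sink list; requires an authenticated gcloud installation."""
    cmd = ["gcloud", "logging", "sinks", "list", f"--project={project_id}", "--format=json"]
    return load_sinks(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

if __name__ == "__main__":
    sinks = list_project_sinks(sys.argv[1]) if len(sys.argv) > 1 else load_sinks(SAMPLE_SINKS_JSON)
    result = audit_sinks(sinks)
    status = "PASS" if result["compliant"] else "FAIL"
    print(f"{status}: full-export sinks={result['compliant']} other={result['other']}")
```

Run with a project id as the first argument to audit a real project; without arguments it evaluates the constructed sample.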