At least one project-level logging sink should be configured with an empty filter

Description

A Cloud Logging sink should be configured at the project level to export copies of all log entries across the entire project. The sink should have an empty filter so that every log entry is exported rather than only those matching a query. The exported data can then be forwarded to a Security Information and Event Management (SIEM) platform.

Remediation Steps

Google Cloud Console

  • Navigate to Logs Router Sink.

  • Click Create Sink.

  • Enter a Sink name.

  • Optionally, enter a Sink description.

  • Click Next.

  • Enter a Sink destination.

  • Choose the logs to include in the sink.

  • Optionally, choose logs to exclude from the sink.

  • Click Create Sink.

gcloud CLI

  • To create a sink to export all log entries in a Google Cloud Storage bucket:

    • gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME

  • Sinks can also be created for a folder or an organization; with --include-children the sink covers all projects beneath it:

    • gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID

    • gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --organization=ORGANIZATION_ID
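An audit helper for this control, added here as an example (it is not part of the benchmark text or a Google tool). It assumes the sink list is supplied as one line per sink in the form "<name><TAB><filter>", which is what `gcloud logging sinks list --project="$PROJECT" --format="value(name,filter)"` prints; the sample lines below are constructed, not taken from a real project.

```shell
#!/bin/sh
# Checks whether a project has at least one logging sink with an empty filter,
# i.e. a sink that exports all log entries. Added example, not from the CIS page.
# Assumed input on stdin: "<name><TAB><filter>" per sink, as produced by
#   gcloud logging sinks list --project="$PROJECT" --format="value(name,filter)"
# A sink with an empty filter has an empty second field.

# Prints the names of sinks whose filter is empty, one per line.
# Returns 0 if at least one such sink exists (control satisfied), 1 otherwise.
has_all_logs_sink() {
  found=1
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    name=$(printf '%s\n' "$line" | cut -f1)
    # cut -s drops lines that contain no tab, so a missing field reads as empty;
    # sed trims whitespace so a filter of only spaces still counts as empty
    filter=$(printf '%s\n' "$line" | cut -s -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    if [ -z "$filter" ]; then
      printf '%s\n' "$name"
      found=0
    fi
  done
  return $found
}

# Constructed sample: every sink carries a filter, so the control fails.
filtered_only=$(printf 'errors-to-bq\tseverity>=ERROR\naudit-to-gcs\tlogName:"cloudaudit.googleapis.com"\n')

# Constructed sample after remediation: an all-logs sink with an empty filter exists.
with_all_logs=$(printf 'errors-to-bq\tseverity>=ERROR\nall-logs-to-siem\t\n')

for sample in "$filtered_only" "$with_all_logs"; do
  if printf '%s\n' "$sample" | has_all_logs_sink >/dev/null; then
    echo "PASS: a project-level sink with an empty filter exists"
  else
    echo "FAIL: no project-level sink exports all log entries"
  fi
done

# Against a real project (requires gcloud and permission to list sinks):
#   gcloud logging sinks list --project="$PROJECT" --format="value(name,filter)" | has_all_logs_sink
```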