Profile Applicability:
Level 1
Description:
It is recommended to configure log sinks to export copies of all log entries. These sinks help aggregate logs across multiple projects and export them to destinations like Security Information and Event Management (SIEM) systems for extended retention and analysis.
Rationale:
Log entries in Cloud Logging are retained temporarily, but exporting them to external destinations ensures long-term storage and facilitates centralized analysis. Configuring log sinks achieves the following:
Aggregation of logs across projects, folders, or organizations.
Centralized export to destinations such as Cloud Storage, BigQuery, or Cloud Pub/Sub.
Enhanced monitoring, security analysis, and compliance management.
To ensure all logs are captured, sinks must be configured without filters and linked to valid destinations.
Impact:
While Cloud Logging does not charge for exporting logs, the selected destinations (e.g., Cloud Storage, BigQuery, Pub/Sub) may incur costs based on data storage or transmission.
Default Value:
By default, log sinks are not configured in Google Cloud projects.
Audit Steps:
Using Google Cloud Console:
Navigate to the Logs Router page in the Google Cloud Console.
For each sink, click the three-dot menu and select View sink details.
Verify that at least one sink is configured with an empty inclusion filter.
Confirm that the configured destination (e.g., Cloud Storage, BigQuery, or Pub/Sub) exists and is accessible.
Using Google Cloud CLI:
List sinks at the project, folder, or organization level:
gcloud logging sinks list --project=PROJECT_ID
gcloud logging sinks list --folder=FOLDER_ID
gcloud logging sinks list --organization=ORGANIZATION_ID
Confirm that at least one sink has no inclusion filter by checking for an empty "filter" field.
Ensure the destination exists and is valid.
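The CLI audit above can be made repeatable by running it over the JSON that gcloud prints. The following script is an added example, not part of this benchmark or of any Google tooling: it consumes the output of `gcloud logging sinks list --format=json` (LogSink resources carrying `name`, `destination`, `filter`, `disabled` and `exclusions`) and reports whether at least one enabled, unfiltered sink points at a Cloud Storage, BigQuery or Pub/Sub destination of well-formed name. The SAMPLE_SINKS list is constructed for illustration; the `--gcloud` mode and the scope flags passed through to it are the only things that touch a real project.

```python
"""Audit Cloud Logging sinks for an unfiltered export (added example, not benchmark text).

Usage:
    python audit_sinks.py                      # runs against the constructed SAMPLE_SINKS
    python audit_sinks.py --gcloud --project=PROJECT_ID      # or --folder=... / --organization=...
"""
import json
import re
import subprocess
import sys

# Destination prefixes for the export targets the benchmark names. This is an
# offline format check only: whether the bucket/dataset/topic exists, and whether
# the sink's writer identity may write to it, must still be verified at the
# destination service. Destinations inside Cloud Logging itself
# (logging.googleapis.com/...) are deliberately not accepted here, because the
# control is about exporting copies out of Cloud Logging's own retention.
DESTINATION_PATTERNS = {
    "storage": re.compile(r"^storage\.googleapis\.com/[a-z0-9][a-z0-9._-]*[a-z0-9]$"),
    "bigquery": re.compile(r"^bigquery\.googleapis\.com/projects/[^/]+/datasets/[^/]+$"),
    "pubsub": re.compile(r"^pubsub\.googleapis\.com/projects/[^/]+/topics/[^/]+$"),
}

# Constructed sample: one filtered sink, one disabled sink, one compliant sink.
SAMPLE_SINKS = [
    {"name": "audit-only",
     "destination": "bigquery.googleapis.com/projects/example-project/datasets/audit_logs",
     "filter": 'logName:"cloudaudit.googleapis.com"'},
    {"name": "old-siem-feed",
     "destination": "pubsub.googleapis.com/projects/example-project/topics/siem",
     "disabled": True},
    {"name": "all-logs-archive",
     "destination": "storage.googleapis.com/example-log-archive-bucket"},
]


def destination_type(destination):
    """Return 'storage', 'bigquery' or 'pubsub' for a well-formed destination, else None."""
    for kind, pattern in DESTINATION_PATTERNS.items():
        if pattern.match(destination or ""):
            return kind
    return None


def exports_all_logs(sink):
    """True when the sink captures every entry: enabled, empty inclusion filter,
    no exclusion filters (which drop entries even with an empty inclusion filter),
    and a recognised destination. gcloud omits 'filter' entirely when it is empty."""
    if sink.get("disabled", False):
        return False
    if (sink.get("filter") or "").strip():
        return False
    if sink.get("exclusions"):
        return False
    return destination_type(sink.get("destination")) is not None


def audit_sinks(sinks):
    """Return (compliant, findings): compliant is True if any sink exports all logs."""
    findings = []
    compliant = False
    for sink in sinks:
        name = sink.get("name", "<unnamed>")
        dest = sink.get("destination", "")
        kind = destination_type(dest)
        if kind is None:
            findings.append(f"{name}: destination {dest!r} is not a Storage/BigQuery/Pub/Sub target")
        elif sink.get("disabled"):
            findings.append(f"{name}: sink is disabled and exports nothing")
        elif (sink.get("filter") or "").strip():
            findings.append(f"{name}: inclusion filter {sink['filter']!r} limits what is exported")
        elif sink.get("exclusions"):
            findings.append(f"{name}: {len(sink['exclusions'])} exclusion filter(s) drop entries")
        else:
            findings.append(f"{name}: exports all logs to {kind} destination {dest}")
            compliant = True
    return compliant, findings


def load_sinks_from_gcloud(scope_args):
    """Run `gcloud logging sinks list --format=json` with the given scope flags."""
    result = subprocess.run(
        ["gcloud", "logging", "sinks", "list", "--format=json", *scope_args],
        check=True, capture_output=True, text=True)
    return json.loads(result.stdout or "[]")


if __name__ == "__main__":
    args = sys.argv[1:]
    if args and args[0] == "--gcloud":
        sinks = load_sinks_from_gcloud(args[1:])
    else:
        sinks = SAMPLE_SINKS
    ok, report = audit_sinks(sinks)
    for line in report:
        print(line)
    print("PASS: an unfiltered export sink exists" if ok else "FAIL: no unfiltered export sink")
    sys.exit(0 if ok else 1)
```

Run it once per scope you care about (project, folder and organization), since a folder- or organization-level sink with `--include-children` can satisfy the control even when an individual project lists no sinks of its own.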
Remediation Steps:
Using Google Cloud Console:
Go to the Logs Router page in the Google Cloud Console.
Click + Create Sink.
Fill in the Sink Details (e.g., name and description).
Select a Sink Destination, such as a Cloud Storage bucket, BigQuery dataset, or Cloud Pub/Sub topic.
Ensure no inclusion filter is applied to capture all logs.
Click Create Sink.
Using Google Cloud CLI:
Create a sink to export all log entries to a Cloud Storage bucket:
gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME>
For folder- or organization-level sinks (including all child projects), use one of:
gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME> --include-children --folder=FOLDER_ID
gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME> --include-children --organization=ORGANIZATION_ID
Ensure the sink is configured without the --log-filter option to export all log entries.
Backout Plan:
1. Restore a Previous Log Sink (If Needed)
If a log sink was mistakenly deleted, recreate it using:
gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME>
2. Restore IAM Policy from Backup
If necessary, restore a previous IAM policy:
gcloud projects set-iam-policy PROJECT_ID policy-backup.json