Profile Applicability:

Level 1

Description:

It is recommended to configure log sinks to export copies of all log entries. These sinks help aggregate logs across multiple projects and export them to destinations like Security Information and Event Management (SIEM) systems for extended retention and analysis.

Rationale:

Log entries in Cloud Logging are kept only for the retention period of the log bucket that holds them (30 days by default for the _Default bucket), so exporting them to an external destination is what provides long-term storage and centralized analysis. Configuring log sinks achieves the following:

  1. Aggregation of logs across projects, folders, or organizations.

  2. Centralized export to destinations such as Cloud Storage, BigQuery, or Cloud Pub/Sub.

  3. Enhanced monitoring, security analysis, and compliance management.

To ensure all log entries are captured, at least one enabled sink must be configured with no inclusion filter and no exclusion filters, and it must be linked to a valid destination that the sink's writer identity is permitted to write to.

Impact:

While Cloud Logging does not charge for exporting logs, the selected destinations (e.g., Cloud Storage, BigQuery, Pub/Sub) may incur costs based on data storage or transmission.

Default Value:

Google Cloud creates the built-in _Required and _Default sinks in every project, but both carry inclusion filters and route only to the project's own log buckets. No user-defined sink that exports all log entries to an external destination exists by default.

Audit Steps:

Using Google Cloud Console:

  1. In the Google Cloud Console, go to Logging > Logs Router.

  2. For each sink, click the three-dot menu and select View sink details.

  3. Verify that at least one enabled sink has an empty inclusion filter and no exclusion filters.

  4. Confirm that the configured destination (e.g., Cloud Storage, BigQuery, or Pub/Sub) exists and that the sink's writer identity has permission to write to it.

Using Google Cloud CLI:

List sinks at the project, folder, or organization level:

gcloud logging sinks list --project=PROJECT_ID
gcloud logging sinks list --folder=FOLDER_ID
gcloud logging sinks list --organization=ORGANIZATION_ID
  1. Confirm that at least one sink that is not disabled has no inclusion filter, i.e. an empty FILTER column in the table output or an empty "filter" field in --format=json output. Review the full sink definition to check that it has no exclusion filters either.

  2. Ensure the destination exists and that the service account shown as the sink's writer identity has permission to write to it.
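The CLI audit above can be scripted. The following is an added example, not part of the CIS benchmark or of Google's tooling: it reads the JSON that gcloud logging sinks list --format=json prints (the LogSink fields name, destination, filter, disabled, exclusions and writerIdentity) and reports which sinks route every log entry, treating a disabled sink, a non-empty inclusion filter, an active exclusion filter, or an unrecognised destination as a failure. The embedded listing is constructed for the example; the project, topic, bucket and sink names in it are assumptions, and it includes the built-in _Required and _Default sinks that every project has so that the check shows why they do not satisfy the recommendation on their own.

```python
"""Check a gcloud sink listing for a sink that routes every log entry.

Usage: gcloud logging sinks list --project=PROJECT_ID --format=json | python3 audit_sinks.py
With no piped input the constructed SAMPLE_LISTING below is audited instead.
"""
import json
import sys

# Destination services a sink can route to; anything else is flagged.
VALID_DESTINATION_PREFIXES = (
    "storage.googleapis.com/",
    "bigquery.googleapis.com/",
    "pubsub.googleapis.com/",
    "logging.googleapis.com/",
)

# Constructed listing (not real output): the shape matches what
# `gcloud logging sinks list --format=json` prints; resource names are assumed.
SAMPLE_LISTING = json.dumps([
    {   # Built-in sink present in every project: it routes only audit logs.
        "name": "_Required",
        "destination": "logging.googleapis.com/projects/example-project/locations/global/buckets/_Required",
        "filter": 'LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event")',
        "writerIdentity": "serviceAccount:cloud-logs@system.gserviceaccount.com",
    },
    {   # Built-in sink: everything the _Required sink does not take.
        "name": "_Default",
        "destination": "logging.googleapis.com/projects/example-project/locations/global/buckets/_Default",
        "filter": 'NOT LOG_ID("cloudaudit.googleapis.com/activity") AND NOT LOG_ID("cloudaudit.googleapis.com/system_event")',
        "writerIdentity": "serviceAccount:cloud-logs@system.gserviceaccount.com",
    },
    {   # Empty inclusion filter, but an active exclusion silently drops entries.
        "name": "siem-export",
        "destination": "pubsub.googleapis.com/projects/example-project/topics/siem",
        "exclusions": [{"name": "drop-debug", "filter": "severity<INFO"}],
        "writerIdentity": "serviceAccount:p123-456@gcp-sa-logging.iam.gserviceaccount.com",
    },
    {   # Disabled sinks route nothing, whatever their filter says.
        "name": "old-export",
        "destination": "storage.googleapis.com/example-old-archive",
        "disabled": True,
        "writerIdentity": "serviceAccount:p123-789@gcp-sa-logging.iam.gserviceaccount.com",
    },
    {   # Compliant: enabled, no filter, only a disabled exclusion, valid destination.
        "name": "archive-all",
        "destination": "storage.googleapis.com/example-log-archive",
        "exclusions": [{"name": "unused", "filter": "severity<INFO", "disabled": True}],
        "writerIdentity": "serviceAccount:p123-999@gcp-sa-logging.iam.gserviceaccount.com",
    },
])


def sink_problems(sink):
    """Return the reasons a sink does not route all entries (empty list if it does)."""
    problems = []
    if sink.get("disabled"):
        problems.append("sink is disabled")
    # gcloud omits "filter" entirely when the inclusion filter is empty.
    if sink.get("filter", "").strip():
        problems.append("inclusion filter set: " + sink["filter"])
    # An exclusion drops matching entries unless the exclusion itself is disabled.
    active = [e["name"] for e in sink.get("exclusions", []) if not e.get("disabled")]
    if active:
        problems.append("active exclusion filters: " + ", ".join(active))
    destination = sink.get("destination", "")
    if not destination.startswith(VALID_DESTINATION_PREFIXES):
        problems.append("unrecognised destination: " + (destination or "<none>"))
    return problems


def audit_sinks(listing_json):
    """Parse a gcloud JSON listing; return (compliant sink names, {name: problems})."""
    compliant, findings = [], {}
    for sink in json.loads(listing_json):
        problems = sink_problems(sink)
        if problems:
            findings[sink["name"]] = problems
        else:
            compliant.append(sink["name"])
    return compliant, findings


def main():
    listing = "" if sys.stdin.isatty() else sys.stdin.read()
    if not listing.strip():
        listing = SAMPLE_LISTING
    compliant, findings = audit_sinks(listing)
    for name, problems in findings.items():
        print(f"{name}: " + "; ".join(problems))
    if compliant:
        print("PASS: all-entry sink(s): " + ", ".join(compliant))
        return 0
    print("FAIL: no enabled sink routes all log entries")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The destination check only verifies that the destination belongs to a supported service; whether the bucket, dataset or topic actually exists and whether the writer identity can write to it still has to be checked against the destination itself, for example by looking at the sink's error count in the Logs Router.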

Remediation Steps:

Using Google Cloud Console:

  1. In the Google Cloud Console, go to Logging > Logs Router.

  2. Click + Create Sink.

  3. Fill in the Sink Details (name and description).

  4. Select a Sink Destination, such as a Cloud Storage bucket, BigQuery dataset, or Cloud Pub/Sub topic.

  5. Leave the inclusion filter empty and add no exclusion filters, so that all log entries are exported.

  6. Click Create Sink.

Using Google Cloud CLI:

Create a sink to export all log entries to a Cloud Storage bucket:

gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME>

For an aggregated sink at folder or organization level that also captures logs from all child resources, add --include-children together with the scope flag (one of --folder or --organization):

gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME> --include-children --folder=FOLDER_ID
gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME> --include-children --organization=ORGANIZATION_ID

  1. Ensure the sink is created without the --log-filter option (and without --exclusion) so that it exports all log entries.

  2. Grant the service account reported as the sink's writer identity write access to the destination; for a Cloud Storage bucket this is the Storage Object Creator role (roles/storage.objectCreator). Until this is done, nothing is exported and the sink reports errors.

Backout Plan:

1. Remove or Restore the Sink

If the new sink causes problems (for example unexpected destination costs), delete it; entries already written to the destination are unaffected. If a sink was mistakenly deleted, recreate it using:

gcloud logging sinks create <SINK_NAME> storage.googleapis.com/<DESTINATION_BUCKET_NAME>

2. Restore IAM Policy from Backup

The remediation grants the sink's writer identity a role on the destination. To undo that, remove the binding from the bucket, dataset, or topic. If the role was instead granted on the project and a copy of the project policy was saved beforehand, restore it:

gcloud projects set-iam-policy PROJECT_ID policy-backup.json

References:

  1. Cloud Logging Overview

  2. Configure Log Exports

  3. Cloud Logging Command-Line Reference

CIS Controls:

Control                                     | Description                                                                                      | IG 1 | IG 2 | IG 3
--------------------------------------------|--------------------------------------------------------------------------------------------------|------|------|-----
8.2 Collect Audit Logs (v8)                 | Enable logging across all enterprise systems for monitoring.                                     |  x   |  x   |  x
8.3 Ensure Adequate Audit Log Storage (v8)  | Ensure sufficient storage for logging destinations to meet organizational retention requirements. |  x   |  x   |  x
6.2 Activate Audit Logging (v7)             | Enable logging across systems and networking devices.                                            |  x   |  x   |  x
6.4 Ensure Adequate Storage for Logs (v7)   | Maintain adequate storage for logs to prevent loss of critical data.                             |      |  x   |  x