Profile Applicability:

Level 2

Description:

Enabling logging for HTTP(S) Load Balancers in Google Cloud Platform (GCP) captures and provides visibility into all network traffic directed to your web applications. This includes information about the source, destination, and nature of the traffic.

Rationale:

HTTP(S) Load Balancer logging provides critical insights into the network activity of web applications, supporting:

  • Security monitoring.

  • Troubleshooting of connectivity issues.

  • Analytics for traffic patterns.

  • Forensic investigations.

Impact:

Enabling logging may generate large log files on high-traffic systems, particularly if the sampling rate is set to 100% (1.0). Careful configuration of the sampling rate is essential to avoid excessive storage costs.

Default Value:

Logging for HTTP(S) load balancers is disabled by default. When enabled, the default sample rate is set to 1.0 (100%). Adjust the sample rate to balance cost and logging requirements.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to Network services via the Navigation Menu in the Google Cloud Console.

             

  1. Select the desired HTTPS load balancer.

             

  1. Click Edit and go to Backend Configuration.

           

           

  1. Edit the corresponding backend service.

               

  1. Verify that Enable Logging is selected and that the Sample Rate is set appropriately.

                 


Using Google Cloud CLI:

Run the following command:

gcloud compute backend-services describe <serviceName>

  1. Confirm the enable-logging property is set to true and that the logging-sample-rate is configured appropriately.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to Network services via the Navigation Menu.

                     

  1. Select the HTTPS load balancer requiring updates.

                   

  1. Click Edit and navigate to Backend Configuration.

                   

  1. Edit the associated backend service.

                 

  1. Enable the Logging option.

                   

  1. Set the Sample Rate to the desired percentage (e.g., 0.5 for 50%).

                 

  1. Save the configuration.

               

Using Google Cloud CLI:

Run the following command to enable logging and configure the sample rate:

gcloud compute backend-services update <serviceName> \
    --region=REGION \
    --enable-logging \
    --logging-sample-rate=<percentageAsDecimal>

References:

  1. Google Cloud Load Balancing Documentation

  2. gcloud Command Reference for Backend Services

CIS Controls:

Control

Description

IG 1

IG 2

IG 3

8.2 Collect Audit Logs

Ensure audit logs are collected across enterprise assets to support security and forensic analysis.

6.2 Activate Audit Logging

Enable local logging for all systems and networking devices.