
Google HTTP(S) Load Balancer Logging is not enabled 🟢

  • Contextual name: HTTP(S) Load Balancer Logging is not enabled 🟢
  • ID: /ce/ca/google/load-balancing/load-balancer-logging
  • Located in: Google Load Balancing

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Description​

Logging enabled on an HTTPS Load Balancer will show all network traffic and its destination.

Rationale​

Logging will allow you to view HTTPS network traffic to your web applications.

Impact​

On high-use systems with a high percentage sample rate, the log may grow very large in a short amount of time. Ensure that the sample rate is set appropriately so that storage costs are not exorbitant.

Audit​

From Google Cloud Console

  1. From Google Cloud home open the Navigation Menu in the top left.
  2. Under the Networking heading select Network services.
  3. Select the HTTPS load-balancer you wish to audit.
  4. Select Edit then Backend Configuration.
  5. Select Edit on the corresponding backend service.
  6. Ensure that Enable Logging is selected. Also ensure that Sample Rate is set to an appropriate level for your needs.

From Google Cloud CLI

  1. Run the following command:

         gcloud compute backend-services describe <serviceName>

  2. Ensure that enable-logging is enabled and sample rate is set to your desired level.
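
The CLI audit above checks one backend service at a time. The following added example (not part of the policy or of Cloudaware's own logic) applies the same check to every backend service in the JSON printed by `gcloud compute backend-services list --format=json`. It assumes the `logConfig.enable` and `logConfig.sampleRate` fields of the backend service resource and that HTTP(S) backends carry `protocol` HTTP, HTTPS or HTTP2. The sample input and the `audit_backend_services` helper are constructed for illustration.

```python
import json

# Constructed sample of `gcloud compute backend-services list --format=json`
# output, trimmed to the fields this check reads (not data from a real project).
SAMPLE = """
[
  {"name": "web-ok", "protocol": "HTTPS",
   "logConfig": {"enable": true, "sampleRate": 0.25}},
  {"name": "web-no-logconfig", "protocol": "HTTP"},
  {"name": "web-disabled", "protocol": "HTTPS",
   "logConfig": {"enable": false}},
  {"name": "web-zero-rate", "protocol": "HTTP2",
   "logConfig": {"enable": true, "sampleRate": 0.0}},
  {"name": "tcp-proxy", "protocol": "TCP"}
]
"""

# Assumption: these protocol values identify HTTP(S) load balancer backends.
HTTP_PROTOCOLS = {"HTTP", "HTTPS", "HTTP2"}


def audit_backend_services(services, min_sample_rate=0.0):
    """Return (name, reason) for each HTTP(S) backend service failing the check.

    min_sample_rate is a hypothetical policy knob: rates at or below it fail.
    """
    findings = []
    for svc in services:
        if svc.get("protocol") not in HTTP_PROTOCOLS:
            continue  # not an HTTP(S) backend; outside this policy's scope
        log_config = svc.get("logConfig") or {}
        if not log_config.get("enable", False):
            # A missing logConfig block means logging was never turned on.
            findings.append((svc["name"], "logging not enabled"))
            continue
        # When logging is enabled and sampleRate is omitted, the rate is 1.0.
        rate = float(log_config.get("sampleRate", 1.0))
        if rate <= min_sample_rate:
            # Enabled with a rate of 0 produces no log entries at all.
            findings.append((svc["name"], f"sample rate {rate} too low"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_backend_services(json.loads(SAMPLE)):
        print(f"FAIL {name}: {reason}")
```

Raising `min_sample_rate` lets the same function enforce an organisation-specific floor on the sample rate instead of only catching a rate of zero.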

Remediation​

From Google Cloud Console​

  1. From Google Cloud home open the Navigation Menu in the top left.
  2. Under the Networking heading select Network services.
  3. Select the HTTPS load-balancer you wish to audit.
  4. Select Edit then Backend Configuration.
  5. Select Edit on the corresponding backend service.
  6. Click Enable Logging.
  7. Set Sample Rate to a desired value. This is a percentage expressed as a decimal: 1.0 is 100%.

From Google Cloud CLI​

  1. Run the following command:

         gcloud compute backend-services update <serviceName> --region=REGION --enable-logging --logging-sample-rate=<percentageAsADecimal>

Linked Framework Sections​

Section  Sub Sections  Internal Rules  Policies  Flags
💼 CIS GCP v3.0.0 → 💼 2.16 Ensure Logging is enabled for HTTP(S) Load Balancer - Level 2 (Automated)  1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration  49