Skip to main content

πŸ›‘οΈ Google Logging Log Sink for All Log Entries is not configured🟒

  • Contextual name: πŸ›‘οΈ Log Sink for All Log Entries is not configured🟒
  • ID: /ce/ca/google/logging/sinks-configuration
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic​

Similar Policies​

Description​

Open File

Description​

It is recommended to create a sink that exports copies of all log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM) system.

Rationale​

Log entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To retain them longer, set up a log sink. Exporting involves writing a filter that selects the log entries to export and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported, make sure no filter is configured for the sink. Sinks can be created in projects, organizations, folders, and billing accounts.

Impact​

There are no costs or limitations in Cloud Logging for exporting logs, but the export destinations charge for storing or transmitting the log data.

Audit​

From Google Cloud Console​
  1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router.
  2. For every sink, click the 3-dot button for Menu options and select View sink details.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

  1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router.
  2. Click on the arrow symbol with CREATE SINK text.
  3. Fill out the fields for Sink details.
  4. Choose a Cloud Logging bucket in the Select sink destination drop-down menu.
  5. Choose a log bucket in the next drop-down menu.
  6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.
  7. Click Create Sink.

For more information, see https://cloud.google.com/logging/docs/export/configure_export_v2#dest-create.

From Google Cloud CLI​

To create a sink to export all log entries in a Google Cloud Storage bucket:

gcloud logging sinks create {{sink-name}} storage.googleapis.com/{{destination-bucket-name}}

Sinks can be created for a folder or organization, which will include all projects.

gcloud logging sinks create {{sink-name}} storage.googleapis.com/{{destination-bucket-name}} \

... [see more](remediation.md)

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlagsCompliance
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 2.2 Ensure that sinks are configured for all log entries - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 2.2 Ensure That Sinks Are Configured for All Log Entries - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 2.2 Ensure That Sinks Are Configured for All Log Entries - Level 1 (Automated)1no data
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 2.2 Ensure That Sinks Are Configured for All Log Entries - Level 1 (Automated)1no data
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration77no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)26no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation (M)(H)119no data
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)273no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)26no data
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)73no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)26no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation (M)(H)119no data
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)73no data
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.18.1.3 Protection of records14no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834no data
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.20 Networks security514no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1838no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed14no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-4: Backups of information are conducted, maintained, and tested48no data
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1633no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources65no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis38no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events180no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events100no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events181no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed7no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-11: Backups of data are created, protected, maintained, and tested15no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18no data
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging426no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation2119no data
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44773no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 5.2 Ensure that all anti-virus mechanisms are maintained.9no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.11no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2 Implement automated audit trails for all system components.7633no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.1 All individual user accesses to cardholder data.414no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.2 All actions taken by any individual with root or administrative privileges.16no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.3 Access to all audit trails.9no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.4 Invalid logical access attempts.414no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.5 Use of and changes to identification and authentication mechanisms.116no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.6 Initialization, stopping, or pausing of the audit logs.9no data
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.3 Record audit trail entries for all system components for each event.610no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 5.3.1 The anti-malware solution(s) is kept current via automatic updates.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 5.3.2 The anti-malware solution performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes.19no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 5.3.4 Audit logs for the anti-malware solution(s) are enabled and retained.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.10no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.732no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.1 Audit logs capture all individual user access to cardholder data.14no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.16no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.3 Audit logs capture all access to audit logs.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.4 Audit logs capture all invalid logical access attempts.14no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.6 Audit logs capture all initialization of new audit logs, starting, stopping, or pausing of the existing audit logs.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.7 Audit logs capture all creation and deletion of system-level objects.9no data
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.2 Audit logs record the described details for each auditable event.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 5.3.1 The anti-malware solution(s) is kept current via automatic updates.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 5.3.2 The anti-malware solution performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes.19no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 5.3.4 Audit logs for the anti-malware solution(s) are enabled and retained.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.10no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.7132no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.1 Audit logs capture all individual user access to cardholder data.114no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.16no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.3 Audit logs capture all access to audit logs.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.4 Audit logs capture all invalid logical access attempts.114no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.6 Audit logs capture all initialization of new audit logs, starting, stopping, or pausing of the existing audit logs.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.7 Audit logs capture all creation and deletion of system-level objects.9no data
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.2 Audit logs record the described details for each auditable event.9no data