📝 Google Logging Log Sink for All Log Entries is not configured 🟢

• Contextual name: 📝 Log Sink for All Log Entries is not configured 🟢
• ID: /ce/ca/google/logging/sinks-configuration
• Located in: 📁 Google Logging

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Export All Log Entries Using Sinks

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Project
  • 🔌 Google Logging Log Sink - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).

Rationale

Log entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.

Impact

There are no costs or limitations in Cloud Logging for exporting logs, but the export destinations charge for storing or transmitting the log data.

Audit

From Google Cloud Console

1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router.

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router.
2. Click on the arrow symbol with CREATE SINK text.
3. Fill out the fields for Sink details.
4. Choose Cloud Logging bucket in the Select sink destination drop down menu.
5. Choose a log bucket in the next drop down menu.
6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.
7. Click Create Sink.

For more information, see https://cloud.google.com/logging/docs/export/configure_export_v2#dest-create.

From Google Cloud CLI

To create a sink to export all log entries in a Google Cloud Storage bucket:

gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME

Sinks can be created for a folder or organization, which will include all projects.

gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children --folder=FOLDER_ID | --organization=ORGANIZATION_ID

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 2.2 Ensure That Sinks Are Configured for All Log Entries - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			49