user19959899

GCP logging query issue

I'm trying to collect logs to be handled as incidents / SCC audits in case any tampering with firewall rules is logged.

Found out that something like this does the trick more or less:

resource.type=gce_firewall_rule AND protoPayload.methodName=v1.compute.firewalls.patch OR protoPayload.methodName=v1.compute.firewalls.insert OR protoPayload.methodName=v1.compute.firewalls.update

However, this only solves the issue partially, because methods on GCP may differ, and rules that were added in the past and ones that will be added in the future may use different version suffixes:

v1, beta, alpha, v2... etc.

I unfortunately couldn't find any documentation that helps find a condition that can include everything at the methodName value.

Something like:

protoPayload.methodName="*.compute.firewalls.update" or "%compute.firewalls.update"

Thank you!

Upvotes: 0

Views: 226

Answers (1)

DazWilkin

Reputation: 40061

Cloud Logging has a comprehensive query language.

You have various options:

  • If you have a definitive list OR: protoPayload.methodName = ("v1" OR "v1beta1" OR ...)
  • If you want to use a regular expression
  • If you want anything: protoPayload.methodName:*

Upvotes: 1
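As an added illustration of the regular-expression option (not part of the answer above), the block below builds a version-agnostic Cloud Logging filter using the `=~` operator and mirrors that clause locally so the pattern can be checked against constructed sample audit-log entries before it is used in Logs Explorer or an alerting policy. The entries, the method names, and the inclusion of `delete` are assumptions made here; `[.]` is used for a literal dot so the regex needs no escaping inside the quoted filter string.

```python
import re

# Version-agnostic Cloud Logging filter. =~ is Cloud Logging's regular-expression
# match (RE2 syntax). [.] matches a literal dot without needing a backslash inside
# the quoted string. `delete` is added here as well, since removing a rule is also
# tampering; the original question listed only patch/insert/update.
FIREWALL_METHOD_RE = r"^[a-z0-9]+[.]compute[.]firewalls[.](insert|patch|update|delete)$"

# Parentheses make the grouping explicit instead of relying on AND/OR precedence.
LOGGING_FILTER = (
    'resource.type="gce_firewall_rule" AND '
    f'(protoPayload.methodName=~"{FIREWALL_METHOD_RE}")'
)


def is_firewall_mutation(method_name: str) -> bool:
    """Local mirror of the =~ clause, used to check the pattern before deploying it."""
    return re.fullmatch(FIREWALL_METHOD_RE, method_name) is not None


# Constructed sample audit-log entries (resource type and method name only; not real data).
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.insert"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "beta.compute.firewalls.patch"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "alpha.compute.firewalls.delete"}},
    {"resource": {"type": "gce_firewall_rule"}, "protoPayload": {"methodName": "v1.compute.firewalls.get"}},  # read-only
    {"resource": {"type": "gce_network"}, "protoPayload": {"methodName": "v1.compute.networks.insert"}},  # other resource
]


def matching_methods(entries):
    """Return the methodName of every entry the filter would select."""
    return [
        e["protoPayload"]["methodName"]
        for e in entries
        if e["resource"]["type"] == "gce_firewall_rule"
        and is_firewall_mutation(e["protoPayload"]["methodName"])
    ]


if __name__ == "__main__":
    print(LOGGING_FILTER)
    print(matching_methods(SAMPLE_ENTRIES))
```

The read-only `get` call and the network insert are left out, while the v1, beta and alpha firewall mutations are all selected by the same clause.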
