
Collecting Logs for Google Cloud Audit

Steps to configure log collection for the Sumo Logic app for Google Cloud Audit.

This page describes the Sumo pipeline for ingesting logs from Google Cloud Platform (GCP) services and walks through the steps for collecting logs from Google Cloud Audit.

Collection process for GCP services

The key components in the collection process for GCP services are Google Stackdriver, Google Cloud Pub/Sub, and Sumo's Google Cloud Platform (GCP) source running on a hosted collector.

The integration works like this: Google Stackdriver collects logs from GCP services. Once you’ve configured the pipeline shown below, the logs collected by Stackdriver will be published to a Google Pub/Sub topic. A Sumo GCP source on a hosted collector subscribed to that topic ingests the logs into Sumo.

[Figure: monitor-gcp-services.png]

The configuration process is as follows. 

  1. Configure a GCP source on a hosted collector. You'll obtain the HTTP URL for the source, and then use Google Cloud Console to register the URL as a validated domain.  
  2. Create a topic in Google Pub/Sub and subscribe the GCP source URL to that topic.
  3. Create an export of GCP logs from Stackdriver. Exporting involves writing a filter that selects the log entries you want to export, and choosing a Pub/Sub topic as the destination. The filter and destination are held in an object called a sink.

See the sections below for instructions.

Create an export of Cloud Audit logs from Stackdriver

  1. In GCP, go to Logging.
    [Screenshot: gcp6.png]
  2. Go to Exports and click Create Export.
    [Screenshot: gcp7.png]
  3. In the drop-down, click Convert to advanced filter to add an advanced filter.
    [Screenshot: advanced-filter.png]
  4. Create the advanced filter logName: "logs/cloudaudit.googleapis.com%2Factivity".
    For the definition of advanced filters, see "Advanced log filters" in the GCP help.
    [Screenshot: edit-export.png]
    In the Edit Export window on the right, do the following:

    1. Set Sink Name. For example, "gcp-all".
    2. Set Sink Service to "Cloud Pub/Sub".
    3. Set Sink Destination to the Pub/Sub topic you just created. For example, "pub-sub-logs".
    4. Click Create Sink.

Sample log message

{
  "message": {
    "data": {
      "insertId": "55E06F0577741.AA05843.A90CA7B9",
      "logName": "projects/bmlabs-loggen/logs/cloudaudit.googleapis.com%2Factivity",
      "operation": {
        "id": "operation-1510758777595-55e06f047a479-fd74bd40-dc6cfc9b",
        "last": true,
        "producer": "compute.googleapis.com"
      },
      "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {
          "principalEmail": "service-287993422434@dataflow-service-producer-prod.iam.gserviceaccount.com"
        },
        "methodName": "beta.compute.instanceTemplates.delete",
        "requestMetadata": {
          "callerIp": "10.106.32.130",
          "callerSuppliedUserAgent": "cloud_workflow_service"
        },
        "resourceName": "projects/bmlabs-loggen/global/instanceTemplates/dataflow-permissionlogs-johndoe-1-11150704-7cbb-harness",
        "serviceName": "compute.googleapis.com"
      },
      "receiveTimestamp": "2018-01-26T12:08:31.316UTC",
      "resource": {
        "labels": {
          "instance_template_id": "176548811930462611",
          "instance_template_name": "dataflow-permissionlogs-johndoe-1-11150704-7cbb-harness",
          "project_id": "bmlabs-loggen"
        },
        "type": "gce_instance_template"
      },
      "severity": "NOTICE",
      "timestamp": "2018-01-26T12:08:31.316UTC"
    },
    "attributes": {
      "logging.googleapis.com/timestamp": "2018-01-26T12:08:31.316UTC"
    },
    "message_id": "172054682231179",
    "messageId": "172054682231179",
    "publish_time": "2018-01-26T12:08:31.316UTC",
    "publishTime": "2018-01-26T12:08:31.316UTC"
  },
  "subscription": "projects/bmlabs-loggen/subscriptions/sumo-test"
}

Sample query

Recent firewall changes

_collector="HTTP Source for GCP Pub/Sub" logName methodName principalEmail request resource timestamp
| parse regex "\"logName\":\"(?<log_name>[^\"]+)\""
| where log_name matches "projects/*/logs/cloudaudit.googleapis.com%2Factivity"
| json "message.data" as data
| json field=data "resource.type" as type
| where type = "gce_firewall_rule"
| json field=data "timestamp", "resource.labels", "resource.labels.project_id", "protoPayload.authenticationInfo.principalEmail", "protoPayload.methodName", "protoPayload.request" as timestamp, labels, project, user, method, request
| json field=request "direction", "alloweds[*]", "denieds[*]" as direction, alloweds, denieds nodrop
| if(isNull(alloweds) OR alloweds="","deny","allow") as action
| parse "\"sourceRanges\":[*]" as ranges nodrop
| parse "\"destinationRanges\":[*]" as ranges
| parse regex field=alloweds "\"IPProtocol\":\"(?<protocol>[a-zA-Z\.]+)\"[,\"a-z:]*\[?(?<ports>[0-9-\",]+)?\]?" multi nodrop
| parse regex field=denieds "\"IPProtocol\":\"(?<protocol>[a-zA-Z\.]+)\"[,\"a-z:]*\[?(?<ports>[0-9-\",]+)?\]?" multi
| count as operations by timestamp, user, method, ranges, direction, action, protocol, ports
| fields timestamp, user, method, ranges, direction, action, protocol, ports
| sort by timestamp
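The same extraction that the query above performs, applied to a Pub/Sub envelope of the shape shown in the sample log message, as an added example written for this page and not code from Sumo Logic or Google. It walks the message the way the query does (activity audit log, gce_firewall_rule resource, allow/deny from the presence of alloweds, ranges and protocol/ports from the request); the two messages, the project name, e-mail addresses and rule contents are constructed, and ranges fall back to sourceRanges for ingress rules since only egress rules carry destinationRanges.

```python
import json
from fnmatch import fnmatchcase

# Glob used by the query's "where log_name matches" stage.
AUDIT_LOG_GLOB = "projects/*/logs/cloudaudit.googleapis.com%2Factivity"


def envelope(data):
    """Wrap an audit-log entry in a Pub/Sub envelope like the page's sample message."""
    return json.dumps({"message": {"data": data, "messageId": "1"},
                       "subscription": "projects/example-project/subscriptions/sumo-test"})


# Constructed samples (all values made up): a firewall-rule insert that opens
# SSH/RDP to the world, and an instance-template delete like the page's sample.
FIREWALL_INSERT = envelope({
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2018-01-26T12:08:31.316UTC",
    "resource": {"type": "gce_firewall_rule", "labels": {"project_id": "example-project"}},
    "protoPayload": {
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "methodName": "v1.compute.firewalls.insert",
        "request": {"direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
                    "alloweds": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    },
})
TEMPLATE_DELETE = envelope({
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "timestamp": "2018-01-26T12:08:31.316UTC",
    "resource": {"type": "gce_instance_template", "labels": {"project_id": "example-project"}},
    "protoPayload": {"authenticationInfo": {"principalEmail": "svc@example.com"},
                     "methodName": "beta.compute.instanceTemplates.delete"},
})


def firewall_change(raw):
    """Return the fields the query reports for a firewall change, or None if filtered out."""
    data = json.loads(raw)["message"]["data"]
    # Same two filters as the query: activity audit log, firewall-rule resource.
    if not fnmatchcase(data.get("logName", ""), AUDIT_LOG_GLOB):
        return None
    if data.get("resource", {}).get("type") != "gce_firewall_rule":
        return None
    payload = data["protoPayload"]
    request = payload.get("request", {})
    alloweds = request.get("alloweds") or []
    denieds = request.get("denieds") or []
    return {
        "timestamp": data.get("timestamp"),
        "user": payload["authenticationInfo"]["principalEmail"],
        "method": payload["methodName"],
        "ranges": request.get("destinationRanges") or request.get("sourceRanges") or [],
        "direction": request.get("direction"),
        "action": "allow" if alloweds else "deny",   # query: no alloweds means deny
        "rules": [(r["IPProtocol"], r.get("ports", [])) for r in alloweds or denieds],
    }
```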