This page describes how to export logs from Google Distributed Cloud (GDC) air-gapped to an external Security Information and Event Management (SIEM) system. This integration allows for centralized log analysis and enhanced security monitoring.
Log export is driven by a SIEMOrgForwarder custom resource. The resource acts as the configuration for the export pipeline: it names the external SIEM instance that receives the logs, the credential used to authenticate to it, and the transport settings. By defining these parameters in a SIEMOrgForwarder resource, administrators establish a streamlined log export pipeline; whether it is also a secure one depends on the transport settings you choose, which are called out in the configuration steps.
Before you begin
To get the permissions that you need to manage SIEMOrgForwarder custom resources, ask your Organization IAM Admin to grant you one of the associated SIEM Export Org roles.
Depending on the level of access and permissions you need, you might obtain the creator, editor, or viewer role for this resource in your project namespace. For more information, see Prepare IAM permissions.
After obtaining the necessary permissions, complete these steps prior to exporting logs to an external SIEM system:
Establish connectivity: Ensure a connection exists between GDC and the external SIEM destination. If needed, collaborate with the Infrastructure Operator (IO) to establish an uplink connection to your customer network.
Set environment variables: Set the following environment variables to run the commands from this page:
The path of the kubeconfig file:
export KUBECONFIG=KUBECONFIG_PATH
Replace KUBECONFIG_PATH with the path to the kubeconfig file for the Management API server.
Your project namespace:
export PROJECT_NAMESPACE=PROJECT_NAMESPACE
Replace PROJECT_NAMESPACE with the name of your project namespace.
Configure log export
Export logs to an external SIEM system:
Provide a token to connect the logging stack to the SIEM system. To do this, create a secret in your project namespace to store the token:
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: SECRET_NAME
  namespace: ${PROJECT_NAMESPACE}
type: Opaque
stringData:
  SECRET_FIELD: TOKEN
EOF
Replace the following:
SECRET_NAME: the name of your secret.
SECRET_FIELD: the name of the field where you want to store the token.
TOKEN: your token.
The token is stored as a Kubernetes Secret, so anyone who can read Secrets in the project namespace can read it; keep Secret read access in the namespace to the roles that need it. When you type the heredoc above into an interactive shell, the token also ends up in your shell history; load it from a file or a variable instead if that is a concern.
Deploy the SIEMOrgForwarder custom resource in your project namespace. You must specify the log type by choosing between audit and operational logs. To export both log types, deploy one SIEMOrgForwarder resource for each type.
The following example shows how to apply a configuration to a SIEMOrgForwarder custom resource:
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
  name: SIEM_ORG_FORWARDER
  namespace: ${PROJECT_NAMESPACE}
spec:
  source: LOG_TYPE
  splunkOutputs:
  - host: SIEM_HOST
    token:
      name: SECRET_NAME
      field: SECRET_FIELD
    tls: "TLS"
    netConnectTimeout: NET_CONNECT_TIMEOUT
EOF
Replace the following:
SIEM_ORG_FORWARDER: the name of the SIEMOrgForwarder resource (its metadata.name).
LOG_TYPE: the log type you are exporting. Accepted values are audit and operational.
SIEM_HOST: the name of the SIEM host.
SECRET_NAME: the name of the secret you created in the previous step.
SECRET_FIELD: the name of the field in that secret where you stored the token.
TLS: whether Transport Layer Security (TLS) is used for the connection to the SIEM host. Accepted values are "On" and "Off". With "Off", the token and every exported log line cross the uplink in plaintext, so keep TLS "On" for any connection that leaves the GDC environment; audit logs in particular carry identities and actions you do not want readable on the wire.
NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of 180 means to wait 180 seconds.
Verify the status of the deployed SIEMOrgForwarder custom resource:
kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_ORG_FORWARDER \
  -n ${PROJECT_NAMESPACE}
According to the log type, check for the following status:
- Audit logs: Check the AuditLoggingReady status.
- Operational logs: Check the OperationalLoggingReady status.
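The three steps above as one script, for the common case of exporting both log types. This is an added example, not code from the GDC documentation: it renders the Secret and one SIEMOrgForwarder per log type with the same fields as the manifests on this page, refuses tls: "Off" unless you explicitly opt in, applies the manifests, and polls kubectl describe until the log type's readiness condition reports True. The resource names, the SIEM host, the field name hecToken, and the assumption that describe prints each condition as a Status: line followed by a Type: line (the layout kubectl uses for status.conditions) are assumptions of this example, not statements from the page.

```shell
#!/bin/sh
# Added example (not from the GDC documentation). Renders and applies the
# Secret and one SIEMOrgForwarder per log type, then waits for readiness.
# Assumed: resource names, SIEM host, field name, and the describe layout
# parsed in condition_status (Status: line followed by Type: line).
set -eu

render_secret() {
  # $1 secret name, $2 namespace, $3 field name, $4 token value
  # The token is quoted so YAML-significant characters (':', '#') survive;
  # a token containing '"' or '\' would still need escaping.
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\nstringData:\n  %s: "%s"\n' \
    "$1" "$2" "$3" "$4"
}

render_forwarder() {
  # $1 name, $2 namespace, $3 log type, $4 SIEM host, $5 secret name,
  # $6 secret field, $7 TLS ("On"/"Off"), $8 connect timeout in seconds
  case "$3" in
    audit|operational) ;;
    *) echo "render_forwarder: log type must be audit or operational, got '$3'" >&2; return 1 ;;
  esac
  case "$7" in
    On|Off) ;;
    *) echo "render_forwarder: tls must be On or Off, got '$7'" >&2; return 1 ;;
  esac
  # Plaintext export sends the token and every log line unencrypted over the
  # uplink; refuse it unless the caller opts in with ALLOW_PLAINTEXT=1.
  if [ "$7" = "Off" ] && [ "${ALLOW_PLAINTEXT:-0}" != "1" ]; then
    echo "render_forwarder: refusing tls \"Off\" (set ALLOW_PLAINTEXT=1 to override)" >&2
    return 1
  fi
  printf 'apiVersion: logging.gdc.goog/v1\nkind: SIEMOrgForwarder\nmetadata:\n  name: %s\n  namespace: %s\nspec:\n  source: %s\n  splunkOutputs:\n  - host: %s\n    token:\n      name: %s\n      field: %s\n    tls: "%s"\n    netConnectTimeout: %s\n' \
    "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8"
}

ready_condition() {
  # Map a log type to the status condition this page says to check.
  case "$1" in
    audit) echo AuditLoggingReady ;;
    operational) echo OperationalLoggingReady ;;
    *) return 1 ;;
  esac
}

condition_status() {
  # $1 condition type. Reads `kubectl describe` output on stdin and prints the
  # Status value of that condition (prints nothing if the condition is absent).
  awk -v want="$1" '
    /^[[:space:]]*Status:/ { status = $2 }
    /^[[:space:]]*Type:/ && $2 == want { print status; exit }
  '
}

wait_ready() {
  # $1 forwarder name, $2 namespace, $3 log type, $4 number of checks, 10 s apart
  cond=$(ready_condition "$3")
  st=""
  i=0
  while [ "$i" -lt "$4" ]; do
    st=$(kubectl --kubeconfig="$KUBECONFIG" describe "siemorgforwarder/$1" -n "$2" \
      | condition_status "$cond")
    [ "$st" = "True" ] && return 0
    i=$((i + 1))
    sleep 10
  done
  echo "$1: $cond is '$st', not True after $4 checks" >&2
  return 1
}

# Run as `./export-logs.sh apply` with KUBECONFIG, PROJECT_NAMESPACE and
# SIEM_TOKEN set. The names and host below are assumed values.
if [ "${1:-}" = "apply" ]; then
  : "${KUBECONFIG:?}" "${PROJECT_NAMESPACE:?}" "${SIEM_TOKEN:?}"
  render_secret siem-token "$PROJECT_NAMESPACE" hecToken "$SIEM_TOKEN" \
    | kubectl --kubeconfig="$KUBECONFIG" apply -f -
  for t in audit operational; do
    render_forwarder "siem-$t" "$PROJECT_NAMESPACE" "$t" siem.example.internal \
      siem-token hecToken On 180 | kubectl --kubeconfig="$KUBECONFIG" apply -f -
    wait_ready "siem-$t" "$PROJECT_NAMESPACE" "$t" 12
  done
fi
```

The readiness check is what makes this usable in automation: kubectl apply succeeds as soon as the resource is accepted, long before the forwarder has connected to the SIEM host, so a pipeline that stops at apply will not notice a wrong host, an expired token, or a blocked uplink. The wait loop gives the connection up to netConnectTimeout worth of attempts before failing the run.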