Tags: google-cloud-platform, stackdriver, fluentd, google-cloud-stackdriver

Production Access controls for GoogleCloud using Stackdriver


How have people implemented Production Access Controls (i.e. logging and reporting on access to compute instances by services and humans over SSH)? Our goal is to forward all user logon entries to our SIEM consistently across projects and ideally avoid having project-specific Stackdriver sinks (and the associated setup and maintenance).

We've tried the following:

  • Enabled auth log forwarding in Fluentd as only syslog is done by default
  • Enabled organization level sinks that send to a topic (to forward on to SIEM via HTTP subscriber) that include all children
  • Can see syslog/auth at the project level for non-Container OS images (i.e. Ubuntu)

Issues we're seeing:

  • Limited documentation on filter format at org level (seems to differ from project level for things like logName). The log_id function does appear to work
  • Some log types appear at the org level (things like cloudapis activity) but syslog does not appear to get processed
  • Container OS appears to not enable ssh/sudo forwarding by default in fluentd (or I haven't found which log type has this data). I do see this logged to journalctl on a test node

Does anyone have a consistent way to achieve this?


Solution

In case anyone else comes across this, we found the following:

  • It is possible to set up Stackdriver sinks at org level through the CLI. They are not visible through the Cloud Console UI, and the CLI also does not allow you to list log types at org level
  • Filters can be defined on the sinks in addition to logName, but the format can differ from project-level filters
  • You need to enable auth log logging in fluentd, which is platform specific (i.e. the process for google-fluentd on Ubuntu is different from the Stackdriver setup on Container OS)
  • SSHD for some reason does not log the initial line stating user and IP through syslog (and thus fluentd), and it is therefore not visible to Stackdriver
  • Use of org sinks to topics in a child project with a subscription to forward to your SIEM of choice works well

Still trying to get logs of gcloud ssh commands.
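The subscriber side of the approach in this answer (org sink → Pub/Sub topic → HTTP subscriber → SIEM) still has to turn each delivered LogEntry into something the SIEM can alert on. The following is an added example, not code from the question or answer: it decodes a Pub/Sub push body, reads the line from `textPayload` (google-fluentd syslog/auth tail) or `jsonPayload.MESSAGE` (assumed shape for journald-sourced entries such as Container-Optimized OS), and normalizes sshd "Accepted" logins and sudo invocations into flat events. The LogEntry layout, field names and sample lines are constructed for the example.

```python
import base64
import json
import re

# sshd success line, e.g. "Accepted publickey for alice from 203.0.113.5 port 50212 ssh2: ..."
SSHD_ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.:a-fA-F]+) port (?P<port>\d+)"
)
# sudo line, e.g. "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"
SUDO_CMD = re.compile(
    r"(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def extract_message(entry):
    """Return the raw log line: textPayload for syslog-style entries, or
    jsonPayload.MESSAGE for journald-style entries (assumed field name)."""
    if "textPayload" in entry:
        return entry["textPayload"]
    return entry.get("jsonPayload", {}).get("MESSAGE", "")


def normalize(entry):
    """Map a syslog/auth LogEntry to a flat SIEM event; None if it is not a logon or sudo record."""
    msg = extract_message(entry)
    labels = entry.get("resource", {}).get("labels", {})
    base = {
        "project": labels.get("project_id"),  # which child project the VM lives in
        "instance": labels.get("instance_id"),
        "time": entry.get("timestamp"),
        "log": entry.get("logName", "").rsplit("/", 1)[-1],  # e.g. "syslog" or "auth"
    }
    m = SSHD_ACCEPTED.search(msg)
    if m:
        return {**base, "event": "ssh_login", **m.groupdict()}
    m = SUDO_CMD.search(msg)
    if m:
        return {**base, "event": "sudo", **m.groupdict()}
    return None


def handle_push(body):
    """Decode a Pub/Sub push delivery ({"message": {"data": <base64 LogEntry JSON>}})."""
    entry = json.loads(base64.b64decode(body["message"]["data"]))
    return normalize(entry)


def sample_push(text):
    """Constructed push body wrapping a gce_instance LogEntry with the given syslog line."""
    entry = {"logName": "projects/demo-proj/logs/syslog", "timestamp": "2019-01-01T00:00:00Z",
             "resource": {"type": "gce_instance", "labels": {"project_id": "demo-proj", "instance_id": "123"}},
             "textPayload": text}
    return {"message": {"data": base64.b64encode(json.dumps(entry).encode()).decode()}}
```

Entries that return None (cron sessions, pam noise) can be dropped before forwarding, which keeps the SIEM feed to the logon and privilege-escalation records the question is after.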