Export logs to external SIEM system

This page describes the process for the Platform Administrator (PA) to export logs in Google Distributed Cloud (GDC) air-gapped to an external Security Information and Event Management (SIEM) system.

Before you begin

Before exporting logs to an external SIEM system, follow these steps:

  1. Verify that a connection between GDC and the external SIEM destination is established. If necessary, work with the Infrastructure Operator (IO) to set up an uplink connection to your customer network.

  2. Set the path of the kubeconfig file as an environment variable:

    export KUBECONFIG=KUBECONFIG_FILE
    

    Replace KUBECONFIG_FILE with the path to the kubeconfig file of the admin cluster in your organization from which you want to export logs.

  3. Set your GDC username as an environment variable:

    export USER=YOUR_USERNAME
    
  4. Set your GDC project namespace as an environment variable:

    export PROJECT_NAMESPACE=PROJECT_NAMESPACE
    
  5. To get the permissions that you need to export logs to an external SIEM system, ask your Organization IAM Admin to grant you one of the following roles by defining a role binding for your project namespace:

    • The SIEM Export Org Creator (siemexport-org-creator) role.

      If no one has deployed the SIEMOrgForwarder CR in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you deploy the SIEMOrgForwarder CR:

      kubectl \
        create rolebinding siemexport-org-creator-rolebinding \
        --kubeconfig=IAM_ORG_KUBECONFIG \
        --user USERNAME \
        --role siemexport-org-creator \
        --namespace PROJECT_NAMESPACE
      
    • The SIEM Export Org Editor (siemexport-org-editor) role.

      If the SIEMOrgForwarder CR already exists in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you edit the SIEMOrgForwarder CR:

      kubectl \
        create rolebinding siemexport-org-editor-rolebinding \
        --kubeconfig=IAM_ORG_KUBECONFIG \
        --user USERNAME \
        --role siemexport-org-editor \
        --namespace PROJECT_NAMESPACE
      
    • The SIEM Export Org Viewer (siemexport-org-viewer) role.

      If the SIEMOrgForwarder CR already exists in your namespace and you only need to view it, you need this role. The Organization IAM Admin creates a role binding to let you view the SIEMOrgForwarder CR:

      kubectl \
        create rolebinding siemexport-org-viewer-rolebinding \
        --kubeconfig=IAM_ORG_KUBECONFIG \
        --user USERNAME \
        --role siemexport-org-viewer \
        --namespace PROJECT_NAMESPACE
      

    Replace the following:

    • IAM_ORG_KUBECONFIG: the path to the organization IAM administrator kubeconfig file in the org admin cluster.
    • USERNAME: the username that requires the role binding.
    • PROJECT_NAMESPACE: the project namespace that requires the role binding.

Configure log export

To export logs to an external SIEM system, follow these steps:

  • Deploy a SIEM token as a secret in your project namespace:

    cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: SECRET_NAME
      namespace: ${PROJECT_NAMESPACE}
    type: Opaque
    stringData:
      SECRET_FIELD: TOKEN
    EOF
    

    Replace the following:

    • SECRET_NAME: the name of your secret.
    • SECRET_FIELD: the name of the field where you want to store the secret.
    • TOKEN: your SIEM token.

    You provide a SIEM token to connect the logging stack to the SIEM system.

    You can have different tokens for audit and operational logs. In this case, you must deploy two secrets, one with the token for audit logs and the other with the token for operational logs. You must reference the corresponding secret name in the SIEMOrgForwarder CR for audit and operational logs, as shown in the following step.

  • Deploy the SIEMOrgForwarder CR in your project namespace.

    Specify the log type: audit or operational. To configure log export for both log types, you must deploy two SIEMOrgForwarder CRs, one for each type.

    Audit logs

    cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
    apiVersion: logging.gdc.goog/v1
    kind: SIEMOrgForwarder
    metadata:
      name: SIEM_AUDIT_NAME
      namespace: ${PROJECT_NAMESPACE}
    spec:
      source: audit
      splunkOutputs:
        - host: SIEM_HOST
          token:
            name: SECRET_NAME
            field: SECRET_FIELD
          tls: "TLS"
          netConnectTimeout: NET_CONNECT_TIMEOUT
    EOF
    

    Replace the following:

    • SIEM_AUDIT_NAME: the name you want to give to the SIEMOrgForwarder CR for audit logs.
    • SIEM_HOST: the name of the SIEM host for audit logs.
    • SECRET_NAME: the name of your secret for audit logs.
    • SECRET_FIELD: the name of the field where you stored the secret for audit logs.
    • TLS: whether Transport Layer Security (TLS) is enabled for the connection to the SIEM host. Accepted values are "On" and "Off".
    • NET_CONNECT_TIMEOUT: the maximum time, in seconds, to wait for a connection to be established. For example, a value of 180 waits up to 180 seconds for the connection.

    Operational logs

    cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
    apiVersion: logging.gdc.goog/v1
    kind: SIEMOrgForwarder
    metadata:
      name: SIEM_OPS_NAME
      namespace: ${PROJECT_NAMESPACE}
    spec:
      source: operational
      splunkOutputs:
        - host: SIEM_HOST
          token:
            name: SECRET_NAME
            field: SECRET_FIELD
          tls: "TLS"
          netConnectTimeout: NET_CONNECT_TIMEOUT
    EOF
    

    Replace the following:

    • SIEM_OPS_NAME: the name you want to give to the SIEMOrgForwarder CR for operational logs.
    • SIEM_HOST: the name of the SIEM host for operational logs.
    • SECRET_NAME: the name of your secret for operational logs.
    • SECRET_FIELD: the name of the field where you stored the secret for operational logs.
    • TLS: whether Transport Layer Security (TLS) is enabled for the connection to the SIEM host. Accepted values are "On" and "Off".
    • NET_CONNECT_TIMEOUT: the maximum time, in seconds, to wait for a connection to be established. For example, a value of 180 waits up to 180 seconds for the connection.

  • Verify the status of the deployed CRs for audit or operational logs.

    Audit logs

    Verify the AuditLoggingReady status:

    kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_AUDIT_NAME -n ${PROJECT_NAMESPACE}
    

    Operational logs

    Verify the OperationalLoggingReady status:

    kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_OPS_NAME -n ${PROJECT_NAMESPACE}
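The following shell script is an added example, not part of the GDC documentation or the product's own tooling. It wraps the "Deploy the SIEMOrgForwarder CR" and "Verify the status" steps above: a render_siem_forwarder function checks the placeholder values (source must be audit or operational, tls must be "On" or "Off", netConnectTimeout must be a positive integer, no identifier may be empty) and only then emits the manifest in the layout shown on this page, so a mistyped value is caught locally instead of by the API server. The wait_for_ready function is a convenience for the verification step and assumes the AuditLoggingReady / OperationalLoggingReady status is reported as an entry in status.conditions of the CR; if your cluster reports it differently, adjust the jsonpath. Nothing in the script talks to a cluster unless you pipe its output into kubectl or call wait_for_ready yourself.

```shell
#!/bin/sh
# Added example (not from the GDC docs): validate and render a
# SIEMOrgForwarder manifest, then optionally wait for its readiness condition.
# Assumption: the manifest layout matches the examples on the page.

# Usage: render_siem_forwarder NAME SOURCE HOST SECRET_NAME SECRET_FIELD TLS TIMEOUT NAMESPACE
# Prints the manifest on stdout and returns 0, or prints an error and returns 1.
render_siem_forwarder() {
  name=$1; source=$2; host=$3; secret=$4; field=$5; tls=$6; timeout=$7; ns=$8

  # The CR supports exactly two log sources.
  case "$source" in
    audit|operational) ;;
    *) echo "error: source must be 'audit' or 'operational', got '$source'" >&2; return 1 ;;
  esac
  # tls is a quoted string in the manifest and accepts only "On" or "Off".
  case "$tls" in
    On|Off) ;;
    *) echo "error: tls must be 'On' or 'Off', got '$tls'" >&2; return 1 ;;
  esac
  # netConnectTimeout is a number of seconds; reject anything that is not a positive integer.
  case "$timeout" in
    ''|*[!0-9]*) echo "error: netConnectTimeout must be an integer, got '$timeout'" >&2; return 1 ;;
  esac
  [ "$timeout" -gt 0 ] || { echo "error: netConnectTimeout must be greater than 0" >&2; return 1; }
  # Refuse empty identifiers rather than emitting a manifest the API server will reject.
  for v in "$name" "$host" "$secret" "$field" "$ns"; do
    [ -n "$v" ] || { echo "error: name, host, secret name, secret field and namespace are all required" >&2; return 1; }
  done
  # With tls Off the exported logs and the SIEM token cross the uplink in cleartext.
  [ "$tls" = "On" ] || echo "warning: tls is Off; logs and the SIEM token are sent unencrypted" >&2

  cat <<EOF
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
  name: $name
  namespace: $ns
spec:
  source: $source
  splunkOutputs:
    - host: $host
      token:
        name: $secret
        field: $field
      tls: "$tls"
      netConnectTimeout: $timeout
EOF
}

# Usage: wait_for_ready NAME NAMESPACE CONDITION [ATTEMPTS]
# CONDITION is AuditLoggingReady or OperationalLoggingReady. Polls every 10 seconds.
# Assumption (hypothetical): the condition lives under .status.conditions[].
wait_for_ready() {
  name=$1; ns=$2; cond=$3; attempts=${4:-30}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    status=$(kubectl --kubeconfig="$KUBECONFIG" get siemorgforwarder "$name" -n "$ns" \
      -o jsonpath="{.status.conditions[?(@.type==\"$cond\")].status}" 2>/dev/null)
    [ "$status" = "True" ] && { echo "$cond is True for $name"; return 0; }
    i=$((i + 1))
    sleep 10
  done
  echo "error: $cond did not become True for $name within $((attempts * 10)) seconds" >&2
  return 1
}

# Example invocation with constructed values; pipe into
#   kubectl --kubeconfig="$KUBECONFIG" apply -f -
# to deploy it for real.
render_siem_forwarder siem-audit audit siem.example.internal siem-audit-token token On 180 my-project
```

Running the script by itself only prints a manifest. To deploy, pipe that output into `kubectl --kubeconfig="$KUBECONFIG" apply -f -` and then call `wait_for_ready siem-audit my-project AuditLoggingReady`; for the operational forwarder use `source operational` and the OperationalLoggingReady condition, referencing the second secret if you keep separate tokens.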