This page describes the process for the Platform Administrator (PA) to export logs in Google Distributed Cloud (GDC) air-gapped to an external Security Information and Event Management (SIEM) system.
Before you begin
Before exporting logs to an external SIEM system, follow these steps:
Verify that a connection between GDC and the external SIEM destination is established. If necessary, work with the Infrastructure Operator (IO) to set up an uplink connection to your customer network.
Set the path of the kubeconfig file as an environment variable:
export KUBECONFIG=KUBECONFIG_FILE
Replace KUBECONFIG_FILE with the path to the kubeconfig file in your organization's admin cluster from where you want to export logs.
Set your GDC username as an environment variable:
export USER=YOUR_USERNAME
Set your GDC project namespace as an environment variable:
export PROJECT_NAMESPACE=PROJECT_NAMESPACE
To get the permissions that you need to export logs to an external SIEM system, ask your Organization IAM Admin to grant you one of the following roles by defining a role binding for your project namespace:
The SIEM Export Org Creator (siemexport-org-creator) role. If no one has deployed the SIEMOrgForwarder CR in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you deploy the SIEMOrgForwarder CR:
kubectl create rolebinding siemexport-org-creator-rolebinding \
  --kubeconfig=IAM_ORG_KUBECONFIG \
  --user USERNAME \
  --role siemexport-org-creator \
  --namespace PROJECT_NAMESPACE
The SIEM Export Org Editor (siemexport-org-editor) role. If the SIEMOrgForwarder CR already exists in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you edit the SIEMOrgForwarder CR:
kubectl create rolebinding siemexport-org-editor-rolebinding \
  --kubeconfig=IAM_ORG_KUBECONFIG \
  --user USERNAME \
  --role siemexport-org-editor \
  --namespace PROJECT_NAMESPACE
The SIEM Export Org Viewer (siemexport-org-viewer) role. If the SIEMOrgForwarder CR already exists in your namespace and you only need to view it, you need this role. The Organization IAM Admin creates a role binding to let you view the SIEMOrgForwarder CR:
kubectl create rolebinding siemexport-org-viewer-rolebinding \
  --kubeconfig=IAM_ORG_KUBECONFIG \
  --user USERNAME \
  --role siemexport-org-viewer \
  --namespace PROJECT_NAMESPACE
Replace the following:
IAM_ORG_KUBECONFIG: the path to the organization IAM administrator kubeconfig file in the org admin cluster.
USERNAME: the username that requires the role binding.
PROJECT_NAMESPACE: the project namespace that requires the role binding.
Configure logs export
To export logs to an external SIEM system, follow these steps:
Deploy a SIEM token as a secret in your project namespace:
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: SECRET_NAME
  namespace: ${PROJECT_NAMESPACE}
type: Opaque
stringData:
  SECRET_FIELD: TOKEN
EOF
Replace the following:
SECRET_NAME: the name of your secret.
SECRET_FIELD: the name of the field where you want to store the secret.
TOKEN: your SIEM token.
You provide a SIEM token to connect the logging stack to the SIEM system.
You can have different tokens for audit and operational logs. In this case, you must deploy two secrets, one with the token for audit logs and the other with the token for operational logs. You must reference the corresponding secret name in the SIEMOrgForwarder CR for audit and operational logs, as shown in the following step.
Deploy the SIEMOrgForwarder CR in your project namespace.
Specify the log type by choosing between audit or operational logs. To configure the log export for both log types, you must deploy two SIEMOrgForwarder CRs, one for each type.
Audit logs
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
  name: SIEM_AUDIT_NAME
  namespace: ${PROJECT_NAMESPACE}
spec:
  source: audit
  splunkOutputs:
  - host: SIEM_HOST
    token:
      name: SECRET_NAME
      field: SECRET_FIELD
    tls: "TLS"
    netConnectTimeout: NET_CONNECT_TIMEOUT
EOF
Replace the following:
SIEM_AUDIT_NAME: the name you want to give to the SIEMOrgForwarder CR for audit logs.
SIEM_HOST: the name of the SIEM host for audit logs.
SECRET_NAME: the name of your secret for audit logs.
SECRET_FIELD: the name of the field where you stored the secret for audit logs.
TLS: the status of the Transport Layer Security (TLS). Accepted values are "On" and "Off".
NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of 180 means to wait 180 seconds for a connection to be established.
Operational logs
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
  name: SIEM_OPS_NAME
  namespace: ${PROJECT_NAMESPACE}
spec:
  source: operational
  splunkOutputs:
  - host: SIEM_HOST
    token:
      name: SECRET_NAME
      field: SECRET_FIELD
    tls: "TLS"
    netConnectTimeout: NET_CONNECT_TIMEOUT
EOF
Replace the following:
SIEM_OPS_NAME: the name you want to give to the SIEMOrgForwarder CR for operational logs.
SIEM_HOST: the name of the SIEM host for operational logs.
SECRET_NAME: the name of your secret for operational logs.
SECRET_FIELD: the name of the field where you stored the secret for operational logs.
TLS: the status of the Transport Layer Security (TLS). Accepted values are "On" and "Off".
NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of 180 means to wait 180 seconds for a connection to be established.
Verify the status of the deployed CRs for audit or operational logs.
Audit logs
Verify the AuditLoggingReady status:
kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_AUDIT_NAME -n ${PROJECT_NAMESPACE}
Operational logs
Verify the OperationalLoggingReady status:
kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_OPS_NAME -n ${PROJECT_NAMESPACE}