This page describes the process for the Platform Administrator (PA) to export logs in Google Distributed Cloud (GDC) air-gapped to an external Security Information and Event Management (SIEM) system.
Before you begin
Before exporting logs to an external SIEM system, follow these steps:
Verify that a connection between GDC and the external SIEM destination is established. If necessary, work with the Infrastructure Operator (IO) to set up an uplink connection to your customer network.
Set the path of the kubeconfig file as an environment variable:
export KUBECONFIG=KUBECONFIG_FILEReplace
KUBECONFIG_FILEwith the path to the kubeconfig file in your organization's admin cluster from where you want to export logs.Set your GDC username as an environment variable:
export USER=YOUR_USERNAMESet your GDC project namespace as an environment variable:
export PROJECT_NAMESPACE=PROJECT_NAMESPACETo get the permissions that you need to export logs to an external SIEM system, ask your Organization IAM Admin to grant you one of the following roles by defining a role binding for your project namespace:
The SIEM Export Org Creator (
siemexport-org-creator) role.If no one has deployed the
SIEMOrgForwarderCR in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you deploy theSIEMOrgForwarderCR:kubectl \ create rolebinding siemexport-org-creator-rolebinding \ --kubeconfig=IAM_ORG_KUBECONFIG \ --user USERNAME \ --role siemexport-org-creator \ --namespace PROJECT_NAMESPACEThe SIEM Export Org Editor (
siemexport-org-editor) role.If the
SIEMOrgForwarderCR already exists in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you edit theSIEMOrgForwarderCR:kubectl \ create rolebinding siemexport-org-editor-rolebinding \ --kubeconfig=IAM_ORG_KUBECONFIG \ --user USERNAME \ --role siemexport-org-editor \ --namespace PROJECT_NAMESPACEThe SIEM Export Org Viewer (
siemexport-org-viewer) role.If the
SIEMOrgForwarderCR already exists in your namespace and you only need to visualize it, you need this role. The Organization IAM Admin creates a role binding to let you view theSIEMOrgForwarderCR:kubectl \ create rolebinding siemexport-org-viewer-rolebinding \ --kubeconfig=IAM_ORG_KUBECONFIG \ --user USERNAME \ --role siemexport-org-viewer \ --namespace PROJECT_NAMESPACE
Replace the following:
IAM_ORG_KUBECONFIG: the path to the organization IAM administrator kubeconfig file in the org admin cluster.USERNAME: the username that requires the role binding.PROJECT_NAMESPACE: the project namespace that requires the role binding.
Configure logs export
To export logs to an external SIEM system, follow these steps:
Deploy a SIEM token as a secret in your project namespace:
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: v1
kind: Secret
metadata:
name: SECRET_NAME
namespace: ${PROJECT_NAMESPACE}
type: Opaque
stringData:
SECRET_FIELD: TOKEN
EOF
Replace the following:
SECRET_NAME: the name of your secret.SECRET_FIELD: the name of the field where you want to store the secret.TOKEN: your SIEM token.
You provide a SIEM token to connect the logging stack to the SIEM system.
You can have different tokens for audit and operational logs. In this case, you must deploy two secrets, one with the token for audit logs and the other with the token for operational logs. You must reference the corresponding secret name in the SIEMOrgForwarder CR for audit and operational logs, as shown in the following step.
Deploy the SIEMOrgForwarder CR in your project namespace.
Specify the log type by choosing between audit or operational logs. To configure the log export for both log types, you must deploy two SIEMOrgForwarder CRs, one for each type.
Audit logs
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
name: SIEM_AUDIT_NAME
namespace: ${PROJECT_NAMESPACE}
spec:
source: audit
splunkOutputs:
- host: SIEM_HOST
token:
name: SECRET_NAME
field: SECRET_FIELD
tls: "TLS"
netConnectTimeout: NET_CONNECT_TIMEOUT
EOF
Replace the following:
SIEM_AUDIT_NAME: the name you want to give to theSIEMOrgForwarderCR for audit logs.SIEM_HOST: the name of the SIEM host for audit logs.SECRET_NAME: the name of your secret for audit logs.SECRET_FIELD: the name of the field where you stored the secret for audit logs.TLS: the status of the Transport Layer Security (TLS). Accepted values are"On"and"Off".NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of180means to wait 180 seconds for a connection to be established.
Operational logs
cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
name: SIEM_OPS_NAME
namespace: ${PROJECT_NAMESPACE}
spec:
source: operational
splunkOutputs:
- host: SIEM_HOST
token:
name: SECRET_NAME
field: SECRET_FIELD
tls: "TLS"
netConnectTimeout: NET_CONNECT_TIMEOUT
EOF
Replace the following:
SIEM_OPS_NAME: the name you want to give to theSIEMOrgForwarderCR for operational logs.SIEM_HOST: the name of the SIEM host for operational logs.SECRET_NAME: the name of your secret for operational logs.SECRET_FIELD: the name of the field where you stored the secret for operational logs.TLS: the status of the Transport Layer Security (TLS). Accepted values are"On"and"Off".NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of180means to wait 180 seconds for a connection to be established.
Verify the status of the deployed CRs for audit or operational logs.
Audit logs
Verify the AuditLoggingReady status:
kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_AUDIT_NAME -n ${PROJECT_NAMESPACE}
Operational logs
Verify the OperationalLoggingReady status:
kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_OPS_NAME -n ${PROJECT_NAMESPACE}