Skip to main content
Solved

Forwarder audit logs

  • January 3, 2025
  • 8 replies
  • 106 views
R
Forum|alt.badge.img+8

Hello community , how i can identify forwarder logs in the audit logs ?
thanks in advance

Best answer by ashnaiku

 
You (or your Administrator) will need access to GCP to start with. Once the logs are forwarded you will see it in SIEM.
 
You will need to make change in GCP Console --> Security-->Google SecOps--> Ingestion
On this tab Enable - 
1.Google Cloud logging
Ingest and analyze data from Google Cloud Logging.
2.Cloud Asset Metadata
Ingest and analyze data from Google Cloud Asset Inventory.
 
 

 

8 replies

rajukg11
Staff
Forum|alt.badge.img+6
  • rajukg11
  • Staff
  • January 3, 2025

You may use this query in logs explorer and choose the time range:

resource.type="audited_resource"
resource.labels.service="chronicle.googleapis.com"
protoPayload.resourceName=~"<your_forwarder_id_uuid>"
    hzmndt
    Staff
    Forum|alt.badge.img+9
    • hzmndt
    • Staff
    • January 5, 2025

    use GCP cloud monitoring can check the forwarder metrics

     
    To check the actual logs, you can use docker command:

    sudo docker logs cfps

    sudo docker logs cfps -f

    docker logs cfps &> logs.txt

      R
      Forum|alt.badge.img+8
      • Rached1996Silver 2
      • Author
      • Silver 2
      • January 6, 2025

      use GCP cloud monitoring can check the forwarder metrics

       
      To check the actual logs, you can use docker command:

      sudo docker logs cfps

      sudo docker logs cfps -f

      docker logs cfps &> logs.txt


      Hello ,
      Thank you for your reply

      how i can ingest forwarder metrics into chronicle , thanks 

      A
      Staff
      Forum|alt.badge.img+3
      • ashnaiku
      • Staff
      • January 6, 2025

      You can do the below -

      To set up notifications that monitor ingestion health metrics specific to Google SecOps, do the following:

      1. In the Google Cloud console, select Monitoring.

      2. In the navigation pane, select Alerting and then click Create policy.

      3. On the Select a metric page, click Select a metric.

      See this link for details https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics#forwardermetricandfilters

      rajukg11
      Staff
      Forum|alt.badge.img+6
      • rajukg11
      • Staff
      • January 6, 2025

      Hello ,
      Thank you for your reply

      how i can ingest forwarder metrics into chronicle , thanks 


      I am not sure if I understood your question.  The forwarder metrics automatically are sent to cloud monitoring.  You don't have to setup anything.  To monitor metrics then you can follow the instructions from Ash.  The forwarder logs can be viewed in the Logs explorer as I mentioned above.

      R
      Forum|alt.badge.img+8
      • Rached1996Silver 2
      • Author
      • Silver 2
      • January 7, 2025

      I am not sure if I understood your question.  The forwarder metrics automatically are sent to cloud monitoring.  You don't have to setup anything.  To monitor metrics then you can follow the instructions from Ash.  The forwarder logs can be viewed in the Logs explorer as I mentioned above.


      And if i don't have Access to GCP ? I have only access on the SIEM 
      These logs can be retrieved on the siem ? what configuration should be done from GCP team to send forwarder logs to the siem ?

       

      ScottieJ
      Staff
      Forum|alt.badge.img+4
      • ScottieJ
      • Staff
      • January 7, 2025

      And if i don't have Access to GCP ? I have only access on the SIEM 
      These logs can be retrieved on the siem ? what configuration should be done from GCP team to send forwarder logs to the siem ?

       


      You may have a couple of options (disclaimer, I have not tested this and would welcome comments)

      Possible Option 1:

      • Create a log sink that exports the specific logs you need to a Pub/Sub topic.
      • Configure SecOps SIEM to ingest logs from that Pub/Sub topic.
      • This would require creating a new Feed in SecOps to ingest the Pub/Sub topic
      • It's likely this would also require creating a custom Data Parser in SecOps
      • Reference: Integrate Pub/Sub with Google SecOps

      Possible Option 2: 

      In either case, assuming the raw data is successfully converted to UDM, you would likely want to create a custom Yara-L rule for any event of interest for Alerting and possibly a custom SOAR playbook to take appropriate actions.

       

        A
        Staff
        Forum|alt.badge.img+3
        • ashnaiku
        • Staff
        • Answer
        • January 7, 2025
         
        You (or your Administrator) will need access to GCP to start with. Once the logs are forwarded you will see it in SIEM.
         
        You will need to make change in GCP Console --> Security-->Google SecOps--> Ingestion
        On this tab Enable - 
        1.Google Cloud logging
        Ingest and analyze data from Google Cloud Logging.
        2.Cloud Asset Metadata
        Ingest and analyze data from Google Cloud Asset Inventory.
         
         

         

        Terms & ConditionsCookie settingsAccessibility statement
        Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

        © 2025 Google. All rights reserved.