Hello community , how i can identify forwarder logs in the audit logs ?
thanks in advance
Page 1 / 1
You may use this query in logs explorer and choose the time range:
resource.type="audited_resource"
resource.labels.service="chronicle.googleapis.com"
protoPayload.resourceName=~"<your_forwarder_id_uuid>"
use GCP cloud monitoring can check the forwarder metrics
To check the actual logs, you can use docker command:
sudo docker logs cfps
sudo docker logs cfps -f
docker logs cfps &> logs.txt
use GCP cloud monitoring can check the forwarder metrics
To check the actual logs, you can use docker command:
sudo docker logs cfps
sudo docker logs cfps -f
docker logs cfps &> logs.txt
Hello ,
Thank you for your reply
how i can ingest forwarder metrics into chronicle , thanks
You can do the below -
To set up notifications that monitor ingestion health metrics specific to Google SecOps, do the following:
In the Google Cloud console, select Monitoring.
In the navigation pane, select Alerting and then click Create policy.
On the Select a metric page, click Select a metric.
See this link for details https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics#forwardermetricandfilters
Hello ,
Thank you for your reply
how i can ingest forwarder metrics into chronicle , thanks
I am not sure if I understood your question. The forwarder metrics automatically are sent to cloud monitoring. You don't have to setup anything. To monitor metrics then you can follow the instructions from Ash. The forwarder logs can be viewed in the Logs explorer as I mentioned above.
I am not sure if I understood your question. The forwarder metrics automatically are sent to cloud monitoring. You don't have to setup anything. To monitor metrics then you can follow the instructions from Ash. The forwarder logs can be viewed in the Logs explorer as I mentioned above.
And if i don't have Access to GCP ? I have only access on the SIEM
These logs can be retrieved on the siem ? what configuration should be done from GCP team to send forwarder logs to the siem ?
And if i don't have Access to GCP ? I have only access on the SIEM
These logs can be retrieved on the siem ? what configuration should be done from GCP team to send forwarder logs to the siem ?
You may have a couple of options (disclaimer, I have not tested this and would welcome comments)
Possible Option 1:
- Create a log sink that exports the specific logs you need to a Pub/Sub topic.
- Configure SecOps SIEM to ingest logs from that Pub/Sub topic.
- This would require creating a new Feed in SecOps to ingest the Pub/Sub topic
- It's likely this would also require creating a custom Data Parser in SecOps
- Reference: Integrate Pub/
Sub with Google SecOps
Possible Option 2:
- Modify the forwarder configuration file to include Docker logs using a file format
- This will likely require creating a new Parser for the new data type
- Reference: Manage forwarder configuration file manually | Google Security Operations
In either case, assuming the raw data is successfully converted to UDM, you would likely want to create a custom Yara-L rule for any event of interest for Alerting and possibly a custom SOAR playbook to take appropriate actions.
You (or your Administrator) will need access to GCP to start with. Once the logs are forwarded you will see it in SIEM.
You will need to make change in GCP Console --> Security-->Google SecOps--> Ingestion
On this tab Enable -
1.Google Cloud logging
Ingest and analyze data from Google Cloud Logging.
2.Cloud Asset Metadata
Ingest and analyze data from Google Cloud Asset Inventory.
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.