I have a Windows Server 2016 Instance in GCP,
I would like to to view the Event Viewer log or custom log in Google Cloud Logging.
I already install the OpsAgent, configure the default config in C:\Program Files\Google\Cloud Operations\Ops Agent\config\config.yaml and restart the service.
The VM also had Stackdriver Logging API: Write Only &
Stackdriver Monitoring API: Write Only permissions.
I try to restart the IIS, the log is appear in Event Viewer but not in Cloud Logging.
What i need to do to make the logging coming out in Cloud Logging ?
Thank you.
I able to solve my own issues.
Since my default Logs Router _Default is only allowing the log from container.
By create a new Log Router to incude resource.type="gce_instance" resources, I'm able to see the log coming from the Windows instance now.
Related
I´m trying to figure it out how to detect if someone deactivate the audit logs on GCP.
Right now I´m monitoring audit logs from GCP from different services and this logs are been sent to a SIEM, but if someone deactivate the audit logs option I can not detect it on my SIEM because it stops arriving.
I tried to detect it from the SIEM side and try to alert if the pipelines in this case were empty but it didn´t work. Is there a way to alert on GCP if this logs have been disabled? I searched on internet but I didn´t get anything clear.
Will put my answer here so it's helpful to other people.
Data Audit Logs can be enabled for each service independently. You can do that either from the console (IAM & Admin > Audit Logs > Select Service and Enable Logs).
What way to alert if logs are disabled is to use the API. You can query the Project and see which logs are enabled. Example below using gcloud
➜ ~ gcloud projects get-iam-policy $PROJECT
auditConfigs:
- auditLogConfigs:
- logType: ADMIN_READ
- logType: DATA_READ
- logType: DATA_WRITE
service: storage.googleapis.com
So this can be done either with gcloud wrapped in a script or using the GCP API.
Currently I am trying to create a custom metric to be tracked in the Google Cloud Monitoring dashboard.
Although the admin of the system has given me Monitoring Editor, Monitoring Writer, and Monitoring Admin roles, this error is still occurring.
permission based error
Which permission settings do I need to create a custom / log based metric?
I have tried creating a metric on the Google Cloud Monitoring dashboard with the following roles: Monitoring Editor, Monitoring Writer, and Monitoring Admin. Even with these roles in my IAM permission settings, the red alert error still shows up when creating a metric.
It's confusing.
Although Log-based metrics produce Cloud Monitoring metrics, they are functionality of the Cloud Logging API (and so they require Logging-specific roles/permissions).
Here's the list of permissions: https://cloud.google.com/iam/docs/permissions-reference
Search it (!) for logging.logMetrics.create and you'll get:
Owner (roles/owner)
Editor (roles/editor)
App Engine flexible environment Service Agent (roles/appengineflex.serviceAgent)
Cloud Composer API Service Agent (roles/composer.serviceAgent)
Cloud Dataflow Service Agent (roles/dataflow.serviceAgent)
Logging Admin (roles/logging.admin)
Logs Configuration Writer (roles/logging.configWriter)
Serverless VPC Access Service Agent (roles/vpcaccess.serviceAgent)
Get roles/logging.admin or roles/logging.confgWriter bound to your identity and try again.
I can see in one of the GCE Instance start up script as
userdel -r userid
due to this user is not able to SSH through browser.
My question is which logs how do we find who has added this startup script to the vm and when?
can we use some logs?
Yes , you can check logs for this in activity log.
you can use below url by replacing your project id.
https://console.cloud.google.com/home/activity?project=
If you want to know who adds a startup script to the VM, you can check the Admin Activity audit logs and the System Event audit logs.
Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources.
And, System Event audit logs contain log entries for Google Cloud actions that modify the configuration of resources.
Google Cloud services write audit logs that record administrative
activities and accesses within your Google Cloud resources. Audit logs
help you answer "who did what, where, and when?" within your Google
Cloud resources with the same level of transparency as in on-premises
environments. Cloud Audit Logs provides the following audit logs for
each Cloud project, folder, and organization:
Admin Activity audit logs
Data Access audit logs
System Event audit logs
Policy Denied audit logs
The Data Access audit logs can be very useful too, but are disabled by default, Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. If you want to enable it, please follow this link.
To view the Audits logs
In the Cloud console, go to the Logging> Logs Explorer page.
Select an existing Cloud project, folder, or organization.
In the Query builder pane, do the following:
In Resource type, select the Google Cloud resource whose audit logs
you want to see.
In Log name, select the audit log type that you want to see:
For Admin Activity audit logs, select activity.
For Data Access audit logs, select data_access.
For System Event audit logs, select system_event.
For Policy Denied audit logs, select policy.
If you don't see these options, then there aren't any audit logs of
that type available in the Cloud project, folder, or organization.
If you want to know more about Audit logs in GCP, please follow this link.
As the title says, there seems to be two ways to collect certain GCP audit logs.
Using The Google Workspace Admin SDK -- Specifying the "gcp" application name in the call.
Using the Google Cloud Logging API
What is the difference in logs collected? I'm still researching but hopefully someone on the google team sees this tag and knows exactly.
Does all of these logs get collected via worksapce admin sdk?
Admin Activity audit logs
Data Access audit logs
System Event audit logs
Policy Denied audit logs
The Admin Reports API only reports "OS login" events.
https://developers.google.com/admin-sdk/reports/v1/appendix/activity/gcp
I'm trying out AWS. I create a app that is running in an EC2 instance. I want to send debug/diagnostic logs to stdout or syslog and have some way to easily collect and let me read them.
Currently I use Stackdriver logging, I install a google-fluentd plugin in the EC2 instance and it picks up the syslog and send to Stackdriver. I'm wondering whether there is a similar offering in AWS so that I don't need to create a GCP project just for reading logs?
Thanks!
AWS allows you dump all your logs to cloud watch where you can store them click here to be redirected to the corresponding aws documentation. The documentation teaches you how to set up the ec2 machine in order to dump the logs to aws
You can install the AWS Cloudwatch agent in your EC2 Instance. The agent then allows you to ship custom log files to AWS Cloudwatch. From AWS cloudwatch you could analyze them. You could also ship system and application logs through the agent. Here is a blog post explaining how it could be done on a Windows machine not hosted in AWS, its pretty much the same approach for a EC2 instance.
You can use AWS Cloud watch Logs to monitor, store, and access your log files from Amazon Elastic Compute Cloud (Amazon EC2) instances, AWS CloudTrail, Route 53, and other sources. You can then retrieve the associated log data from CloudWatch Logs.