This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Aggregated log collection

Posted on 08-30-2022 06:42 AM
RobK
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

What line do I put in my inclusion filter from the log sink, if I want all the audit logs from all projects in an organisation? (the option "Include logs ingested by this organisation and all child resources" is selected)

0 4 579
Topic Labels
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
mkoes
Staff
Reply posted on --/--/---- --:-- AM
You can use a substring match:

logName:"cloudaudit.googleapis.com"


There are some other useful sample filters in our docs:
https://cloud.google.com/logging/docs/view/query-library#security-filters
0 Likes

Posted on --/--/---- --:-- AM
RobK
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Thanks Mary, it looks like I had the one which is in the document 
log_id("cloudaudit.googleapis.com/activity")
For some reason the entry I'm looking for, which I can see via log explorer, I can't seem to find in our SIEM.

0 Likes

Posted on --/--/---- --:-- AM
RobK
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Is there any action to be taken when you want to export the protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey" events via pub/sub?

0 Likes

Posted on --/--/---- --:-- AM
RobK
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

We located the issue. It was related to the amount of different fields in the GCP audit logs. 

0 Likes
Top Solution Authors
View all