
Notifications for metadata changes (SSH keys)

Hello,

Is there a way to get notified (email, SMS, etc.) for metadata changes on project level (e.g. SSH keys)?

Regards,

--

Georgi

Solved
1 ACCEPTED SOLUTION

I was able to achieve it with a logs based alert having the following filter:

resource.type="gce_project"
protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"
(
  protoPayload.metadata.projectMetadataDelta.addedMetadataKeys!=""
  OR protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys!=""
  OR protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys!=""
)

Note: The fields addedMetadataKeys, deletedMetadataKeys and modifiedMetadataKeys seem to have been added earlier this year.

But I'll have to fine tune the alert now, because it does not provide information about what was done and what was changed. It should be possible with labels.

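The accepted solution's filter matches any project-level metadata change, while the original question asks specifically about SSH keys. The following is an added example (not code from the thread or from Google) that re-implements that filter in Python, runs it over a few constructed audit log entries, and then narrows the result to entries whose changed keys are the Compute Engine project metadata keys `ssh-keys` (current) or `sshKeys` (legacy), pulling out who made the change and what was done. It assumes the entries have the field layout the accepted solution's filter names (`protoPayload.metadata.projectMetadataDelta.*`); the project id, principal emails and timestamps are made up. The fourth entry is an instance-level `setMetadata` call of the kind DamianS's query targets, included to show it does not match the project-level filter.

```python
"""Evaluate the thread's project-metadata alert filter against sample audit logs.

Added example, not part of the original thread. The entries below are
constructed to mirror the shape of Compute Engine Admin Activity audit logs;
field names follow the filter in the accepted solution. Project id, emails
and timestamps are invented.
"""
import json

# "ssh-keys" is the project metadata key for project-wide SSH keys;
# "sshKeys" is the deprecated legacy key (assumption: you want both watched).
SSH_KEY_METADATA_KEYS = {"ssh-keys", "sshKeys"}

AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

def _entry(resource_type, method, principal, delta=None, ts="2023-01-10T12:00:00Z"):
    """Build a constructed audit log entry in the layout the filter expects."""
    payload = {
        "@type": AUDIT_LOG_TYPE,
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
    }
    if delta is not None:
        payload["metadata"] = {"projectMetadataDelta": delta}
    return {
        "resource": {"type": resource_type, "labels": {"project_id": "example-project"}},
        "timestamp": ts,
        "protoPayload": payload,
    }

# Constructed sample entries: three project-level changes, one instance-level change.
SAMPLE_ENTRIES = [
    _entry("gce_project", "v1.compute.projects.setCommonInstanceMetadata",
           "alice@example.com", {"modifiedMetadataKeys": ["ssh-keys"]}),
    _entry("gce_project", "v1.compute.projects.setCommonInstanceMetadata",
           "bob@example.com", {"addedMetadataKeys": ["enable-oslogin"]}),
    _entry("gce_project", "v1.compute.projects.setCommonInstanceMetadata",
           "carol@example.com", {"deletedMetadataKeys": ["sshKeys"]}),
    _entry("gce_instance", "v1.compute.instances.setMetadata", "dave@example.com"),
]

DELTA_FIELDS = (
    ("addedMetadataKeys", "added"),
    ("deletedMetadataKeys", "deleted"),
    ("modifiedMetadataKeys", "modified"),
)

def matches_project_metadata_filter(entry):
    """Python equivalent of the accepted solution's Logging filter."""
    if entry.get("resource", {}).get("type") != "gce_project":
        return False
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return False
    delta = payload.get("metadata", {}).get("projectMetadataDelta", {})
    # A repeated field compared with != "" is true when it has any element.
    return any(delta.get(field) for field, _ in DELTA_FIELDS)

def changed_keys(entry):
    """Return (action, key) pairs for every metadata key the entry touched."""
    delta = entry.get("protoPayload", {}).get("metadata", {}).get("projectMetadataDelta", {})
    return [(action, key) for field, action in DELTA_FIELDS for key in delta.get(field, [])]

def ssh_key_alerts(entries):
    """Keep only matching entries that touched SSH-key metadata; return alert records."""
    alerts = []
    for entry in entries:
        if not matches_project_metadata_filter(entry):
            continue
        changes = [(a, k) for a, k in changed_keys(entry) if k in SSH_KEY_METADATA_KEYS]
        if not changes:
            continue
        payload = entry["protoPayload"]
        alerts.append({
            "project": entry["resource"]["labels"]["project_id"],
            "timestamp": entry["timestamp"],
            "principal": payload["authenticationInfo"]["principalEmail"],
            "method": payload["methodName"],
            "changes": changes,
        })
    return alerts

if __name__ == "__main__":
    for alert in ssh_key_alerts(SAMPLE_ENTRIES):
        print(json.dumps(alert))
```

The narrowing step in `ssh_key_alerts` is the equivalent of swapping the three `!=""` comparisons in the filter for `="ssh-keys"` (an editor's suggestion, not something the thread tested), and the fields it copies into the alert record (principal email, method name, changed keys) are the ones worth surfacing as alert labels so the notification says who changed what.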

4 REPLIES

Hi,

Log-based metrics with a proper query and, based on that, a log-based alert? This is the first thing that comes to my mind.

best,
DamianS

Hi,

Sample query:
You can edit the query and add something like a regex so that the alert is triggered only if metadata for a VM instance is changed or deleted.

resource.type="gce_instance"
proto_payload.@type="type.googleapis.com/google.cloud.audit.AuditLog" AND
proto_payload.method_name="v1.compute.instances.setMetadata" 

[Screenshot: example of an alert sent via email]

best,

DamianS

Yes, I thought about the same, but I'm interested in alerts for metadata changes on project level, not instance level, and SSH keys in particular. So it should rather be something like:

resource.type="gce_project"
protoPayload.@type="type.googleapis.com/google.cloud.audit.AuditLog"

But I'd like to catch changes related only to SSH keys.
