
Forwarder audit logs

Hello community, how can I identify forwarder logs in the audit logs?
Thanks in advance.

1 ACCEPTED SOLUTION

 
You (or your Administrator) will need access to GCP to start with. Once the logs are forwarded you will see them in the SIEM.
 
You will need to make a change in GCP Console --> Security --> Google SecOps --> Ingestion
On this tab, enable:
1. Google Cloud Logging
Ingest and analyze data from Google Cloud Logging.
2. Cloud Asset Metadata
Ingest and analyze data from Google Cloud Asset Inventory.
 
 

 


8 REPLIES

You may use this query in logs explorer and choose the time range:

resource.type="audited_resource"
resource.labels.service="chronicle.googleapis.com"
protoPayload.resourceName=~"<your_forwarder_id_uuid>"

Use GCP Cloud Monitoring to check the forwarder metrics.

 
To check the actual logs, you can use the docker commands:

sudo docker logs cfps

sudo docker logs cfps -f

docker logs cfps &> logs.txt
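The Logs Explorer filter in the reply above, applied offline to exported audit-log entries. This is an added example and not code from the thread or from Google SecOps: the forwarder UUID and every log entry below are constructed placeholders shaped like `gcloud logging read --format=json` output, and the method names in them are illustrative, not documented API methods. The point it shows is which entries the three filter clauses actually keep (same service, other forwarder: dropped; same UUID, other service: dropped) and how to turn the survivors into a who-did-what list.

```python
"""Apply the Logs Explorer filter from the reply to exported audit-log entries.
Added example; FORWARDER_ID and SAMPLE_ENTRIES are constructed placeholders."""
import re
from collections import Counter

# Hypothetical forwarder UUID; substitute the ID shown for your forwarder in SecOps.
FORWARDER_ID = "11111111-2222-3333-4444-555555555555"

# Constructed entries (not real data), shaped like Cloud Logging JSON output.
# methodName and principalEmail values are placeholders.
SAMPLE_ENTRIES = [
    {   # config change to our forwarder by a human admin: should match
        "timestamp": "2024-05-01T10:00:00Z",
        "resource": {"type": "audited_resource",
                     "labels": {"service": "chronicle.googleapis.com"}},
        "protoPayload": {
            "methodName": "UpdateForwarder",
            "resourceName": "projects/example-project/locations/us/instances/"
                            "inst-1/forwarders/" + FORWARDER_ID,
            "authenticationInfo": {"principalEmail": "admin@example.com"},
        },
    },
    {   # same service, different forwarder: must not match
        "timestamp": "2024-05-01T10:05:00Z",
        "resource": {"type": "audited_resource",
                     "labels": {"service": "chronicle.googleapis.com"}},
        "protoPayload": {
            "methodName": "UpdateForwarder",
            "resourceName": "projects/example-project/locations/us/instances/"
                            "inst-1/forwarders/99999999-8888-7777-6666-555555555555",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
        },
    },
    {   # our UUID appears in the name, but another service: must not match
        "timestamp": "2024-05-01T10:07:00Z",
        "resource": {"type": "audited_resource",
                     "labels": {"service": "bigquery.googleapis.com"}},
        "protoPayload": {
            "methodName": "jobservice.insert",
            "resourceName": "projects/example-project/jobs/" + FORWARDER_ID,
            "authenticationInfo": {"principalEmail": "analyst@example.com"},
        },
    },
    {   # read of our forwarder's config by a service account: should match
        "timestamp": "2024-05-01T09:55:00Z",
        "resource": {"type": "audited_resource",
                     "labels": {"service": "chronicle.googleapis.com"}},
        "protoPayload": {
            "methodName": "GetForwarder",
            "resourceName": "projects/example-project/locations/us/instances/"
                            "inst-1/forwarders/" + FORWARDER_ID,
            "authenticationInfo": {"principalEmail": "automation@example.iam.gserviceaccount.com"},
        },
    },
]


def build_filter(forwarder_id: str) -> str:
    """The Logs Explorer filter from the reply, with the UUID filled in."""
    return (
        'resource.type="audited_resource"\n'
        'resource.labels.service="chronicle.googleapis.com"\n'
        f'protoPayload.resourceName=~"{forwarder_id}"'
    )


def _get(entry: dict, dotted: str, default=""):
    """Look up a dotted path such as resource.labels.service in one entry."""
    node = entry
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def matches(entry: dict, forwarder_id: str) -> bool:
    """Same semantics as the three clauses: two equalities plus one regex
    search (Logs Explorer's =~ is an unanchored RE2 match)."""
    return (
        _get(entry, "resource.type") == "audited_resource"
        and _get(entry, "resource.labels.service") == "chronicle.googleapis.com"
        and re.search(forwarder_id, _get(entry, "protoPayload.resourceName")) is not None
    )


def forwarder_activity(entries, forwarder_id: str):
    """Matching entries as (timestamp, method, principal) tuples, oldest first."""
    rows = [
        (_get(e, "timestamp"),
         _get(e, "protoPayload.methodName"),
         _get(e, "protoPayload.authenticationInfo.principalEmail"))
        for e in entries if matches(e, forwarder_id)
    ]
    return sorted(rows)


def summarize(entries, forwarder_id: str) -> Counter:
    """Count who called which method on the forwarder, for a quick review."""
    return Counter((m, who) for _, m, who in forwarder_activity(entries, forwarder_id))


if __name__ == "__main__":
    print(build_filter(FORWARDER_ID))
    for row in forwarder_activity(SAMPLE_ENTRIES, FORWARDER_ID):
        print(*row)
    print(summarize(SAMPLE_ENTRIES, FORWARDER_ID))
```

Feed it real data by dumping the Logs Explorer result with `gcloud logging read '<filter>' --format=json` and loading that list in place of `SAMPLE_ENTRIES`; the third sample entry is there as a reminder that the regex clause alone would match any resource whose name contains the UUID, so keep the service clause.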

Hello,
Thank you for your reply.

How can I ingest forwarder metrics into Chronicle? Thanks.

I am not sure if I understood your question. The forwarder metrics are automatically sent to Cloud Monitoring. You don't have to set up anything. To monitor metrics, you can follow the instructions from Ash. The forwarder logs can be viewed in the Logs Explorer as I mentioned above.

And if I don't have access to GCP? I only have access to the SIEM.
Can these logs be retrieved in the SIEM? What configuration should be done by the GCP team to send forwarder logs to the SIEM?

 

You may have a couple of options (disclaimer, I have not tested this and would welcome comments)

Possible Option 1:

  • Create a log sink that exports the specific logs you need to a Pub/Sub topic.
  • Configure SecOps SIEM to ingest logs from that Pub/Sub topic.
  • This would require creating a new Feed in SecOps to ingest the Pub/Sub topic
  • It's likely this would also require creating a custom Data Parser in SecOps
  • Reference: Integrate Pub/Sub with Google SecOps

Possible Option 2: 

In either case, assuming the raw data is successfully converted to UDM, you would likely want to create a custom YARA-L rule for any event of interest for alerting, and possibly a custom SOAR playbook to take appropriate actions.
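Option 1 from the reply above, as the ordered gcloud procedure a GCP admin would run to export only the forwarder's audit entries to a Pub/Sub topic that a SecOps feed can then read. This is an added example, not code from the thread or from Google; the project, topic, sink and forwarder IDs are placeholders, and it assumes the caller holds Logging Admin and Pub/Sub Admin on the project. By default it executes nothing and just returns the plan for review; `execute=True` runs each command with subprocess. Creating the SecOps feed itself and any custom parser is done in the SecOps UI per the Pub/Sub integration reference in the reply and is not scripted here.

```python
"""Option 1 (log sink -> Pub/Sub) as an ordered gcloud plan.
Added example; PROJECT, TOPIC, SINK and FORWARDER_ID are placeholders."""
import subprocess

PROJECT = "example-project"                              # placeholder
TOPIC = "secops-forwarder-audit"                         # placeholder
SINK = "secops-forwarder-audit-sink"                     # placeholder
FORWARDER_ID = "11111111-2222-3333-4444-555555555555"    # hypothetical UUID


def audit_filter(forwarder_id: str) -> str:
    """Sink filter: only audit entries for this forwarder, so the topic (and the
    SecOps feed behind it) does not receive every audit log in the project."""
    return (
        'resource.type="audited_resource" AND '
        'resource.labels.service="chronicle.googleapis.com" AND '
        f'protoPayload.resourceName=~"{forwarder_id}"'
    )


def create_commands(project, topic, sink, forwarder_id):
    """Topic, the subscription the SecOps feed will pull from, then the sink."""
    destination = f"pubsub.googleapis.com/projects/{project}/topics/{topic}"
    return [
        ["gcloud", "pubsub", "topics", "create", topic, f"--project={project}"],
        ["gcloud", "pubsub", "subscriptions", "create", f"{topic}-secops",
         f"--topic={topic}", f"--project={project}"],
        ["gcloud", "logging", "sinks", "create", sink, destination,
         f"--log-filter={audit_filter(forwarder_id)}", f"--project={project}"],
    ]


def publisher_binding(project, topic, writer_identity):
    """The step people miss: the sink publishes as its own Google-managed
    service account (writerIdentity). Without roles/pubsub.publisher on the
    topic for that identity, nothing is exported."""
    return ["gcloud", "pubsub", "topics", "add-iam-policy-binding", topic,
            f"--member={writer_identity}", "--role=roles/pubsub.publisher",
            f"--project={project}"]


def writer_identity_of(sink, project, execute=False):
    """Read the sink's writerIdentity (serviceAccount:...) once it exists."""
    if not execute:
        return "serviceAccount:<writerIdentity from gcloud logging sinks describe>"
    out = subprocess.run(
        ["gcloud", "logging", "sinks", "describe", sink,
         "--format=value(writerIdentity)", f"--project={project}"],
        check=True, capture_output=True, text=True)
    return out.stdout.strip()


def provision(project=PROJECT, topic=TOPIC, sink=SINK,
              forwarder_id=FORWARDER_ID, execute=False):
    """Return the full ordered plan; run it only when execute=True. The IAM
    binding needs an identity that exists only after the sink is created, so
    the sequence is split around that lookup."""
    plan = []
    for cmd in create_commands(project, topic, sink, forwarder_id):
        plan.append(cmd)
        if execute:
            subprocess.run(cmd, check=True)
    bind = publisher_binding(project, topic, writer_identity_of(sink, project, execute))
    plan.append(bind)
    if execute:
        subprocess.run(bind, check=True)
    return plan


if __name__ == "__main__":
    for cmd in provision():          # dry run: print the plan for review
        print(" ".join(cmd))
```

Each command is passed as an argv list rather than a shell string, so the filter (which contains quotes and `=~`) reaches gcloud intact without shell escaping; `print(" ".join(cmd))` is only for reading the plan and is not safe to paste into a shell as-is.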

 

You can do the below -

To set up notifications that monitor ingestion health metrics specific to Google SecOps, do the following:

  1. In the Google Cloud console, select Monitoring.

  2. In the navigation pane, select Alerting and then click Create policy.

  3. On the Select a metric page, click Select a metric.

See this link for details https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics#forward...

 