Hey, please, I'd like to ingest GitLab audit logs into Chronicle. There is already some documentation [1]. When following the steps and configuring a new feed type it is possible to select GitLab as a Log Type. My question comes in the 2nd step. In the input parameters, which should be the "Storage bucket URI"? Our GitLab runs in GKE. Is there a guide that shows how to integrate with another product ("log type") maybe? Thank you.
First step:
Second step:
[1] https://cloud.google.com/chronicle/docs/administration/feed-management#storage-example
Hi Keso,
If the GitLab instance is running on GKE then I think the first step might be to determine how GKE logs are currently configured to flow. If they're already routing to a bucket then you should be able to provide that path to the feed configuration in your screenshots. If not, it may be necessary to have the routing configured for that bucket destination.
I've included the relevant docs below.
Hi, the logs from gitlab are sent to cloud logging where it is possible to see them. But when I try to configure the filter in Chronicle to ingest them, there is an error that says "The provided filter can potentially allow unsupported log types." so it is not possible to consume in that way. By design the GKE logs end up in Cloud Logging. How could the logs be ingested in that scenario?
Hi Keso, one thing you could check for that issue is: use `logName` instead of `log_name` in the filter expression, and there should be a field `logName` in the log itself in Logs Explorer. Alternatively, there are other workaround options to get that data to SecOps, such as:
Pub/Sub: You can set up a Pub/Sub topic to receive the filtered GitLab logs from Cloud Logging. Then, configure Chronicle to subscribe to that topic and ingest the logs.
Hope this helps.
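As an added example that is not part of this thread, the Pub/Sub route above as gcloud commands: a log sink with a `logName` filter exports the GKE container logs to a topic, and the sink's writer identity is granted publish rights so the export actually works. The project id, topic, sink and log names are placeholders, and the `resource.type="k8s_container"` clause is an assumption about how the GitLab pods log.

```shell
#!/usr/bin/env bash
# Added example: export GitLab logs from Cloud Logging to Pub/Sub for a Chronicle feed.
# Assumed placeholders: project id, log name, topic and sink names.
set -eu

# Build the Cloud Logging filter. Note the camelCase logName and the full
# "projects/PROJECT/logs/NAME" form, which is what Logs Explorer shows in that field.
gitlab_log_filter() {
  local project="$1" log_name="$2"
  printf 'resource.type="k8s_container" AND logName="projects/%s/logs/%s"' \
    "$project" "$log_name"
}

# Create the topic and a subscription for Chronicle, then the sink that feeds it.
create_gitlab_sink() {
  local project="$1" log_name="$2"
  local topic="${3:-gitlab-audit-logs}" sink="${4:-gitlab-audit-to-pubsub}"
  local filter writer
  filter="$(gitlab_log_filter "$project" "$log_name")"

  gcloud pubsub topics create "$topic" --project="$project"
  gcloud pubsub subscriptions create "${topic}-chronicle" \
    --topic="$topic" --project="$project"

  gcloud logging sinks create "$sink" \
    "pubsub.googleapis.com/projects/${project}/topics/${topic}" \
    --project="$project" --log-filter="$filter"

  # The sink publishes as a Google-managed service account; without this
  # binding the export silently fails and nothing reaches the topic.
  writer="$(gcloud logging sinks describe "$sink" --project="$project" \
    --format='value(writerIdentity)')"
  gcloud pubsub topics add-iam-policy-binding "$topic" --project="$project" \
    --member="$writer" --role="roles/pubsub.publisher"
}

# Usage: create_gitlab_sink my-project-id gitlab-audit
# Then point the Chronicle Pub/Sub feed at the "<topic>-chronicle" subscription.
```

Only events matching the sink filter are exported, so verify in Logs Explorer that the same filter returns the GitLab entries before creating the sink.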
Hey, yes, we are using logname = "<name>" in the filter and the log itself contains the logName field and it matches the <name>.
When checking the filter in cloud logging we are able to see the logs that we want to be ingested by Chronicle. But, when configuring the ingestion filter it fails with the error "The provided filter can potentially allow unsupported log types."
By design we are sending the logs to a log bucket, so the logs are already there and we would like to use the ingestion filter to ingest them. Please, how could that be done?