Use cases

In this section, we explore how to use the Wazuh module for Pub/Sub to collect and monitor different types of logs from your Google Cloud environment, such as cloud audit logs, DNS queries, VPC Flow Logs, Firewall Rules Logging, and HTTP(S) load balancing.

Cloud audit logs

Google Cloud provides four types of audit logs for each project, folder, and organization in your environment:

  • Admin Activity audit logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. This is useful for tracking administrative activities and changes made to the configuration of resources.

  • Data Access audit logs contain API calls that read the configuration or metadata of resources and user-driven API calls that create, modify, or read user-provided resource data. This is valuable for monitoring access to data, including who is reading or modifying resource configurations and user-provided data.

  • System Event audit logs contain log entries for Google Cloud administrative actions that modify the configuration of resources. The Google system generates these audit logs, which helps track system-level administrative actions that impact the configuration of resources.

  • Policy Denied audit logs are recorded when a Google Cloud service denies access to a user or service account because of a security policy violation.

These audit logs provide a comprehensive view of activities and events within a Google Cloud environment, supporting security, compliance, and operational needs.

Configuring Google Cloud audit logs collection

To collect Google Cloud audit logs, it is necessary to first ingest the audit logs into a Pub/Sub topic defining a custom log router.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

  1. Visit the Google Cloud Logging section and click on Create sink.

    Create sink
  2. Provide a descriptive name for the sink and click on NEXT.

    Sink details
  3. You need to select the sink destination after providing the name of the sink. Under Select sink service, select Cloud Pub/Sub topic, and then create or choose a topic to be used as a destination. Then click on NEXT.

    Sink destination
  4. Under Choose logs to include in sink, use the following query to collect all the audit logs from every project. It is possible to edit it to only collect audit logs from a particular project:

    logName=~("projects/.*/logs/cloudaudit.googleapis.com%2F(activity|data_access|system_event|policy)")
    
  5. If it is not necessary to filter any logs out of the sink, click on CREATE SINK.

    Create sink

Once this process is finished, you can configure the Wazuh module for Google Cloud Pub/Sub to process the audit logs of the selected resources as usual.

Visualizing the events on the Wazuh dashboard

After configuring the Wazuh Google Cloud Pub/Sub module to fetch the audit logs from Google Cloud, it is possible to visualize the alerts generated in the Wazuh dashboard.

Set the operator for data.gcp.logName field to exists.

Set logname filter

Available logs must appear as shown in the picture below.

Available logs in the wazuh dashboard

Visit the Google Cloud documentation to learn more about the different Google services capable of writing audit logs.

DNS queries

Wazuh has default rules for DNS queries made to a private DNS handled by the Google Cloud DNS service. Those logs can be collected using the Wazuh module for Google Cloud Pub/Sub. Details on how to configure the module can be found in the gcp-pubsub configuration reference.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Configuring Google DNS logs collection

To collect the DNS queries made to the Google DNS service, we use DNS policies to enable or disable logging for your networks. When you enable query logging, every DNS query to a Cloud DNS private managed zone is logged.

  1. On Google Cloud Console, click the Shell button to activate Cloud Shell and authenticate your Google Cloud SDK.

    Activate Cloud shell
  2. Enable logging:

    To enable logging for a network that does not have a DNS policy, run the dns policies create command:

    gcloud dns policies create <POLICY_NAME> --networks=<NETWORK_NAME>  --enable-logging --description=<DESCRIPTION>
    

    Where:

    • <POLICY_NAME>: Contains the name of the DNS policy

    • <NETWORK>: One or more networks in a comma-separated list

    • <DESCRIPTION>: A description of the policy

    Example:

    $ gcloud dns policies create enable-dns-logging --enable-logging --description="Enable DNS logging" --networks=wazuh-dev-net
    

    To enable logging for a network that has an existing DNS policy, run the dns policies update command:

    gcloud dns policies update <POLICY_NAME> --networks=<NETWORK_NAME>  --enable-logging
    

    Where:

    • <POLICY_NAME>: Takes the name of the DNS policy

    • <NETWORK>: one or more networks in a comma-separated list

    Example:

    $ gcloud dns policies update enable-dns-logging --enable-logging --networks=wazuh-dev-net
    

Exporting DNS queries logs to Pub/Sub

Once DNS Cloud logging is configured, the generated logs must be ingested into a Pub/Sub topic so that Wazuh can collect them using the Google Pub/Sub integration. To achieve that, it is necessary to define a custom log router.

  1. Visit the Google Cloud Logging section and click on CREATE SINK.

    Create sink
  2. Provide a descriptive name for the sink and click on NEXT.

    Sink details
  3. Once the name for the sink is chosen, it is necessary to select the sink destination. As a sink service, choose Cloud Pub/Sub topic, and then create or choose a topic to be used as a destination. Then click on NEXT.

    Sink destination
  4. Use the following query to collect all the DNS queries:

    resource.type = "dns_query"
    
  5. If it is not necessary to filter any logs out of the sink, click on Create sink.

    Choose logs to include in sink

You can confirm that logs are generated in your environment by running the query in the Logs Explorer, as shown in the picture below.

Query in the Logs explorer

Visualizing the events on the Wazuh dashboard

Once you configure the sink, apply the filter below on the Google Cloud module of the Wazuh dashboard to filter for DNS queries logs.

Set the value of data.gcp.logName field to projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Fdns_queries.

Replace <YOUR_PROJECT_ID> with your project ID on Google Cloud.

Filter DNS query logs

Available logs must appear as shown in the picture below.

Available DNS query logs

VPC Flow Logs

VPC Flow Logs record a sample of network flows sent from and received by VM instances, including instances used as Google Kubernetes Engine nodes. VPC Flow Logs are aggregated by the connection from Compute Engine VMs and exported in real-time.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Enabling VPC Flow Logs

VPC Flow Logs can be enabled on the VPC networks page in the Google Cloud Console. They can be enabled for both new and existing subnets. Follow the Google Virtual Private Cloud documentation for the most up-to-date instructions on how to enable this feature.

Exporting VPC Flow Logs to Pub/Sub

The Export logs via sink section explains how to create a sink to export logs to a Pub/Sub topic. However, this would export every single log available, not just the VPC Flow Logs. It is possible to configure the sink to export VPC Flow Logs only to a topic, ignoring logs coming from other services by adding a filtering condition to the sink. To do so, follow the same instructions as explained in the Export logs via sink section but add the following filter in Step 3 - Choose logs to include in sink:

resource.type="gce_subnetwork"
log_name="projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Fvpc_flows"

Replace <YOUR_PROJECT_ID> with your project ID on Google Cloud.

Create logs routing sink

You can confirm that logs are generated in your environment by running the query in the Logs Explorer, as shown in the picture below.

VPC flow logs query

Visualizing the events on Wazuh dashboard

Once you configure the sink, apply the filter below on the Google Cloud module of the Wazuh dashboard to filter for VPC Flow Logs.

Set the value of data.gcp.logName field to projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Fvpc_flows. Replace <YOUR_PROJECT_ID> with your Google Cloud project ID.

Filter VPC flow logs

Available logs must appear as shown in the picture below.

VPC flow available logs

Firewall Rules Logging

Firewall Rules Logging records traffic to and from Compute Engine virtual machine (VM) instances. This includes Google Cloud products built on Compute Engine VMs, such as Google Kubernetes Engine (GKE) clusters and App Engine flexible environment instances. To send Firewall Rules Logging logs to Wazuh, you must first configure Cloud Logging to export these logs to Pub/Sub.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Enabling Firewall Rules Logging

Firewall Rules Logging can be enabled on the Firewall page in the Google Cloud Console. Follow the Google Virtual Private Cloud documentation for the most up-to-date instructions on how to enable this feature.

Exporting Firewall Rules logs to Pub/Sub

The Export logs via sink section explains how to create a sink to export logs to a Pub/Sub topic. However, this would export every single log available, not only the Firewall Rules Logging. It is possible to configure the sink to export Firewall Rules Logging logs only to a topic, ignoring logs from other services, by adding a filtering condition to the sink. To do so, follow the instructions as explained in the Export logs via sink section but add the following filter in Step 3 - Choose logs to include in sink:

(resource.type="gce_subnetwork"
log_name="projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Ffirewall")

Replace <YOUR_PROJECT_ID> with your project ID on Google Cloud.

Export firewall rules

You can confirm that logs are generated in your environment by running the query in the Logs Explorer as shown in the picture below.

Query logs in the Logs explorer

Visualizing the events on the Wazuh dashboard

Once you configure the sink, apply the filter below on the Google Cloud module of the Wazuh dashboard to filter for Firewall Rules logs.

Set the value of data.gcp.logName field to projects/<YOUR_PROJECT_ID>/logs/compute.googleapis.com%2Ffirewall. Replace <YOUR_PROJECT_ID> with your own project ID on Google Cloud.

Filter firewall logs

Available logs must appear as shown in the picture below.

Available firewall logs

HTTP(S) Load Balancing Logging

HTTP(S) Load Balancing Logging allows the user to enable, disable, and view logs for an HTTP(S) Load Balancing backend service. To send HTTP(S) Load Balancing Logging logs to Wazuh, you must first configure Cloud Logging to export these logs to Pub/Sub.

Note

Before you perform the steps below make sure that you have already configured the Google Cloud Pub/Sub integration and the Wazuh module for Google Cloud Pub/Sub.

Enabling logging on HTTP(S) Load Balancer

HTTP(S) Load Balancer Logging can be enabled on the Load Balancing page in the Google Cloud Console. Follow the Google Cloud Load Balancing documentation for the most up-to-date instructions on how to enable this feature.

Exporting HTTP(S) Load Balancer logs to Pub/Sub

The Export logs via sink section explains how to create a sink to export logs to a Pub/Sub topic. However, this would export every single log available, not just the HTTP(S) Load Balancer logs. It is possible to configure the sink to export HTTP(S) Load Balancer logs only to a topic, ignoring logs from other services, by adding a filtering condition to the sink. To do so, follow the same instructions as explained in the Export logs via sink section but add the following filter in Step 3 - Choose logs to include in sink:

resource.type=http_load_balancer
Create logs routing sink – HTTP load balancer

You can confirm that logs are generated in your environment by running the query in the Logs Explorer, as shown in the picture below.

Query Logs Explorer – Load balancer

Visualizing the events on the Wazuh dashboard

Once you configure the sink, apply the filter below on the Wazuh dashboard to filter for Load balancer logs.

Set the value of the data.gcp.resource.type field to http_load_balancer.

Query Logs Explorer – Load balancer

Available logs must appear as shown in the picture below.

Load balancer log alerts in the Wazuh dashboard