Google Cloud Storage offers usage logs and storage logs, also known as access logs, in the form of CSV files that can be downloaded. Usage logs provide information for all of the requests made on a specified bucket and are created hourly. Storage logs provide information about the storage consumption of that bucket for the last day and are created daily. Once set up, usage logs and storage logs are automatically created as new objects in the specified bucket.
To process storage and access logs, Wazuh uses the gcp-bucket module. The configuration of this module is described in the gcp-bucket configuration reference.
The log delivery for any bucket must be set up manually using the gsutil tool, the XML API, or the JSON API. Follow the Google Cloud Storage documentation for the most up-to-date instructions on how to enable this feature.
<gcp-bucket>
  <run_on_start>yes</run_on_start>
  <interval>1m</interval>
  <logging>debug</logging>
  <bucket type="access_logs">
    <name>wazuh-test-bucket</name>
    <credentials_file>credentials.json</credentials_file>
    <only_logs_after>2021-JUN-01</only_logs_after>
    <path>access_logs/</path>
    <remove_from_bucket>no</remove_from_bucket>
  </bucket>
</gcp-bucket>
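To show what the usage-log CSV objects described above contain, the following added example (not Wazuh's gcp-bucket code) parses one into typed events and counts denied requests per client IP. The column names follow Google's documented usage-log schema; the sample rows, IP addresses, request IDs and function names are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of one usage-log object: header row plus four requests.
SAMPLE_USAGE_LOG = '''"time_micros","c_ip","c_ip_type","c_ip_region","cs_method","cs_uri","sc_status","cs_bytes","sc_bytes","time_taken_micros","cs_host","cs_referer","cs_user_agent","s_request_id","cs_operation","cs_bucket","cs_object"
"1622548800000000","192.0.2.10","1","","GET","/storage/v1/b/wazuh-test-bucket/o/report.csv","200","0","5120","42000","storage.googleapis.com","","gsutil/4.62","req-0001","storage.objects.get","wazuh-test-bucket","report.csv"
"1622548801500000","198.51.100.7","1","","GET","/storage/v1/b/wazuh-test-bucket/o/backup.tar","403","0","210","9000","storage.googleapis.com","","curl/7.68.0","req-0002","storage.objects.get","wazuh-test-bucket","backup.tar"
"1622548802000000","198.51.100.7","1","","GET","/storage/v1/b/wazuh-test-bucket/o","403","0","210","8000","storage.googleapis.com","","curl/7.68.0","req-0003","storage.objects.list","wazuh-test-bucket",""
"1622548803000000","192.0.2.10","1","","GET","/storage/v1/b/wazuh-test-bucket/o/missing.txt","404","0","180","7000","storage.googleapis.com","","gsutil/4.62","req-0004","storage.objects.get","wazuh-test-bucket","missing.txt"
'''

# Columns that the schema defines as integers.
INT_FIELDS = ("time_micros", "c_ip_type", "sc_status",
              "cs_bytes", "sc_bytes", "time_taken_micros")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_usage_log(text):
    """Turn the CSV text of one usage-log object into a list of event dicts."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        event = dict(row)
        for field in INT_FIELDS:
            # Empty cells become None instead of raising on int("").
            event[field] = int(row[field]) if row[field] else None
        # time_micros is microseconds since the Unix epoch (UTC).
        stamp = EPOCH + timedelta(microseconds=event["time_micros"])
        event["timestamp"] = stamp.isoformat()
        events.append(event)
    return events


def denied_by_client(events):
    """Count 401/403 responses per client IP, a common first triage view."""
    counts = {}
    for event in events:
        if event["sc_status"] in (401, 403):
            counts[event["c_ip"]] = counts.get(event["c_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_usage_log(SAMPLE_USAGE_LOG)
    print(parsed[0]["timestamp"], denied_by_client(parsed))
```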