GCP 日志记录查询问题
[英]GCP logging query issue
问题描述
I'm trying to collect logs to be handled as incidents / SCC audits in case any tampering with firewall rules are logged.
我正在尝试收集要作为事件/ SCC 审核处理的日志,以防记录任何篡改防火墙规则的行为。
Found out that something like this does the trick more or less:发现这样的事情或多或少地起到了作用:
resource.type=gce_firewall_rule AND protoPayload.methodName=v1.compute.firewalls.patch OR protoPayload.methodName=v1.compute.firewalls.insert OR protoPayload.methodName=v1.compute.firewalls.update
However, this only solves the issue partially, because methods on GCP may differ.但是,这只能部分解决问题,因为 GCP 上的方法可能会有所不同。 And rules that were added in the past and ones that will be added in the future may use different version suffixes:过去添加的规则和将来添加的规则可能会使用不同的版本后缀:
v1, beta, alpha, v2... etc. v1、beta、alpha、v2...等。
I unfortunately couldn't find any documentation that helps find a condition that can include everything at methodName value.不幸的是,我找不到任何有助于找到可以包含 methodName 值中所有内容的条件的文档。
Something like:就像是:
protoPayload.methodName="*.compute.firewalls.update" or "%compute.firewalls.update" protoPayload.methodName="*.compute.firewalls.update" 或 "%compute.firewalls.update"
Thank you!谢谢!
1 个解决方案
解决方案1
0 2022-09-09 23:30:04
Cloud Logging has a comprehensive query language . Cloud Logging 具有全面的查询语言。
You have various options:您有多种选择:
- If you have a definitive list
OR:protoPayload.methodName = ("v1" OR "v1beta1" OR...)如果您有明确的列表OR:protoPayload.methodName = ("v1" OR "v1beta1" OR...) - If you want to use a regular expression如果你想使用正则表达式
- If you want anything
protoPayload.methodName:*如果你想要任何东西protoPayload.methodName:*
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.