GCP Defend#

Log sources GCP exposes for security analysis. Each source feeds a different piece of the picture, audit calls, app output, OS-level events, and network flows.

Cloud Audit Logs#

Google Cloud services write audit logs called Cloud Audit Logs. They answer “who did what, where, when”. Three types exist per project, folder, and organization, Admin Activity, Data Access, and System Event. These collectively show what administrative API calls were made, what data was accessed, and what system events occurred. Cloud Audit Logs for GKE also exposes Kubernetes Audit Logging, a chronological record of calls to the Kubernetes API server.

App logs#

Stackdriver Logging collects container standard output and error logs. Add more by using the Sidecar approach. For clusters with Istio and Stackdriver enabled, the Istio Stackdriver adapter collects and sends Istio-specific logs.

Infrastructure logs#

Infrastructure logs offer insight into events at the OS, cluster, and networking levels.

GKE audit logs#

GKE sends two types of audit logs, GKE audit logs and Kubernetes Audit Logging. Kubernetes writes audit logs to Cloud Audit Logs for calls made to the Kubernetes API server. These are useful for investigating suspicious API requests, collecting statistics, and creating monitoring alerts. GKE also writes its own audit logs that identify what occurs in a GKE cluster.

Compute Engine Cloud Audit Logs (GKE)#

GKE runs on top of Compute Engine nodes, which generate their own audit logs. auditd can be configured to capture Linux system logs. auditd provides error messages, login attempts, and binary executions for cluster nodes. Both Compute Engine audit logs and the auditd audit logs provide insight into activities happening at the underlying cluster infrastructure level.

Container logs#

For container and system logs, GKE deploys a per-node logging agent that reads container logs, adds helpful metadata, and stores the logs. The agent checks for container logs in these sources.

  • Standard output and standard error logs from containerized processes.

  • kubelet and container runtime logs.

  • Logs for system components, such as VM startup scripts.

For events, GKE uses a deployment in the kube-system namespace that automatically collects events and sends them to Logging. Logs are collected for clusters, nodes, pods, and containers.

Istio on Google Kubernetes Engine#

For clusters with Istio, the Istio Stackdriver adapter is installed during cluster creation. It sends metrics, logging, and trace data from the mesh to Stackdriver.

Auditd for Container-Optimized OS#

For Linux systems, the auditd daemon exposes OS-level commands and provides insight into events inside containers. On GKE, collect auditd logs and send them to Logging.

VPC Flow Logs#

VPC Flow Logs records a sample of network flows sent from and received by VM instances. Useful for analyzing network communication. VPC Flow Logs includes pod-to-pod traffic through the Intranode Visibility feature.

References#