
Collect Logs for Google Cloud IAM

Collect logs for the Google Cloud Identity and Access Management (Cloud IAM) app.

This page has instructions for configuring Google Cloud IAM to send logs to Sumo.

Configure Cloud IAM to export logs to Stackdriver

If you haven't already done so, set up Google Cloud IAM to export logs to Stackdriver. For more information, see Overview of Logs Export in GCP.

Set up a Google Cloud Platform source and Pub/Sub topic

In this step, you set up a Google Cloud Platform source in Sumo, register it with Google, and create a Pub/Sub topic to send data to the source. Follow the instructions in Google Cloud Platform Source.

Create export of Cloud IAM logs from Stackdriver

  1. Click Logging in the STACKDRIVER section in the left-hand pane of the GCP console.
  2. Go to Exports. Click Create Export.
  3. Create a sink for each GCP service whose logs you want to send to Sumo. We recommend you create sinks for the following services: Google Project, IAM Role, and Service Account. To configure a sink:

    1. Select the service in the middle pane (Google Project, IAM Role, or Service Account).

    2. In the Edit Export window on the right:

      • Set the Sink Name. For example, "google-project".
      • Set Sink Service to "Cloud Pub/Sub".
      • Set Sink Destination to the newly created Pub/Sub topic. For example, "pub-sub-logs".
      • Click Create Sink.

Sample Log Message

{
 "message":{
   "data":{
     "insertId":"1b6mckoca48",
     "logName":"projects/bmlabs-loggen/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload":{
       "@type":"type.googleapis.com/google.cloud.audit.AuditLog",
       "authenticationInfo":{
         "principalEmail":"player1@bmlabs.com"
       },
       "authorizationInfo":[{
         "granted":true,
         "permission":"iam.roles.undelete",
         "resource":"projects/bmlabs-loggen/roles/CustomRole655"
       }],
       "methodName":"google.iam.admin.v1.UndeleteRole",
       "request":{
         "@type":"type.googleapis.com/google.iam.admin.v1.UndeleteRoleRequest",
         "name":"projects/bmlabs-loggen/roles/CustomRole655"
       },
       "requestMetadata":{
         "callerIp":"73.110.42.127",
         "callerSuppliedUserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36,gzip(gfe)"
       },
       "resourceName":"projects/bmlabs-loggen/roles/CustomRole655",
       "response":{
         "@type":"type.googleapis.com/google.iam.admin.v1.Role",
         "description":"Created on: 2017-10-24",
         "etag":"BwVcY076Hf0=",
         "group_name":"custom",
         "group_title":"Custom",
         "included_permissions":["bigquery.datasets.create"],
         "name":"projects/bmlabs-loggen/roles/CustomRole655",
         "title":"Custom Role  3"
       },
       "serviceName":"iam.googleapis.com",
       "status":{}
     },
     "receiveTimestamp":"2017-11-20T10:54:01.590EST",
     "resource":{
       "labels":{
         "project_id":"bmlabs-loggen",
         "role_name":"projects/bmlabs-loggen/roles/CustomRole655"
       },
       "type":"iam_role"
     },
     "severity":"NOTICE",
     "timestamp":"2017-11-20T10:54:01.590EST"
   },
   "attributes":{
     "logging.googleapis.com/timestamp":"2017-11-20T10:54:01.590EST"
   },
   "message_id":"164347792499667",
   "messageId":"164347792499667",
   "publish_time":"2017-11-20T10:54:01.590EST",
   "publishTime":"2017-11-20T10:54:01.590EST"
 },
 "subscription":"projects/bmlabs-loggen/subscriptions/push-to-sumo"
}

Query Sample

Added roles over time

_collector="HTTP Source for GCP Pub/Sub" logName resource timestamp
| json "message.data.resource.type" as type
| parse regex "\s+\"logName\":\"(?<log_name>\S+)\""
| where type = "project" and log_name matches "projects/*/logs/cloudaudit.googleapis.com%2Factivity"
| timeslice 1h
| json "message.data.resource.labels", "message.data.resource.labels.project_id", "message.data.protoPayload.serviceData.policyDelta.bindingDeltas[*]" as labels, project, changes
| parse regex field=changes "\"role\":\"roles\\\/(?<role>[a-zA-Z.]+)\",\"member\":\".*\",\"action\":\"(?<action>[A-Z]+)\"" multi
| where action="ADD"
| count by _timeslice, role
| transpose row _timeslice column role