Usage logs & storage logs

Google Cloud Storage offers usage logs and storage logs, also known as access logs, in the form of CSV files that can be downloaded. Usage logs provide information for all of the requests made on a specified bucket and are created hourly. Storage logs provide information about the storage consumption of that bucket for the last day and are created daily. Once set up, usage logs and storage logs are automatically created as new objects in the specified bucket.

To process these usage and storage (access) logs, ThreatLockDown uses the gcp-bucket module. Configure the gcp-bucket module in either the ThreatLockDown manager or a ThreatLockDown agent by modifying its ossec.conf configuration file. Check the gcp-bucket configuration reference to learn more.
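The two log types above are plain CSV files with a header row, so they can be inspected directly before or alongside the gcp-bucket module. The following added example (not code from the original page or from ThreatLockDown) parses a usage log and a storage log and derives two defender-oriented figures from them: client IPs that collect repeated 403 responses, and the bytes actually served to clients. The column names follow the Cloud Storage usage-log and storage-log formats as documented by Google; the log rows, bucket name, IP addresses and request IDs are constructed for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample of a GCS usage log (one hour of requests). The header row
# uses the documented usage-log column names; every value below is invented.
SAMPLE_USAGE_LOG = '''"time_micros","c_ip","c_ip_type","c_ip_region","cs_method","cs_uri","sc_status","cs_bytes","sc_bytes","time_taken_micros","cs_host","cs_referer","cs_user_agent","s_request_id","cs_operation","cs_bucket","cs_object"
"1622505600000000","203.0.113.10","1","","GET","/example-bucket/reports/q1.csv","200","0","524288","12000","storage.googleapis.com","","curl/7.68.0","req-001","GET_Object","example-bucket","reports/q1.csv"
"1622505660000000","203.0.113.10","1","","GET","/example-bucket/reports/q2.csv","403","0","0","800","storage.googleapis.com","","curl/7.68.0","req-002","GET_Object","example-bucket","reports/q2.csv"
"1622505720000000","198.51.100.7","1","","PUT","/example-bucket/uploads/a.bin","200","1048576","0","30000","storage.googleapis.com","","gsutil/5.0","req-003","PUT_Object","example-bucket","uploads/a.bin"
"1622505780000000","203.0.113.10","1","","GET","/example-bucket/secret.txt","403","0","0","700","storage.googleapis.com","","curl/7.68.0","req-004","GET_Object","example-bucket","secret.txt"
'''

# Constructed sample of a GCS storage log (one row per bucket, once per day).
SAMPLE_STORAGE_LOG = '''"bucket","storage_byte_hours"
"example-bucket","8040000000"
'''


def parse_usage_log(text):
    """Parse usage-log CSV text into a list of dicts with the numeric fields typed."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time_micros"] = int(row["time_micros"])
        row["sc_status"] = int(row["sc_status"])
        row["cs_bytes"] = int(row["cs_bytes"])
        row["sc_bytes"] = int(row["sc_bytes"])
        rows.append(row)
    return rows


def parse_storage_log(text):
    """Return {bucket: average bytes stored over the day} from storage-log CSV text.

    storage_byte_hours accumulates over a 24-hour period, so dividing by 24
    yields the bucket's average size for that day.
    """
    return {row["bucket"]: int(row["storage_byte_hours"]) / 24
            for row in csv.DictReader(io.StringIO(text))}


def denied_requests_by_ip(rows, threshold=2):
    """Return client IPs that received at least `threshold` 403 responses.

    Repeated denials from one address are a cheap indicator that something is
    enumerating objects it is not authorised to read.
    """
    counts = Counter(r["c_ip"] for r in rows if r["sc_status"] == 403)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def bytes_served(rows):
    """Total bytes returned to clients (sc_bytes) by successful GET requests."""
    return sum(r["sc_bytes"] for r in rows
               if r["cs_method"] == "GET" and r["sc_status"] == 200)


if __name__ == "__main__":
    usage = parse_usage_log(SAMPLE_USAGE_LOG)
    print("repeatedly denied IPs:", denied_requests_by_ip(usage))
    print("bytes served:", bytes_served(usage))
    print("average bucket size (bytes):", parse_storage_log(SAMPLE_STORAGE_LOG))
```

Because usage logs are produced hourly and storage logs daily, a job that runs this kind of summary per delivered object gives a baseline of normal download volume and denial rates that alerts generated from the gcp-bucket module can be compared against.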

Setting up log delivery to a Google Cloud Storage bucket

The log delivery for any bucket must be set up manually using the gsutil tool, the XML API, or the JSON API. Follow the Google Cloud Storage documentation for the most up-to-date instructions on how to enable this feature.

Example of configuration

<gcp-bucket>
    <run_on_start>yes</run_on_start>
    <interval>1m</interval>
    <bucket type="access_logs">
        <name>wazuh-test-bucket</name>
        <credentials_file>credentials.json</credentials_file>
        <only_logs_after>2021-JUN-01</only_logs_after>
        <path>access_logs/</path>
        <remove_from_bucket>no</remove_from_bucket>
    </bucket>
</gcp-bucket>