Tetap teratur dengan koleksi
Simpan dan kategorikan konten berdasarkan preferensi Anda.
Halaman ini menjelaskan cara mengekspor log audit dan operasional di perlengkapan air-gapped Google Distributed Cloud (GDC) ke bucket jarak jauh menggunakan alat transfer penyimpanan.
Mendapatkan peran IAM
Untuk mendapatkan izin yang diperlukan untuk mengekspor log, minta Admin IAM Organisasi Anda untuk memberi Anda peran Logs Transfer Admin (logs-transfer-admin) di namespace obs-system di cluster infrastruktur dan peran Logs Bucket Viewer (logs-bucket-viewer)) di namespace obs-system di management plane.
Untuk mengetahui informasi selengkapnya tentang peran ini, lihat Siapkan izin IAM.
Mendapatkan endpoint dan nama bucket sumber yang sepenuhnya memenuhi syarat
[[["Mudah dipahami","easyToUnderstand","thumb-up"],["Memecahkan masalah saya","solvedMyProblem","thumb-up"],["Lainnya","otherUp","thumb-up"]],[["Sulit dipahami","hardToUnderstand","thumb-down"],["Informasi atau kode contoh salah","incorrectInformationOrSampleCode","thumb-down"],["Informasi/contoh yang saya butuhkan tidak ada","missingTheInformationSamplesINeed","thumb-down"],["Masalah terjemahan","translationIssue","thumb-down"],["Lainnya","otherDown","thumb-down"]],["Terakhir diperbarui pada 2025-09-04 UTC."],[],[],null,["# Export logs to a remote bucket\n\nThis page describes how to export the audit and operational logs in Google Distributed Cloud (GDC) air-gapped appliance to a remote bucket by using the storage transfer tool.\n\nObtain IAM roles\n----------------\n\nTo get the permissions that you need to export logs, ask your Organization IAM Admin to grant you the Logs Transfer Admin (`logs-transfer-admin`) role in the `obs-system` namespace in the infra cluster and the Logs Bucket Viewer (`logs-bucket-viewer)` role in the `obs-system` namespace in the management plane.\n\nFor more information about these roles, see [Prepare IAM permissions](/distributed-cloud/hosted/docs/latest/appliance/platform/pa-user/obs-iam-permissions).\n\nObtain the endpoint and fully qualified name of the source bucket\n-----------------------------------------------------------------\n\n1. Set `KUBECONFIG` to the Org Management API:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eMANAGEMENT_API_KUBECONFIG_PATH\u003c/var\u003e\n\n2. Get the endpoint of the source bucket:\n\n - For audit logs:\n\n kubectl get bucket audit-logs-loki-all -n obs-system -o json | jq '.status.endpoint'\n\n - For operational logs:\n\n kubectl get bucket ops-logs-loki-all -n obs-system -o json | jq '.status.endpoint'\n\n3. Get the fully qualified name of the source bucket:\n\n - For audit logs:\n\n kubectl get bucket audit-logs-loki-all -n obs-system -o json | jq '.status.fullyQualifiedName'\n\n - For operational logs:\n\n kubectl get bucket ops-logs-loki-all -n obs-system -o json | jq '.status.fullyQualifiedName'\n\nObtain source bucket's access credentials\n-----------------------------------------\n\n1. Set KUBECONFIG to the Org Infra cluster:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eINFRA_CLUSTER_KUBECONFIG_PATH\u003c/var\u003e\n\n2. Obtain the access key ID of the source bucket:\n\n - For audit logs:\n\n kubectl get secret audit-logs-loki-all-s3-auth -n obs-system -o json | jq -r '.data.\"access-key-id\"' | base64 -di\n\n - For operational logs:\n\n kubectl get secret ops-logs-loki-all-s3-auth -n obs-system -o json | jq -r '.data.\"access-key-id\"' | base64 -di\n\n3. Get the secret access key of the source bucket:\n\n - For audit logs:\n\n kubectl get secret audit-logs-loki-all-s3-auth -n obs-system -o json | jq -r '.data.\"secret-access-key\"' | base64 -di\n\n - For operational logs:\n\n kubectl get secret ops-logs-loki-all-s3-auth -n obs-system -o json | jq -r '.data.\"secret-access-key\"' | base64 -di\n\nTransfer logs\n-------------\n\n1. Set `KUBECONFIG` to the Org Infra cluster:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eINFRA_CLUSTER_KUBECONFIG_PATH\u003c/var\u003e\n\n2. Create a secret with the access credentials of the source bucket:\n\n kubectl create secret generic -n obs-system \u003cvar translate=\"no\"\u003eSRC_BUCKET_SECRET_NAME\u003c/var\u003e\n --from-literal=access-key-id=\u003cvar translate=\"no\"\u003eSRC_BUCKET_ACCESS_KEY_ID\u003c/var\u003e\n --from-literal=secret-access-key=\u003cvar translate=\"no\"\u003eSRC_BUCKET_SECRET_ACCESS_KEY\u003c/var\u003e\n\n3. Create a secret with the access credentials of the destination bucket:\n\n kubectl create secret generic -n obs-system \u003cvar translate=\"no\"\u003eDST_BUCKET_SECRET_NAME\u003c/var\u003e \n --from-literal=access-key-id=\u003cvar translate=\"no\"\u003eDST_BUCKET_ACCESS_KEY_ID\u003c/var\u003e \n --from-literal=secret-access-key=\u003cvar translate=\"no\"\u003eDST_BUCKET_SECRET_ACCESS_KEY\u003c/var\u003e\n\n4. Create a secret with certificate authority for authenticating the endpoint of the destination bucket:\n\n kubectl create secret generic -n obs-system \u003cvar translate=\"no\"\u003eDST_BUCKET_CA_SECRET_NAME\u003c/var\u003e \n --from-file=\"ca.crt\"=\u003cvar translate=\"no\"\u003eCA_FILE\u003c/var\u003e\n\n5. Create a log transfer job:\n\n apiVersion: batch/v1\n kind: Job\n metadata:\n name: \u003cvar translate=\"no\"\u003eJOB_NAME\u003c/var\u003e\n namespace: obs-system\n spec:\n template:\n spec:\n serviceAccountName: logs-transfer-sa\n containers:\n - name: storage-transfer-pod\n image: gcr.io/private-cloud-staging/storage-transfer:latest\n imagePullPolicy: Always\n command:\n - /storage-transfer\n args:\n - '--src_endpoint=\u003cvar translate=\"no\"\u003eSRC_BUCKET_ENDPOINT\u003c/var\u003e'\n - '--dst_endpoint=\u003cvar translate=\"no\"\u003eDST_BUCKET_ENDPOINT\u003c/var\u003e'\n - '--src_path=\u003cvar translate=\"no\"\u003eSRC_BUCKET_FULLY_QUALIFIED_NAME\u003c/var\u003e'\n - '--dst_path=\u003cvar translate=\"no\"\u003eDST_BUCKET_FULLY_QUALIFIED_NAME\u003c/var\u003e'\n - '--src_credentials=obs-system/\u003cvar translate=\"no\"\u003eSRC_BUCKET_SECRET_NAME\u003c/var\u003e'\n - '--dst_credentials=obs-system/\u003cvar translate=\"no\"\u003eDST_BUCKET_SECRET_NAME\u003c/var\u003e'\n - '--dst_ca_certificate_reference=obs-system/\u003cvar translate=\"no\"\u003eDST_BUCKET_CA_SECRET_NAME\u003c/var\u003e'\n - '--src_ca_certificate_reference=obs-system/trust-store-root-ext'\n - '--src_type=s3'\n - '--dst_type=s3'\n - '--bandwidth_limit=1G'\n restartPolicy: OnFailure.\n ---\n\n6. Wait for the transfer job to complete:\n\n kubectl wait --for=condition=complete job/\u003cvar translate=\"no\"\u003eJOB_NAME\u003c/var\u003e -n obs-system"]]
