Export logs to external SIEM system

This page describes the process for the Platform Administrator (PA) to export logs in Google Distributed Cloud (GDC) air-gapped to an external Security Information and Event Management (SIEM) system.

Before you begin

Before exporting logs to an external SIEM system, follow these steps:

Set the path of the kubeconfig file as an environment variable:
```
export KUBECONFIG=KUBECONFIG_FILE
```
Replace KUBECONFIG_FILE with the path to the kubeconfig file in your organization's admin cluster from where you want to export logs.
Set your GDC username as an environment variable:
```
export USER=YOUR_USERNAME
```
Set your GDC project namespace as an environment variable:
```
export PROJECT_NAMESPACE=PROJECT_NAMESPACE
```
To get the permissions that you need to export logs to an external SIEM system, ask your Organization IAM Admin to grant you one of the following roles by defining a role binding for your project namespace:
- The SIEM Export Org Creator (siemexport-org-creator) role.
  
  If no one has deployed the SIEMOrgForwarder CR in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you deploy the SIEMOrgForwarder CR:
```
kubectl \
  create rolebinding siemexport-org-creator-rolebinding \
  --kubeconfig=IAM_ORG_KUBECONFIG \
  --user USERNAME \
  --role siemexport-org-creator \
  --namespace PROJECT_NAMESPACE
```
- The SIEM Export Org Editor (siemexport-org-editor) role.
  
  If the SIEMOrgForwarder CR already exists in your project namespace, you need this role. The Organization IAM Admin creates a role binding to let you edit the SIEMOrgForwarder CR:
```
kubectl \
  create rolebinding siemexport-org-editor-rolebinding \
  --kubeconfig=IAM_ORG_KUBECONFIG \
  --user USERNAME \
  --role siemexport-org-editor \
  --namespace PROJECT_NAMESPACE
```
- The SIEM Export Org Viewer (siemexport-org-viewer) role.
  
  If the SIEMOrgForwarder CR already exists in your namespace and you only need to visualize it, you need this role. The Organization IAM Admin creates a role binding to let you view the SIEMOrgForwarder CR:
```
kubectl \
  create rolebinding siemexport-org-viewer-rolebinding \
  --kubeconfig=IAM_ORG_KUBECONFIG \
  --user USERNAME \
  --role siemexport-org-viewer \
  --namespace PROJECT_NAMESPACE
```
Replace the following:
- IAM_ORG_KUBECONFIG: the path to the organization IAM administrator kubeconfig file in the org admin cluster.
- USERNAME: the username that requires the role binding.
- PROJECT_NAMESPACE: the project namespace that requires the role binding.

Configure logs export

To export logs to an external SIEM system, follow these steps:

Deploy a SIEM token as a secret in your project namespace:

cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: SECRET_NAME
  namespace: ${PROJECT_NAMESPACE}
type: Opaque
stringData:
  SECRET_FIELD: TOKEN
EOF

Replace the following:

SECRET_NAME: the name of your secret.
SECRET_FIELD: the name of the field where you want to store the secret.
TOKEN: your SIEM token.

You provide a SIEM token to connect the logging stack to the SIEM system.

You can have different tokens for audit and operational logs. In this case, you must deploy two secrets, one with the token for audit logs and the other with the token for operational logs. You must reference the corresponding secret name in the SIEMOrgForwarder CR for audit and operational logs, as shown in the following step.

Deploy the SIEMOrgForwarder CR in your project namespace.

Specify the log type by choosing between audit or operational logs. To configure the log export for both log types, you must deploy two SIEMOrgForwarder CRs, one for each type.

Audit logs

cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
  name: SIEM_AUDIT_NAME
  namespace: ${PROJECT_NAMESPACE}
spec:
  source: audit
  splunkOutputs:
    - host: SIEM_HOST
      token:
        name: SECRET_NAME
        field: SECRET_FIELD
      tls: "TLS"
      netConnectTimeout: NET_CONNECT_TIMEOUT
EOF

Replace the following:

SIEM_AUDIT_NAME: the name you want to give to the SIEMOrgForwarder CR for audit logs.
SIEM_HOST: the name of the SIEM host for audit logs.
SECRET_NAME: the name of your secret for audit logs.
SECRET_FIELD: the name of the field where you stored the secret for audit logs.
TLS: the status of the Transport Layer Security (TLS). Accepted values are "On" and "Off".
NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of 180 means to wait 180 seconds for a connection to be established.

Operational logs

cat <<EOF | kubectl --kubeconfig=${KUBECONFIG} apply -f -
apiVersion: logging.gdc.goog/v1
kind: SIEMOrgForwarder
metadata:
  name: SIEM_OPS_NAME
  namespace: ${PROJECT_NAMESPACE}
spec:
  source: operational
  splunkOutputs:
    - host: SIEM_HOST
      token:
        name: SECRET_NAME
        field: SECRET_FIELD
      tls: "TLS"
      netConnectTimeout: NET_CONNECT_TIMEOUT
EOF

Replace the following:

SIEM_OPS_NAME: the name you want to give to the SIEMOrgForwarder CR for operational logs.
SIEM_HOST: the name of the SIEM host for operational logs.
SECRET_NAME: the name of your secret for operational logs.
SECRET_FIELD: the name of the field where you stored the secret for operational logs.
TLS: the status of the Transport Layer Security (TLS). Accepted values are "On" and "Off".
NET_CONNECT_TIMEOUT: the maximum time in seconds to wait for a connection to be established. For example, a value of 180 means to wait 180 seconds for a connection to be established.

Verify the status of the deployed CRs for audit or operational logs.

Audit logs

Verify the AuditLoggingReady status:

kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_AUDIT_NAME -n ${PROJECT_NAMESPACE}

Operational logs

Verify the OperationalLoggingReady status:

kubectl --kubeconfig=${KUBECONFIG} describe siemorgforwarder/SIEM_OPS_NAME -n ${PROJECT_NAMESPACE}