GCP: Enable DNS Logs
To enable GCP DNS query logs and make them available to the Multicloud Defense Controller, follow the steps below.
Procedure
Step 1: Navigate to VPC network in the GCP console.
Step 2: Open Google Cloud Shell and execute this command: gcloud dns policies create POLICY_NAME --networks=NETWORK --enable-logging
Step 3: Navigate to the Cloud Storage section and create a storage bucket. You can leave everything at the defaults when creating the bucket.
Step 4: Navigate to the Logs Router section.
Step 5: Click Create Sink.
Step 6: Provide a sink name.
Step 7: Select "Cloud Storage bucket" as the sink service.
Step 8: Select the Cloud Storage bucket that was created above.
Step 9: In the "Choose logs to include in sink" section, enter this string:
Step 10: Click Create Sink.
Note: The steps below are the same as those described for VPC flow logs in GCP. If you are sharing the Cloud Storage bucket, you only need to perform them once.
Step 11: Navigate to .
Step 12: Create a custom role with this permission: storage.buckets.list.
Step 13: Create another custom role with the following permissions: storage.buckets.get, storage.objects.get, storage.objects.list.
Step 14: Add both custom roles to the service account created for the Multicloud Defense Controller. When adding the second custom role, apply this condition:
Step 15: Navigate to Pub/Sub.
Step 16: Click Create Topic.
Step 17: Provide a topic name and click Create.
Step 18: Click Subscriptions. You will find that a subscription was created automatically for the topic you just created.
Step 19: Edit the subscription.
Step 20: Change the Delivery type to Push.
Step 21: Once Push is selected, enter the endpoint URL:
Step 22: Click Update.
Step 23: Create a Cloud Storage notification by opening Google Cloud Shell and executing this command:
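The same procedure, scripted with gcloud, as an added example that is not part of the original page or of Multicloud Defense itself. The project, network, bucket, role, topic and service-account names are placeholders; the push endpoint URL and the IAM condition on the second custom role are not reproduced on this page, so the values used here (an example.invalid endpoint and a condition restricting the read role to the log bucket) are assumptions to be replaced with the real ones. The script defaults to a dry run that prints each command; set DRY_RUN=0 to execute. It also adds two checks the console steps do not mention: granting the sink's writer identity roles/storage.objectCreator on the bucket (without it the sink is created but nothing is ever written), and reading a few dns_query entries back to confirm logging is active.

```shell
#!/bin/sh
# Added example: scripts the GCP DNS log export procedure with gcloud.
# All names below are placeholders (assumptions), not values from the page.
set -eu

PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-default}"
POLICY="${POLICY:-dns-query-logging}"
BUCKET="${BUCKET:-${PROJECT}-dns-logs}"
SINK="${SINK:-dns-logs-to-gcs}"
TOPIC="${TOPIC:-dns-log-notifications}"
SUBSCRIPTION="${SUBSCRIPTION:-${TOPIC}-push}"
CONTROLLER_SA="${CONTROLLER_SA:-controller@${PROJECT}.iam.gserviceaccount.com}"
# Assumption: the controller's push endpoint is not given on the page.
PUSH_ENDPOINT="${PUSH_ENDPOINT:-https://example.invalid/gcs-notify}"
DRY_RUN="${DRY_RUN:-1}"

# Cloud DNS query logs are written with resource.type="dns_query"; this
# is the filter to put in the sink's "Choose logs to include" field.
DNS_LOG_FILTER='resource.type="dns_query"'

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-2: a DNS policy with logging enabled on the VPC network.
enable_dns_logging() {
  run gcloud dns policies create "$POLICY" --project="$PROJECT" \
    --networks="$NETWORK" --enable-logging
}

# Step 3: the bucket that receives the exported log objects.
create_bucket() {
  run gcloud storage buckets create "gs://$BUCKET" --project="$PROJECT" \
    --location=US --uniform-bucket-level-access
}

# Steps 4-10: a log sink routing dns_query entries into the bucket.
create_sink() {
  run gcloud logging sinks create "$SINK" "storage.googleapis.com/$BUCKET" \
    --project="$PROJECT" --log-filter="$DNS_LOG_FILTER"
}

# Check the console steps omit: the sink writes as its own service
# account, which must be allowed to create objects in the bucket.
grant_sink_writer() {
  if [ "$DRY_RUN" = "1" ]; then
    writer='serviceAccount:WRITER_IDENTITY'
  else
    writer=$(gcloud logging sinks describe "$SINK" --project="$PROJECT" \
      --format='value(writerIdentity)')
  fi
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$writer" --role=roles/storage.objectCreator
}

# Steps 11-14: two custom roles for the controller service account. The
# condition on the read role is an assumption (page does not show it).
create_and_bind_controller_roles() {
  run gcloud iam roles create mcdBucketList --project="$PROJECT" \
    --title="MCD bucket list" --permissions=storage.buckets.list
  run gcloud iam roles create mcdBucketRead --project="$PROJECT" \
    --title="MCD bucket read" \
    --permissions=storage.buckets.get,storage.objects.get,storage.objects.list
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$CONTROLLER_SA" \
    --role="projects/$PROJECT/roles/mcdBucketList"
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="serviceAccount:$CONTROLLER_SA" \
    --role="projects/$PROJECT/roles/mcdBucketRead" \
    --condition="expression=resource.name.startsWith(\"projects/_/buckets/$BUCKET\"),title=dns-log-bucket-only"
}

# Steps 15-23: topic, push subscription, and a bucket notification that
# publishes to the topic whenever a new log object is finalized.
create_notification_pipeline() {
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT"
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" --project="$PROJECT" \
    --topic="$TOPIC" --push-endpoint="$PUSH_ENDPOINT"
  run gcloud storage buckets notifications create "gs://$BUCKET" \
    --topic="$TOPIC" --event-types=OBJECT_FINALIZE --payload-format=json
}

# Verification: a few recent query log entries prove the policy is logging.
verify_dns_logs() {
  run gcloud logging read "$DNS_LOG_FILTER" --project="$PROJECT" --limit=5 \
    --format='value(jsonPayload.queryName,jsonPayload.responseCode)'
}

enable_dns_logging
create_bucket
create_sink
grant_sink_writer
create_and_bind_controller_roles
create_notification_pipeline
verify_dns_logs
```

Run it once per bucket: if the bucket and notification pipeline are shared with VPC flow logs, re-run only enable_dns_logging and create_sink for the DNS policy. The conditional binding is what keeps the controller's read role scoped to this bucket rather than every bucket in the project.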