GCP: Enable DNS Logs
To enable GCP DNS query logs, follow the steps below.
Procedure
Step 1 | In the Security Cloud Control platform menu, choose .
Step 2 | In the GCP console, navigate to VPC network.
Step 3 | Open Google Cloud Shell and run: gcloud dns policies create POLICY_NAME --networks=NETWORK --enable-logging (replace POLICY_NAME with a name for the policy and NETWORK with the VPC network whose DNS queries you want logged; logging is enabled per network through the policy).
Step 4 | Navigate to the Cloud Storage section and create a storage bucket. The default settings are sufficient.
Step 5 | Navigate to the Logs Router section.
Step 6 | Click Create Sink.
Step 7 | Provide a sink name.
Step 8 | For the sink service, select Cloud Storage bucket.
Step 9 | Select the Cloud Storage bucket created in Step 4.
Step 10 | In the "Choose logs to include in sink" section, enter this string:
Step 11 | Click Create Sink.
Note: The following steps are the same as those in the VPC flow log procedure for GCP. If you share one Cloud Storage bucket between the two, perform the steps below only once.
Step 12 | Navigate to .
Step 13 | Create a custom role with this permission: storage.buckets.list.
Step 14 | Create another custom role with these permissions: storage.buckets.get, storage.objects.get, storage.objects.list.
Step 15 | Add both custom roles to the service account created for the Multicloud Defense Controller. When adding the second custom role, apply this condition:
Step 16 | Navigate to Pub/Sub.
Step 17 | Click Create Topic.
Step 18 | Provide a topic name and click Create.
Step 19 | Click Subscriptions. A default subscription was created together with the topic.
Step 20 | Edit the subscription.
Step 21 | Change Delivery type to Push.
Step 22 | Once Push is selected, enter the endpoint URL:
Step 23 | Click Update.
Step 24 | Create a Cloud Storage notification by opening Google Cloud Shell and running this command:
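The whole procedure above carried out from Cloud Shell with gcloud and gsutil instead of the console, as an added example; it is not code from the original page or from Cisco. The project, network, bucket, sink, topic, subscription, custom-role IDs and the controller service account name are assumed placeholders; the log filter resource.type="dns_query" is the standard Cloud Logging resource type for Cloud DNS query logs and is an assumption here, not a value taken from the page; the IAM condition is an assumed CEL expression that scopes the object-read role to the one bucket; and the push endpoint URL has to come from Security Cloud Control, so it is left as a variable. The script prints each command by default and only executes when APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original page): the Cloud DNS query-log
# pipeline done from Cloud Shell. Dry-run by default; APPLY=1 executes.
# Every value below is an assumed placeholder unless your environment sets it.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project}"
NETWORK="${NETWORK:-default}"                       # VPC network whose DNS queries are logged
DNS_POLICY="${DNS_POLICY:-dns-query-logging}"
BUCKET="${BUCKET:-${PROJECT_ID}-dns-logs}"           # sink destination; may be shared with VPC flow logs
SINK="${SINK:-dns-logs-to-gcs}"
TOPIC="${TOPIC:-dns-log-objects}"
SUBSCRIPTION="${SUBSCRIPTION:-dns-log-objects-push}"
CONTROLLER_SA="${CONTROLLER_SA:-mcd-controller@${PROJECT_ID}.iam.gserviceaccount.com}"
PUSH_ENDPOINT="${PUSH_ENDPOINT:-}"                  # supplied by Security Cloud Control; not in the page

# Cloud Logging filter for Cloud DNS query logs (assumed standard resource type).
dns_log_filter() { printf '%s' 'resource.type="dns_query"'; }

# IAM condition (CEL) that limits a role grant to one bucket; assumed expression.
bucket_condition() {
  printf 'expression=resource.name.startsWith("projects/_/buckets/%s"),title=only-%s' "$1" "$1"
}

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# Steps 2-3: attach a DNS policy with query logging to the VPC network.
enable_dns_logging() {
  run gcloud dns policies create "$DNS_POLICY" --project="$PROJECT_ID" \
    --networks="$NETWORK" --enable-logging
}

# Steps 4-11: bucket plus a Logs Router sink that routes only DNS query logs into it.
create_bucket_and_sink() {
  run gsutil mb -p "$PROJECT_ID" "gs://$BUCKET"
  run gcloud logging sinks create "$SINK" "storage.googleapis.com/$BUCKET" \
    --project="$PROJECT_ID" --log-filter="$(dns_log_filter)"
  # Unlike the console, gcloud does not grant the sink's writer identity
  # write access to the bucket; without this the sink cannot deliver logs.
  if [ "${APPLY:-0}" = "1" ]; then
    writer="$(gcloud logging sinks describe "$SINK" --project="$PROJECT_ID" \
      --format='value(writerIdentity)')"
    gsutil iam ch "${writer}:objectCreator" "gs://$BUCKET"
  else
    printf '+ gsutil iam ch <writerIdentity of %s>:objectCreator gs://%s\n' "$SINK" "$BUCKET"
  fi
}

# Steps 12-15: two least-privilege custom roles for the controller service account.
# Listing buckets is a project-wide permission and cannot be conditioned on a
# bucket, so only the object-read role carries the bucket condition.
grant_controller_roles() {
  run gcloud iam roles create mcdBucketLister --project="$PROJECT_ID" \
    --title="MCD bucket lister" --permissions=storage.buckets.list --stage=GA
  run gcloud iam roles create mcdBucketReader --project="$PROJECT_ID" \
    --title="MCD bucket reader" \
    --permissions=storage.buckets.get,storage.objects.get,storage.objects.list --stage=GA
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$CONTROLLER_SA" \
    --role="projects/$PROJECT_ID/roles/mcdBucketLister"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$CONTROLLER_SA" \
    --role="projects/$PROJECT_ID/roles/mcdBucketReader" \
    --condition="$(bucket_condition "$BUCKET")"
}

# Steps 16-24: topic, push subscription to the controller, and a bucket
# notification so every new log object triggers a push.
create_pubsub_and_notification() {
  if [ "${APPLY:-0}" = "1" ] && [ -z "$PUSH_ENDPOINT" ]; then
    echo "PUSH_ENDPOINT must be set to the Security Cloud Control endpoint URL" >&2
    return 1
  fi
  run gcloud pubsub topics create "$TOPIC" --project="$PROJECT_ID"
  # gcloud does not auto-create a subscription as the console does, so the
  # push subscription is created directly instead of edited.
  run gcloud pubsub subscriptions create "$SUBSCRIPTION" --project="$PROJECT_ID" \
    --topic="$TOPIC" --push-endpoint="${PUSH_ENDPOINT:-<PUSH_ENDPOINT>}"
  run gsutil notification create -t "$TOPIC" -f json -e OBJECT_FINALIZE "gs://$BUCKET"
}

main() {
  enable_dns_logging
  create_bucket_and_sink
  grant_controller_roles
  create_pubsub_and_notification
}

main
```

Run it once without APPLY to review the exact commands, then with PUSH_ENDPOINT set and APPLY=1. The two departures from the console flow are deliberate: the sink's writer identity must be granted objectCreator on the bucket by hand, and the push subscription is created directly rather than by editing a default one. Keep the bucket condition on the read role only; a conditioned grant of storage.buckets.list never matches because that permission is evaluated at project level.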