Panther Knowledge Base

What inclusion filter should I use in my GCS logging sink to only push Panther-supported GCP logs to Panther?

QUESTION

What inclusion filter should I use in my GCS logging sink to only push Panther-supported GCP logs to Panther?

ANSWER

  1. From the main dashboard of Google Cloud Platform, click the menu on the left-hand side. Go to Logging > Log Router.

  2. Find the bucket that will be forwarding logs to your Panther Console. On the right, click the three-dot icon, then click Edit sink.

  3. Scroll down to the section "Choose logs to include in sink" and build an inclusion filter using the following expression:
    logName:"cloudaudit.googleapis.com" OR
    resource.type="http_load_balancer"

  4. Click Done. Scroll to the bottom and click Update Sink.
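
To check what the inclusion filter from step 3 will and will not export before relying on it, the following added example (not Panther's or Google's code) models the filter in Python and runs it over constructed log entries. It assumes a simplified reading of the filter: `:` is treated as a substring match on `logName` and `=` as an exact match on `resource.type`; the project ID and entries are placeholders.

```python
# Added example: simplified model of the sink inclusion filter
#   logName:"cloudaudit.googleapis.com" OR resource.type="http_load_balancer"
# Assumption: ":" is modelled as substring match, "=" as exact string match.

AUDIT_LOG_MARKER = "cloudaudit.googleapis.com"
LB_RESOURCE_TYPE = "http_load_balancer"


def matches_inclusion_filter(entry: dict) -> bool:
    """Return True if the sink would export this log entry."""
    log_name = entry.get("logName", "")
    # Entries without a resource block simply fail the second clause.
    resource_type = (entry.get("resource") or {}).get("type", "")
    return AUDIT_LOG_MARKER in log_name or resource_type == LB_RESOURCE_TYPE


def partition(entries):
    """Split entries into (exported, dropped) according to the filter."""
    exported, dropped = [], []
    for entry in entries:
        (exported if matches_inclusion_filter(entry) else dropped).append(entry)
    return exported, dropped


# Constructed sample entries; "example-project" is a placeholder project ID.
P = "projects/example-project/logs/"
SAMPLE_ENTRIES = [
    # Audit logs match on logName regardless of the resource they describe.
    {"logName": P + "cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "gce_instance"}},
    {"logName": P + "cloudaudit.googleapis.com%2Fdata_access",
     "resource": {"type": "gcs_bucket"}},
    # Load balancer request logs match on resource.type, not logName.
    {"logName": P + "requests", "resource": {"type": "http_load_balancer"}},
    # Everything else stays out of the sink.
    {"logName": P + "syslog", "resource": {"type": "gce_instance"}},
    {"logName": P + "stdout", "resource": {"type": "k8s_container"}},
    {"logName": P + "syslog"},  # no resource block at all
]

if __name__ == "__main__":
    exported, dropped = partition(SAMPLE_ENTRIES)
    for entry in exported:
        print("EXPORT", entry["logName"])
    for entry in dropped:
        print("DROP  ", entry["logName"])
```

The same comparison can be done against real traffic by pasting the filter into Logs Explorer and reviewing the matching entries before updating the sink.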