What inclusion filter should I use in my GCS logging sink to only push Panther-supported GCP logs to Panther?
QUESTION
What inclusion filter should I use in my GCS logging sink to only push Panther-supported GCP logs to Panther?
ANSWER
- From the main dashboard of Google Cloud Platform, click the menu on the left-hand side. Go to Logging > Log Router.
- Find the bucket that will be forwarding logs to your Panther Console. On the right, click the three-dot icon, then click Edit sink.
- Scroll down to the section "Choose logs to include in sink" and build an inclusion filter using the following expression:
logName:"cloudaudit.googleapis.com" OR resource.type="http_load_balancer"
- Click Done. Scroll to the bottom and click Update Sink.
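To check what the filter above lets through before updating the sink, the following added example (not Panther's or Google's code) models its two clauses in Python: a substring match on `logName` and an exact match on `resource.type`. The function names, the `example-project` project ID and the sample entries are constructed for illustration.

```python
# Simplified model of the sink inclusion filter:
#   logName:"cloudaudit.googleapis.com" OR resource.type="http_load_balancer"
# Only the two operators used in that filter are modelled.

AUDIT_LOG_SUBSTRING = "cloudaudit.googleapis.com"   # ':' clause (substring)
LB_RESOURCE_TYPE = "http_load_balancer"             # '=' clause (exact)


def matches_inclusion_filter(entry: dict) -> bool:
    """Return True if a LogEntry-shaped dict would be included by the filter."""
    log_name = entry.get("logName", "")
    resource_type = entry.get("resource", {}).get("type", "")
    return AUDIT_LOG_SUBSTRING in log_name or resource_type == LB_RESOURCE_TYPE


def routed_log_names(entries: list) -> list:
    """Log names of the entries the sink would forward."""
    return [e["logName"] for e in entries if matches_inclusion_filter(e)]


# Constructed sample entries (hypothetical project "example-project").
SAMPLE_ENTRIES = [
    # Admin Activity audit log: matched by the logName clause.
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "resource": {"type": "gce_instance"}},
    # Data Access audit log on a bucket: matched by the logName clause.
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "resource": {"type": "gcs_bucket"}},
    # Load balancer request log: matched by the resource.type clause.
    {"logName": "projects/example-project/logs/requests",
     "resource": {"type": "http_load_balancer"}},
    # VM syslog: matches neither clause, so it stays out of the sink.
    {"logName": "projects/example-project/logs/syslog",
     "resource": {"type": "gce_instance"}},
    # Entry with no resource field: handled without error, not matched.
    {"logName": "projects/example-project/logs/stdout"},
]

if __name__ == "__main__":
    for name in routed_log_names(SAMPLE_ENTRIES):
        print("forwarded:", name)
```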