QUESTION

What inclusion filter should I use in my GCS logging sink to only push Panther-supported GCP logs to Panther?

ANSWER

  1. From the main dashboard of Google Cloud Platform, click the menu on the left-hand side and go to Logging > Log Router.

  2. Find the sink that forwards logs to the bucket your Panther Console reads from. On the right, click the three-dot icon, then click Edit sink.

  3. Scroll down to the section "Choose logs to include in sink" and build an inclusion filter using the following filter expression:

    logName:"cloudaudit.googleapis.com" OR
    resource.type="http_load_balancer"
  4. Click Done. Scroll to the bottom and click Update Sink.
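As an added illustration (not part of the original answer), the Python snippet below emulates the two predicates of that inclusion filter against a few constructed log entries, so you can preview which entry types the sink would forward before saving the change. The project id and entries are made up, and the matcher is a simplified approximation of the Cloud Logging query language (":" as case-insensitive substring match, "=" as exact equality), not the real query engine.

```python
# Added example: approximate the Log Router inclusion filter
#   logName:"cloudaudit.googleapis.com" OR resource.type="http_load_balancer"
# In the Logging query language ':' means "has" (substring match on string
# fields) and '=' means exact equality. This is a simplified emulation, not
# the real query engine; all entries below are constructed sample data.

SINK_FILTER = 'logName:"cloudaudit.googleapis.com" OR resource.type="http_load_balancer"'


def has(value, needle):
    """Emulates the ':' operator on a string field (case-insensitive substring)."""
    return needle.lower() in str(value).lower()


def matches_sink_filter(entry):
    """Return True if the entry would be forwarded by the sink filter above."""
    log_name = entry.get("logName", "")
    resource_type = entry.get("resource", {}).get("type", "")
    return has(log_name, "cloudaudit.googleapis.com") or resource_type == "http_load_balancer"


# Constructed sample entries; "my-project" is a placeholder project id.
SAMPLE_ENTRIES = [
    {  # Admin Activity audit log: matched by the logName predicate
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gce_instance"},
    },
    {  # HTTP(S) load balancer request log: matched by the resource.type predicate
        "logName": "projects/my-project/logs/requests",
        "resource": {"type": "http_load_balancer"},
    },
    {  # Plain VM syslog: matches neither predicate, so it is not forwarded
        "logName": "projects/my-project/logs/syslog",
        "resource": {"type": "gce_instance"},
    },
]


def forwarded_log_names(entries):
    """Log names of the entries the sink would push to the bucket (and on to Panther)."""
    return [e["logName"] for e in entries if matches_sink_filter(e)]


if __name__ == "__main__":
    print("filter:", SINK_FILTER)
    for name in forwarded_log_names(SAMPLE_ENTRIES):
        print("forward:", name)
```

Running it shows the audit and load balancer entries being kept while the syslog entry is dropped, which is the split the filter is meant to produce.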