Cloud Run has two types of logs, and these are automatically sent to Cloud Logging, and you can export these logs to any destination that Cloud Logging export supports.
Request logs: Logs of requests sent to Cloud Run services. These logs are created automatically.
Container logs: Logs emitted from the container instances, typically from your own code, written to supported locations as described in Writing container logs.
Ingesting GCP Cloud Run logs into Chronicle
- Login to Google Cloud account using credentials.
- On Welcome page, click Cloud Run icon.
- Next, search "Logging" in the search bar at the top and click Enter. By default, it navigates you to Log Explorer.
- In Log Explorer, you can see all logs that come from multiple sources. Filter the logs by choosing Cloud Run in Log Name at top right corner of screen and click Apply.
Note: The following is a list of fields that can be found in the log entry for Cloud Run:
5. Click More Actions and select Create Sink from the dropdown menu. It navigates you to Logs Router screen.
6. In Create logs Routing Sink window, fill the following details.
- Under Sink Details, enter Name & Description.
- Click Next
- Under Sink Destination, in Select sink service, select Cloud Storage Bucket and in Cloud Storage Bucket, select existing bucket or create a new bucket
- Click Next
- Under Choose Logs to include in Sink, a default log is populated once you select an option in Cloud Storage Bucket
- Click Next
- (Optional) Under Choose Logs to filter out of Sink, choose the logs that you would like not to sink
- Click Create Sink.
All logs will be sinked and stored in Cloud Storage Bucket
Viewing logs in Cloud Storage Bucket
To view the GCP Cloud Run logs that are synchronized in cloud storage bucket, first you must grant the Chronicle access. You must add an email You must add the email address 8911409095528497-0 email@example.com to the permissions of the relevant Google Cloud Storage object(s). You must also perform the following actions from the Cloud Storage section in the Google Cloud Console.
- To grant read permission to a specific file, you can "Edit access" on that file and grant the email "Reader" access. This can only be done if you have not enabled uniform bucket-level access.
- If you configure the feed to delete source files (see below for how to do this), you must add the email as a principle on your bucket and grant it the IAM role of Storage Object Admin.
- To grant read permission to multiple files you must grant access at the bucket level. Specifically, you must add the above email as a principle to your storage bucket and grant it the IAM role of Storage Object Viewer.
To enable permission to multiple files in a single bucket at a time, following steps help you achieve it.
- Click on the bucket that you would like enable permissions.
- Click cloudrun.googleapis.com --> GCP Cloud Run
A bucket details window appears
- In Permissions tab, click ADD
- In New Principals field, add the email address "8911409095528497-0 firstname.lastname@example.org"
- In Role, select Storage Object Viewer from the dropdown menu
- Click Save
A gsutil URL is generated for a storage bucket that you have enabled permissions
7. In order to ingest GCP Cloud Run logs into Chronicle, you must copy "gsutil URL" from the configuration tab of a storage bucket and paste it in the Input parameters of Chronicle Feeds
Configuring a feed in Chronicle Instance
To configure a feed in Chronicle,
- From your Chronicle instance page, select Settings from the main menu at top left of your screen
- Click on Feeds where you can find the data feeds that you have configured as well as the default feeds that Google provided
3. From the Feeds page, click ADD NEW at top of the screen
The ADD FEED window appears
4. In Set Properties tab, select SOURCE TYPE as Google Cloud Storage from the dropdown menu
5. Select the Log Type as GCP Cloud Run from the dropdown menu
6. Click Next
7. In Input Parameters tab, paste the gsutil URL that you copied from configuration tab of a storage bucket
8. Click Next
9. In Finalize tab, click Submit