Enable Logging for HTTP(S) Load Balancing Backend Services

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)

Ensure that your Google Cloud Platform (GCP) load balancing backend services are configured to log HTTP(S) traffic.

Security

HTTP(S) load balancing log entries contain information useful for monitoring and debugging web traffic. Google Cloud exports this logging data to Cloud Monitoring service so that monitoring metrics can be created to evaluate a load balancer's configuration, usage, and performance, troubleshoot problems, and improve resource utilization and user experience.


Audit

To determine if your load balancing backend services are logging HTTP(S) traffic, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Click on the name of the HTTP(S) load balancer that you want to examine, select the Details tab, and check the Logging configuration attribute value set for the backend service listed in the Backend section. If the Logging attribute value is set to disabled, HTTP(S) logging is not enabled for the backend service associated with the selected Google Cloud load balancer.

06 Repeat step no. 5 for each GCP load balancer created for the selected project.

07 Repeat steps no. 2 – 6 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run the projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account:

gcloud projects list \
    --format="table(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

PROJECT_ID
cc-project5-stack-123123
cc-bigdata-project-112233

03 Run the compute url-maps list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the name of each load balancer (identified by a URL map) created for the selected project:

gcloud compute url-maps list \
    --project cc-project5-stack-123123 \
    --format="table(name)"

04 The command output should return the name(s) of the existing load balancer(s):

NAME
cc-project5-web-load-balancer
cc-project5-int-load-balancer

05 Run the compute url-maps describe command (Windows/macOS/Linux) using the name of the GCP load balancer that you want to examine as the identifier parameter and custom query filters to return the resource URL of the backend service associated with the selected load balancer:

gcloud compute url-maps describe cc-project5-web-load-balancer \
    --format="value(defaultService)"

06 The command output should return the requested resource URL:

https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service

07 Run the compute backend-services describe command (Windows/macOS/Linux) using the URL of the associated backend service that you want to examine as the identifier parameter and custom output filtering to return the logging configuration status of the selected resource:

gcloud compute backend-services describe https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service \
    --format="value(logConfig.enable)"

08 The command output should return the backend service logging configuration status:

False

If the compute backend-services describe command output returns null (empty) or False, as shown in the example above, HTTP(S) logging is not enabled for the backend service associated with the selected Google Cloud load balancer.

09 Repeat steps no. 5 – 8 to perform the audit process for other load balancers created within the selected project.

10 Repeat steps no. 3 – 9 for each GCP project deployed in your Google Cloud account.
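The CLI audit above, steps 3 to 10, scripted end to end. This is an added example, not part of the Conformity page: it walks every project ID passed on the command line, resolves each URL map's default backend service, and rates its logging configuration. It also catches the case the Remediation section warns about, logging enabled with a sample rate of 0.0, and assumes (as the gcloud value() format does) that multiple fields are tab-separated and that an absent sampleRate means the API default of 1.0.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the Conformity page): flags HTTP(S) load
# balancer backend services whose request logging is effectively off.
set -u

# assess_log_config ENABLE SAMPLE_RATE -> prints COMPLIANT or NON_COMPLIANT.
# ENABLE is the raw "value(logConfig.enable)" output: True, False or empty
# (empty = no logConfig at all, which gcloud prints as nothing/null).
# SAMPLE_RATE is "value(logConfig.sampleRate)": a decimal in [0,1] or empty;
# empty is treated as the API default of 1.0 (assumption stated in lead-in).
assess_log_config() {
  local enable="${1:-}" rate="${2:-}"
  case "$enable" in
    True|true) ;;
    *) echo NON_COMPLIANT; return ;;
  esac
  # Logging enabled but sampled at 0.0 stores nothing, so treat it as disabled.
  if [ -n "$rate" ] && awk -v r="$rate" 'BEGIN { exit !(r+0 <= 0) }'; then
    echo NON_COMPLIANT; return
  fi
  echo COMPLIANT
}

# audit_project PROJECT_ID -> one tab-separated line per load balancer:
# project, URL map name, backend service URL, verdict.
audit_project() {
  local project="$1" urlmap svc line enable rate
  for urlmap in $(gcloud compute url-maps list --project "$project" --format="value(name)"); do
    svc=$(gcloud compute url-maps describe "$urlmap" --project "$project" --format="value(defaultService)")
    [ -n "$svc" ] || continue   # URL maps routed only via path matchers have no default service
    line=$(gcloud compute backend-services describe "$svc" --format="value(logConfig.enable,logConfig.sampleRate)")
    enable=$(printf '%s' "$line" | cut -f1)
    rate=$(printf '%s' "$line" | cut -f2 -s)
    printf '%s\t%s\t%s\t%s\n' "$project" "$urlmap" "$svc" "$(assess_log_config "$enable" "$rate")"
  done
}

# Runs only when project IDs are supplied, e.g.:
#   ./lb-logging-audit.sh $(gcloud projects list --format="value(projectId)")
for project in "$@"; do
  audit_project "$project"
done
```

Any line ending in NON_COMPLIANT is a backend service to fix with the compute backend-services update command from the Remediation section.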

Remediation / Resolution

To enable HTTP(S) logging for your Google Cloud load balancing backend services, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the GCP project that you want to access from the console top navigation bar.

03 Navigate to Cloud Load Balancing dashboard at https://console.cloud.google.com/net-services/loadbalancing.

04 On the Load balancing page, select Load balancers to access the list with the Google Cloud load balancers created for the selected project.

05 Choose the HTTP(S) load balancer that you want to reconfigure (see Audit section part I to identify the right resource), click on the 3-dot button to access the options menu, then select Edit.

06 On the Edit HTTP(S) load balancer page, select Backend configuration tab, and click on the Edit button (pencil icon) available next to the associated backend service, to enter the resource edit mode.

07 On the Edit backend service configuration panel, under Logging, select the Enable logging checkbox and set the Sample rate fraction to a value between 0.0 and 1.0 (the default is 1.0). Note that enabling logging but setting the Sample rate to 0.0 is equivalent to disabling logging. For example, to cut the number of stored logs to 20%, set the value to 0.2. Click Update to apply the configuration changes.

08 On the Edit HTTP(S) load balancer page, click Update to save the changes and enable HTTP(S) logging for the selected Google Cloud load balancer.

09 Repeat steps no. 5 – 8 to enable logging for other load balancers created for the selected project.

10 Repeat steps no. 2 – 9 for each GCP project available within your Google Cloud account.

Using GCP CLI

01 Run the compute backend-services update command (Windows/macOS/Linux) using the URL of the backend service that you want to reconfigure as the identifier parameter, to enable HTTP(S) logging for the load balancer associated with the selected backend service. The --logging-sample-rate parameter lets you configure the logging sampling rate as a value from 0.0 through 1.0, where 0.0 means no packets are logged and 1.0 means 100% of packets are logged. Note that enabling logging but setting the sample rate to 0.0 is equivalent to disabling logging:

gcloud compute backend-services update https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service \
    --enable-logging \
    --logging-sample-rate=1.0

02 The command output should return the URL of the reconfigured backend service:

Updated [https://www.googleapis.com/compute/v1/projects/cc-project5-stack-123123/global/backendServices/cc-project5-web-backend-service].

03 Repeat steps no. 1 and 2 to enable logging for other load balancers available within the selected project.

04 Repeat steps no. 1 – 3 for each GCP project deployed in your Google Cloud account.

Publication date May 10, 2021
