
[Feature Request] Documentation - Audit Logging #7

@aghassemlouei

Description


There are functional and documentation discrepancies with how SE handles audit logging aggregation for the audit logging project.

Documentation: Within 0-bootstrap's README.md

The following is stated under Google Cloud Organization Level Logging:

By default, we provide log filters to capture Cloud Audit Logs, VPC Service Controls violations and Workspace Logs into logging buckets in the top-level audit logging Google Cloud Project. In addition, a log sink with an empty filter is included to comply with Center for Internet Security (CIS) Benchmarks related to log sinks.

The following is stated under Log Sinks and Log Destination

You can customize Google Cloud Organization level logs through the log_sinks variable in two ways

  • creating additional log sinks to capture more logs
  • changing the destination of captured logs

By default, all logs are exported to a log bucket, but FAST can create sinks to BigQuery, GCS, or PubSub.

Functionality: Within 0-bootstrap's log-export.tf:

  1. We create an audit-logs-0 project
  2. We specify the creation of log exports depending on log_types (bigquery, storage, pubsub, or logging)

Within the terraform.tfvars.sample we only create log_sinks with the type of pubsub, which only creates pubsub topics and no subscriptions.

Impact:

  1. The documentation is incorrect as the default behavior of SE does not create logging buckets in the audit-logs project.
  2. The default behavior sends organization logs to a pubsub topic in the audit-logs project without any subscription or retention, so those logs will be lost

Suggestions:

  1. Update the default log_type to "logging" in the terraform.tfvars.sample and add comments/documentation to add pubsub for downstream SIEM ingestion.
  2. Update log-export.tf to control the retention for the log bucket and default it to 365 days.
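As an added example that is not part of this issue or of FAST's own log-export.tf, the Terraform below shows what the two suggestions amount to when written out by hand: an organization-level sink into a log bucket in the audit project with an explicit 365-day retention, plus a Pub/Sub sink for SIEM ingestion that has a subscription so published entries are not discarded. The organization id, project id, resource names and log filters are assumptions, and the snippet does not reproduce the schema of FAST's `log_sinks` variable.

```hcl
# Added example, not FAST's own code. Org id, project id, names and
# filters below are illustrative assumptions.

locals {
  org_id           = "123456789012"         # assumed organization id
  audit_project_id = "example-audit-logs-0" # assumed audit logging project
  audit_filter     = "logName:\"/logs/cloudaudit.googleapis.com%2Factivity\" OR logName:\"/logs/cloudaudit.googleapis.com%2Fsystem_event\""
}

# Durable destination: a user-defined log bucket whose retention is set
# here instead of being left at the 30-day default of a new bucket.
resource "google_logging_project_bucket_config" "audit" {
  project        = local.audit_project_id
  location       = "global"
  bucket_id      = "audit-logs"
  retention_days = 365
  # Set locked = true to make the retention policy immutable; a locked
  # bucket cannot be deleted until every entry in it has aged out.
  # locked = true
}

resource "google_logging_organization_sink" "audit_to_bucket" {
  name             = "audit-logs-bucket"
  org_id           = local.org_id
  include_children = true
  filter           = local.audit_filter
  destination      = "logging.googleapis.com/${google_logging_project_bucket_config.audit.id}"
}

# The sink's service account must be allowed to write into the bucket's project.
resource "google_project_iam_member" "bucket_writer" {
  project = local.audit_project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.audit_to_bucket.writer_identity
}

# Optional second copy for a SIEM. A topic with no subscription accepts
# publishes and drops them, which is the loss mode described in the issue,
# so the subscription is what makes this destination meaningful.
resource "google_pubsub_topic" "siem" {
  project = local.audit_project_id
  name    = "audit-logs-siem"
}

resource "google_pubsub_subscription" "siem" {
  project                    = local.audit_project_id
  name                       = "audit-logs-siem-pull"
  topic                      = google_pubsub_topic.siem.id
  message_retention_duration = "604800s" # 7 days of buffer if the SIEM falls behind
  retain_acked_messages      = false
}

resource "google_logging_organization_sink" "audit_to_pubsub" {
  name             = "audit-logs-siem"
  org_id           = local.org_id
  include_children = true
  filter           = local.audit_filter
  destination      = "pubsub.googleapis.com/${google_pubsub_topic.siem.id}"
}

resource "google_pubsub_topic_iam_member" "sink_publisher" {
  project = local.audit_project_id
  topic   = google_pubsub_topic.siem.name
  role    = "roles/pubsub.publisher"
  member  = google_logging_organization_sink.audit_to_pubsub.writer_identity
}
```

The log bucket sink is the one to keep as the default: it retains entries for the configured period and is queryable from Logs Explorer. The Pub/Sub sink only buffers entries for the subscription's retention window, so it is a delivery channel to a downstream consumer, not a place where audit logs are kept.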

Labels: documentation, enhancement, good first issue, help wanted