How should a customer reliably deliver Stackdriver logs from GCP to their on-premises SIEM system?
A. Send all logs to the SIEM system via an existing protocol such as syslog.
B. Configure every project to export all their logs to a common BigQuery DataSet, which will be queried by the SIEM system.
C. Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, which will be sent to the SIEM via Dataflow.
D. Build a connector for the SIEM to query for all logs in real-time from the GCP RESTful JSON APIs.

Correct answer: C
When working with Google Cloud Platform (GCP), customers may need to export logs from various services to an on-premises Security Information and Event Management (SIEM) system. Several options can deliver Stackdriver logs from GCP to the on-premises SIEM, but each comes with its own advantages and disadvantages.
Option A: Send all logs to the SIEM system via an existing protocol such as syslog. This approach is relatively straightforward and can be implemented with standard open-source tools. However, it becomes harder to scale and manage as the volume of logs increases, and it is not the most efficient method.
Option B: Configure every project to export all their logs to a common BigQuery DataSet, which the SIEM system queries. This allows efficient log storage and querying, and the SIEM can retrieve data through the BigQuery APIs. However, the DataSet must be set up and maintained, and storage can become costly if logs are not cleaned up periodically.
Option C: Configure Organizational Log Sinks to export logs to a Cloud Pub/Sub Topic, from which a Dataflow pipeline sends them to the SIEM. This provides high scalability and reliability and allows real-time log processing. However, the Pub/Sub Topic and Dataflow pipeline must be set up and maintained, which adds complexity and may require additional resources.
Option D: Build a connector for the SIEM that queries all logs in real time from the GCP RESTful JSON APIs. This allows real-time log retrieval and processing and gives fine-grained control over log queries. However, it requires custom development work to build the connector, plus ongoing effort to maintain and update it.
In conclusion, each option has its own advantages and disadvantages, and the best approach depends on the customer's specific needs and requirements. Option C, however, may be the best approach for customers who require high scalability, reliability and real-time log processing.
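Whatever sits between the Pub/Sub Topic and the SIEM in Option C (a Dataflow pipeline or a plain subscriber) still has to turn each exported LogEntry into a record the SIEM ingests, for instance the syslog format that Option A relies on; the Python below is an added example, not code from Google or from any Dataflow template. It assumes the local0 syslog facility and uses the RFC 5612 documentation enterprise number 32473 for the structured-data element; the LogEntry is a constructed sample.

```python
import json
from typing import Any

# Cloud Logging severity name -> syslog severity value (RFC 5424 table 2).
SEVERITY_TO_SYSLOG = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7, "DEFAULT": 6,
}
LOCAL0 = 16  # syslog facility chosen for forwarded cloud logs (assumption)
SD_ID = "gcp@32473"  # SD-ID built on the documentation enterprise number from RFC 5612

# Constructed sample: one audit-log LogEntry as a log sink would publish it to Pub/Sub.
SAMPLE_DATA = json.dumps({
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "severity": "NOTICE",
    "timestamp": "2024-01-15T10:23:45.123456Z",
    "insertId": "abc123",
    "resource": {"type": "gce_instance",
                 "labels": {"project_id": "example-project", "instance_id": "123"}},
    "protoPayload": {"methodName": "v1.compute.instances.insert",
                     "authenticationInfo": {"principalEmail": "alice@example.com"}},
}).encode()

def _sd_escape(value: str) -> str:
    """Escape the three characters RFC 5424 forbids unescaped in an SD-PARAM value."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def parse_pubsub_data(data: bytes) -> dict[str, Any]:
    """A log sink publishes each LogEntry as a JSON document in the message data."""
    entry = json.loads(data)
    if "logName" not in entry or "timestamp" not in entry:
        raise ValueError("message data is not a LogEntry")
    return entry

def log_entry_to_syslog(entry: dict[str, Any]) -> str:
    """Render one LogEntry as a single RFC 5424 line; the payload stays JSON in MSG."""
    severity = SEVERITY_TO_SYSLOG.get(entry.get("severity", "DEFAULT"), 6)
    pri = LOCAL0 * 8 + severity
    resource = entry.get("resource", {})
    labels = resource.get("labels", {})
    host = labels.get("project_id", "-")
    app = entry["logName"].rsplit("/", 1)[-1]  # log id, e.g. cloudaudit.googleapis.com%2Factivity
    params = [f'resource="{_sd_escape(resource.get("type", ""))}"']
    params += [f'{k}="{_sd_escape(str(v))}"' for k, v in sorted(labels.items())]
    sd = f"[{SD_ID} " + " ".join(params) + "]"
    payload = entry.get("jsonPayload") or entry.get("protoPayload") or entry.get("textPayload") or {}
    msg = payload if isinstance(payload, str) else json.dumps(payload, separators=(",", ":"), sort_keys=True)
    return f"<{pri}>1 {entry['timestamp']} {host} {app} - {entry.get('insertId', '-')} {sd} {msg}"
```

Messages that are not LogEntry documents are rejected rather than forwarded, and label values are escaped so a `]` or `"` inside a resource label cannot break the line for the SIEM's syslog parser.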