Home > Back-end >  GCP Audit Logs regex for path matching
GCP Audit Logs regex for path matching

Time:11-11

I am attempting to create a Pub/Sub log sink on GCP. Ideally, my Audit Log filter would pick up any CSV files in a specific GCS path, which is given in the logs as protoPayload.resourceName when an object is uploaded, the path looking like projects/_/buckets/<bucket_name>/objects/<path>/<to>/test.csv*. The file I'm dropping in the path is called test.csv, and the following regex audit log query (i.e. the exact file name) works at picking the upload event up:

protoPayload.resourceName =~ "projects/_/buckets/<bucket_name>/objects/<path>/<to>/test.csv"

however, the following actual regex wildcarding is not picking it up. Any help is appreciated.

protoPayload.resourceName =~ "projects/_/buckets/<bucket_name>/objects/<path>/<to>/*.csv"

*<bucket_name> and /<path>/<to>/ are correctly passed with their real values in query

CodePudding user response:

Try ading . before the wildcard (.*)

jsonPayload.resourceName =~ "projects/_/buckets/test_bucket/objects/paht/to/.*.csv"

Tried to recreate on my end and it works well.

Sample query i used:

jsonPayload.resourceName =~ "projects/_/buckets/test_bucket/objects/paht/to/.*.csv"
jsonPayload.resourceName =~ "projects/_/buckets/test_bucket/objects/paht/to/sample1.*.csv"
jsonPayload.resourceName =~ "projects/_/buckets/test_bucket/objects/paht/to/test.*.csv"

Regex 1 Regex 2 Regex 3

Let me know if this helped you.

  • Related