---
title: GCP backend services for HTTP(S) Load Balancers should have logging enabled
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > GCP backend services for HTTP(S) Load
  Balancers should have logging enabled
---

# GCP backend services for HTTP(S) Load Balancers should have logging enabled
 
## Description{% #description %}

This rule fails when a GCP HTTP(S) Load Balancer backend service does not have request logging enabled, or when logging is enabled with `sample_rate` set to `0` (which captures zero requests and produces no logs). CIS recommends enabling logging on every HTTP(S) load balancer so that traffic patterns, errors, and security events can be observed and forensic data is available during incident response. Backend services that serve TCP, UDP, or SSL passthrough traffic are skipped; only those whose `protocol` is `HTTP`, `HTTPS`, or `HTTP2` are evaluated.

## Remediation{% #remediation %}

Enable logging on each flagged backend service. From the [GCP Load balancing console](https://console.cloud.google.com/net-services/loadbalancing), open the load balancer, choose **Edit → Backend configuration**, click the affected backend, expand **Logging**, and set **Enable logging** to **On**. The same change with `gcloud`:

```bash
gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --enable-logging \
    --logging-sample-rate=1.0 \
    --global
```

Use a `--logging-sample-rate` of `1.0` to capture every request; lower values reduce log volume and cost but also reduce visibility.

## References{% #references %}

- [CIS Google Cloud Platform Foundation Benchmark v4.0.0 — control 2.16](https://www.cisecurity.org/benchmark/google_cloud_computing_platform)
- [HTTP(S) Load Balancer logging](https://cloud.google.com/load-balancing/docs/https/https-logging-monitoring)