
GCP backend services for HTTP(S) Load Balancers should have logging enabled

Description

This rule fails when a backend service behind a GCP HTTP(S) Load Balancer does not have request logging enabled (logConfig.enable is false or unset), or when logging is enabled but the sample rate (logConfig.sampleRate) is set to 0, which captures no requests and therefore produces no logs. CIS recommends enabling logging on every HTTP(S) load balancer so that traffic patterns, errors, and security events can be observed and forensic data is available during incident response. Only backend services whose protocol is HTTP, HTTPS, or HTTP2 are evaluated; backend services that carry TCP, UDP, or SSL traffic are skipped.

Remediation

Enable logging on each flagged backend service. From the GCP Load balancing console, open the load balancer, choose Edit → Backend configuration, click the affected backend, expand Logging, and set Enable logging to On. The same change with gcloud (use --region=REGION instead of --global for a regional backend service):

gcloud compute backend-services update BACKEND_SERVICE_NAME \
    --enable-logging \
    --logging-sample-rate=1.0 \
    --global

Use a --logging-sample-rate of 1.0 to capture every request; lower values (between 0.0 and 1.0) reduce log volume and cost but also reduce visibility, and 0.0 disables logging in practice even though the Enable logging switch is on. After the update, confirm the change with `gcloud compute backend-services describe BACKEND_SERVICE_NAME --global` and check that logConfig.enable is true and logConfig.sampleRate is non-zero.
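The following script applies the rule's logic from the Description above to the JSON that `gcloud compute backend-services list --format=json` prints, and emits the matching remediation command from the section above for each failing service (choosing --global or --region from the resource's region field). It is an added example, not part of the Datadog rule or of Google's tooling; the field names logConfig.enable, logConfig.sampleRate, protocol and region follow the Compute Engine API, while the service names, region and project in the embedded sample are constructed for the example.

```python
"""Audit GCP backend services for missing HTTP(S) load balancer request logging.

Added example (not Datadog's or Google's code). Flags a backend service whose
protocol is HTTP, HTTPS or HTTP2 when logConfig.enable is false/absent, or when
logConfig.sampleRate is 0. Run with no arguments to evaluate the constructed
sample below, or run `... list --format=json | python audit.py -` on real data.
"""
import json
import sys

EVALUATED_PROTOCOLS = {"HTTP", "HTTPS", "HTTP2"}

# Constructed sample in the shape of `gcloud compute backend-services list
# --format=json`; names, project and region are made up for this example.
SAMPLE_SERVICES = json.dumps([
    {"name": "web-frontend", "protocol": "HTTPS",
     "logConfig": {"enable": True, "sampleRate": 1.0}},       # compliant
    {"name": "api-gateway", "protocol": "HTTP",
     "logConfig": {"enable": False}},                         # logging off
    {"name": "grpc-backend", "protocol": "HTTP2",
     "logConfig": {"enable": True, "sampleRate": 0.0}},       # on, but samples nothing
    {"name": "legacy-app", "protocol": "HTTP"},               # no logConfig at all
    {"name": "regional-web", "protocol": "HTTP",
     "region": "https://www.googleapis.com/compute/v1/projects/example-proj/regions/us-central1",
     "logConfig": {"enable": True, "sampleRate": 0.0}},       # regional resource
    {"name": "db-proxy", "protocol": "TCP",
     "logConfig": {"enable": False}},                         # out of scope
])


def evaluate(service):
    """Return a failure reason for one backend service, or None if it passes."""
    if service.get("protocol") not in EVALUATED_PROTOCOLS:
        return None  # TCP/UDP/SSL backend services are not evaluated by the rule
    log_config = service.get("logConfig") or {}
    if not log_config.get("enable", False):
        return "logging disabled"
    # The API treats an unset sampleRate as 1.0 when logging is enabled.
    if float(log_config.get("sampleRate", 1.0)) == 0.0:
        return "sample_rate is 0 (no requests are logged)"
    return None


def scope_flag(service):
    """Regional backend services carry a region URL; global ones have none."""
    region = service.get("region")
    return f"--region={region.rsplit('/', 1)[-1]}" if region else "--global"


def remediation_command(service):
    """Build the gcloud command that enables full-rate logging for the service."""
    return (f"gcloud compute backend-services update {service['name']} "
            f"--enable-logging --logging-sample-rate=1.0 {scope_flag(service)}")


def audit(services_json):
    """Evaluate every service; return a list of (name, reason, fix_command)."""
    findings = []
    for svc in json.loads(services_json):
        reason = evaluate(svc)
        if reason:
            findings.append((svc["name"], reason, remediation_command(svc)))
    return findings


if __name__ == "__main__":
    read_stdin = len(sys.argv) > 1 and sys.argv[1] == "-"
    data = sys.stdin.read() if read_stdin else SAMPLE_SERVICES
    for name, reason, fix in audit(data):
        print(f"FAIL {name}: {reason}\n     {fix}")
```

On the constructed sample, four of the six services are reported: the three HTTP-family services with logging off, missing, or sampled at 0, plus the regional one, whose fix line uses --region=us-central1 rather than --global. The TCP service is ignored, matching the rule's scope. Treating a missing logConfig as a failure matters in practice, because a backend service created without ever touching the logging settings returns no logConfig block at all.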

References