Steps to Reproduce
includeChildren=true) filtered to the cloudaudit streams (logName: .../cloudaudit.googleapis.com%2Factivity OR ...), whose destination log bucket holds bucket-scoped CIS metrics with alert policies.
Run any logging_log_metric_filter_and_alert_for_* check (Prowler ≥ 5.30.0) against the organization.
Every child project is reported FAIL, despite being fully metric-monitored and alerted through the central bucket.
Expected behavior
Child projects are credited. The CIS logging-metric filters all match Admin Activity audit entries (protoPayload.methodName=... on audited resource types), so an aggregated sink carrying the Admin Activity stream delivers every log entry those metrics can match.
Actual behavior
get_projects_covered_by_aggregated_metric skips every sink whose filter != "all" (the guard added in the #11488 review revision 0bd290b, "tighten aggregated metric sink coverage"). The crediting introduced by #11488 therefore never applies to audit-filtered aggregated sinks — which are the cost-sane default for this topology, since an unfiltered org-wide sink would duplicate every project's operational log entries into the central bucket.
Proposed fix
Credit a sink when it exports everything (filter == "all") or when its filter carries the Admin Activity stream (cloudaudit.googleapis.com/activity, in either the URL-encoded %2F or plain logName form). A sink filtered to unrelated streams — or to other cloudaudit streams that are not Admin Activity (e.g. data_access only) — is still not credited, so the change widens sink eligibility without inventing coverage. Verified against a live organization with an audit-filtered aggregated sink: the eight CIS checks move from every child project failing to every child project passing, while a check with no matching central metric correctly stays failing.
PR with the fix + tests to follow.
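The sink-eligibility rule from the proposed fix, as an added sketch that is not Prowler's code or the code of the PR mentioned above: the function name, the organization ID 123 and the sample filters are constructed for illustration. It goes one step beyond the issue text by failing closed on negated or AND-narrowed filters, which a plain substring match on the stream name would wrongly credit.

```python
import re
from urllib.parse import unquote

ADMIN_ACTIVITY = "cloudaudit.googleapis.com/activity"
# One bare, un-negated logName term: logName:"..." or logName="..."
_LOGNAME_TERM = re.compile(r'logName\s*[:=]\s*"?([^"\s()]+)"?')


def sink_carries_admin_activity(sink_filter: str) -> bool:
    """Hypothetical helper: True if the sink exports the full Admin Activity stream."""
    # Decode %2F so both spellings compare equal; collapse newlines and runs of spaces.
    text = " ".join(unquote(sink_filter or "").split())
    # "all" is the value the issue names for an unfiltered sink; an empty
    # filter is treated the same way here (assumption).
    if text in ("", "all"):
        return True
    # Unwrap one pair of parentheses only when it encloses the whole filter.
    if text.startswith("(") and text.endswith(")") and not set("()") & set(text[1:-1]):
        text = text[1:-1].strip()
    # OR is a union, so one clause that is exactly an Admin Activity logName
    # term is enough. Clauses with NOT, a leading "-", AND, extra terms or
    # nested parentheses do not fullmatch and are never credited.
    for clause in text.split(" OR "):
        match = _LOGNAME_TERM.fullmatch(clause.strip())
        if match and match.group(1).endswith(ADMIN_ACTIVITY):
            return True
    return False


# Constructed sample filters (not taken from a real organization).
SAMPLES = {
    "unfiltered": "all",
    "audit_streams": 'logName:"organizations/123/logs/cloudaudit.googleapis.com%2Factivity" '
                     'OR logName:"organizations/123/logs/cloudaudit.googleapis.com%2Fdata_access"',
    "plain_form": 'logName:"cloudaudit.googleapis.com/activity"',
    "data_access_only": 'logName:"cloudaudit.googleapis.com%2Fdata_access"',
    "negated": 'NOT logName:"cloudaudit.googleapis.com%2Factivity"',
    "narrowed": 'logName:"cloudaudit.googleapis.com%2Factivity" AND resource.type="gcs_bucket"',
    "unrelated": "severity>=ERROR",
}

if __name__ == "__main__":
    for name, flt in SAMPLES.items():
        print(f"{name:17} credited={sink_carries_admin_activity(flt)}")
```

A filter the helper cannot prove to be a plain union containing the Admin Activity stream is left uncredited, so the affected projects keep failing instead of being reported as covered.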