Overview
This article provides guidance for passing GCP VPC Network and Route Logging tests in Secureframe. These tests verify that your Google Cloud Platform projects have the correct log metrics configured to monitor network changes.
GCP VPC Network and Route Logging tests require exact filter patterns to pass. Secureframe validates that log-based metrics exist with specific filters in your GCP projects.
Key Requirements
Log metrics must be created in ALL connected GCP projects, not just one
Filter patterns must match exactly as shown below
Do not add extra methodNames to the filters—this will cause tests to fail
VPC Network Route Logging (GCP)
This test verifies that log metrics exist to monitor changes to VPC routes.
Required Filter Pattern
resource.type="gce_route" AND ( protoPayload.methodName="beta.compute.routes.patch" OR protoPayload.methodName="beta.compute.routes.insert")
How to Create the Log Metric
Go to Logging → Log-based Metrics in the Google Cloud Console
Click Create Metric
Set the metric type to Counter
Enter the exact filter pattern shown above
Name the metric (e.g., vpc_route_changes)
Click Create Metric
Repeat for each connected GCP project
VPC Network Logging and Alerting (GCP)
This test verifies that log metrics exist to monitor changes to VPC networks, including network creation, modification, deletion, and peering changes.
Required Filter Pattern
resource.type=gce_network AND ( protoPayload.methodName="beta.compute.networks.insert" OR protoPayload.methodName="beta.compute.networks.patch" OR protoPayload.methodName="v1.compute.networks.delete" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.addPeering")
How to Create the Log Metric
Go to Logging → Log-based Metrics in the Google Cloud Console
Click Create Metric
Set the metric type to Counter
Enter the exact filter pattern shown above
Name the metric (e.g., vpc_network_changes)
Click Create Metric
Repeat for each connected GCP project
Common Issues
Test is still failing after creating the log metric
Verify the log metric exists in ALL connected GCP projects, not just one
Ensure the filter pattern matches exactly—even small differences (extra spaces, different quotes) can cause failures
Wait up to 24 hours for Secureframe to sync and detect the new metrics
Try triggering a manual sync from the Integrations page in Secureframe
Added extra methodNames and test is failing
Secureframe validates filters using exact matching
Adding additional method names (e.g., v1.compute.routes.delete) will cause the test to fail
Use only the method names shown in the required filter patterns above
Log metric exists but test shows "No log metrics found"
Ensure the Secureframe service account has the Logging Viewer role
Check that the metric is in the same project that is connected to Secureframe
Verify the metric is a counter type metric, not a distribution metric
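A pre-check for the issues above, as an added example that is not Secureframe's code: it compares each project's log-based metrics against the two required filters and reports why a project would fail. Assumptions: strict string equality stands in for Secureframe's exact matching, and the input is a per-project list of metric records (name, filter, and bucketOptions for distribution metrics) shaped like the output of gcloud logging metrics list --format=json; the project IDs and sample records are constructed.

```python
import re

# Required filters reproduced from this article, with a single space before AND.
REQUIRED = {
    "vpc_route": 'resource.type="gce_route" AND ( protoPayload.methodName="beta.compute.routes.patch" OR protoPayload.methodName="beta.compute.routes.insert")',
    "vpc_network": 'resource.type=gce_network AND ( protoPayload.methodName="beta.compute.networks.insert" OR protoPayload.methodName="beta.compute.networks.patch" OR protoPayload.methodName="v1.compute.networks.delete" OR protoPayload.methodName="v1.compute.networks.removePeering" OR protoPayload.methodName="v1.compute.networks.addPeering")',
}
METHOD = re.compile(r'methodName="([^"]+)"')

def check(required, metrics):
    """Return (passed, notes) for one required filter against one project's metrics."""
    want, notes = set(METHOD.findall(required)), []
    for m in metrics:
        flt = m.get("filter", "")
        got = set(METHOD.findall(flt))
        if flt == required:  # assumption: exact match means string equality
            if "bucketOptions" not in m:
                return True, []
            notes.append(f"{m['name']}: distribution metric, not a counter")
        elif not got & want:
            continue  # metric watches something else entirely
        elif got - want:
            notes.append(f"{m['name']}: extra methodNames {sorted(got - want)}")
        elif flt.split() == required.split():
            notes.append(f"{m['name']}: whitespace differs from required filter")
        else:
            notes.append(f"{m['name']}: filter differs from required pattern")
    return False, notes or ["no matching log metric found"]

def audit(projects):
    """Map (project, test) -> notes for every failing check across ALL projects."""
    failures = {}
    for project, metrics in projects.items():
        for test, required in REQUIRED.items():
            passed, notes = check(required, metrics)
            if not passed:
                failures[(project, test)] = notes
    return failures

# Constructed sample input: one clean project and two with the issues listed above.
ROUTE, NET = REQUIRED["vpc_route"], REQUIRED["vpc_network"]
SAMPLE = {
    "proj-a": [{"name": "vpc_route_changes", "filter": ROUTE}, {"name": "vpc_network_changes", "filter": NET}],
    "proj-b": [{"name": "vpc_route_changes", "filter": ROUTE[:-1] + ' OR protoPayload.methodName="v1.compute.routes.delete")'}],
    "proj-c": [{"name": "vpc_route_changes", "filter": ROUTE.replace(" AND ", "  AND ")}, {"name": "vpc_network_changes", "filter": NET, "bucketOptions": {}}],
}

if __name__ == "__main__":
    for key, notes in audit(SAMPLE).items():
        print(key, notes)
```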
Frequently Asked Questions (FAQ)
Do I need to create alerting policies as well?
The VPC Network Logging tests only check for the existence of log-based metrics with the correct filters. Alerting policies are not required for these specific tests, but are recommended as a security best practice.
Can I combine both filters into one metric?
No, you should create separate log-based metrics for VPC routes and VPC networks, as they monitor different resource types.
How often does Secureframe check for these metrics?
Secureframe syncs GCP resources periodically (typically every few hours). You can trigger a manual sync from the Integrations page to see updates faster.
