Cloud NAT-Logs erfassen
In diesem Dokument wird beschrieben, wie Sie Cloud NAT-Logs erfassen können, indem Sie die Aufnahme von Google Cloud-Telemetriedaten in Google Security Operations aktivieren. Außerdem wird beschrieben, wie Logfelder der Cloud NAT-Logs den Feldern des einheitlichen Datenmodells von Google Security Operations (UDM) zugeordnet werden.
Weitere Informationen finden Sie unter Datenaufnahme in Google Security Operations.
Eine typische Bereitstellung besteht aus Cloud NAT-Logs, die für die Aufnahme in Google Security Operations aktiviert sind. Jede Kundenbereitstellung kann von dieser Darstellung abweichen und komplexer sein.
Das Deployment enthält die folgenden Komponenten:
Google Cloud: Die Google Cloud-Dienste und -Produkte, für die Sie Logs erfassen.
Cloud NAT-Logs: Die Cloud NAT-Logs, die ist für die Aufnahme in Google Security Operations aktiviert.
Google Security Operations: Google Security Operations speichert und analysiert die Logs von Cloud NAT.
Ein Aufnahmelabel gibt den Parser an, der Logrohdaten normalisiert
in das strukturierte UDM-Format. Die Informationen in diesem Dokument gelten für den Parser
mit dem Aufnahmelabel GCP_CLOUD_NAT.
Hinweise
- Achten Sie darauf, dass alle Systeme in der Bereitstellungsarchitektur in der UTC-Zeitzone konfiguriert sind.
Google Cloud für die Aufnahme von Cloud NAT-Logs konfigurieren
Weitere Informationen zum Aufnehmen von Logs in Google Security Operations finden Sie unter Google Cloud-Logs in Google Security Operations aufnehmen.
Wenn bei der Aufnahme von Cloud NAT-Logs Probleme auftreten, wenden Sie sich an den Google Security Operations-Support.
Feldzuordnungsreferenz
In diesem Abschnitt wird erläutert, wie der Google Security Operations-Parser die Cloud NAT-Felder den Google Security Operations Unified Data Model-Feldern (UDM) zuordnet.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Cloud NAT. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
security_result.category_details |
|
insertId |
metadata.product_log_id |
|
|
network.direction |
The network.direction UDM field is set to OUTBOUND. |
|
network.ip_protocol |
If the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.connection.src_port |
principal.port |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.vpc.project_id |
intermediary.resource_ancestors.name |
If the jsonPayload.vpc.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.vpc.project_id} log field is mapped to the intermediary.resource_ancestors.name UDM field. |
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.vpc_name |
intermediary.resource_ancestors.name |
|
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.subnetwork_name |
intermediary.resource_ancestors.attribute.labels [vpc_subnetwork_name] |
|
jsonPayload.gateway_identifiers.gateway_name |
intermediary.resource.name |
|
|
intermediary.resource.resource_type |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE. |
resource.type |
intermediary.resource.resource_subtype |
|
jsonPayload.gateway_identifiers.region |
intermediary.location.name |
|
|
intermediary.resource.attribute.cloud.environment |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.region |
intermediary.resource.attribute.cloud.availability_zone |
|
jsonPayload.gateway_identifiers.router_name |
intermediary.resource.attribute.labels [gateway_identifiers_router_name] |
|
resource.labels.router_id |
intermediary.resource.attribute.labels [resource_labels_router_id] |
|
jsonPayload.endpoint.project_id |
principal.resource_ancestors.name |
If the jsonPayload.endpoint.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.endpoint.project_id} log field is mapped to the principal.resource_ancestors.name UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
principal.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.vm_name |
principal.hostname |
|
jsonPayload.endpoint.vm_name |
principal.asset.hostname |
|
jsonPayload.endpoint.vm_name |
principal.resource.name |
|
|
principal.resource.resource_type |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
principal.resource.attribute.cloud.environment |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.endpoint.region |
principal.location.name |
|
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.connection.dest_port |
target.port |
|
jsonPayload.destination.geo_location.city |
target.location.city |
|
jsonPayload.destination.geo_location.country |
target.location.country_or_region |
|
jsonPayload.destination.geo_location.region |
target.location.name |
|
jsonPayload.destination.geo_location.continent |
target.labels [destination_geo_location_continent] (deprecated) |
|
jsonPayload.destination.geo_location.continent |
additional.fields [destination_geo_location_continent] |
|
jsonPayload.destination.geo_location.asn |
network.asn |
|
jsonPayload.destination.instance.project_id |
target.resource_ancestors.name |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.destination.instance.project_id} log field is mapped to the target.resource_ancestors.name UDM field. |
|
target.resource_ancestors.resource_type |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
target.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.vm_name |
target.hostname |
|
jsonPayload.destination.instance.vm_name |
target.asset.hostname |
|
jsonPayload.destination.instance.vm_name |
target.resource.name |
|
|
target.resource.resource_type |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
target.resource.attribute.cloud.environment |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.zone |
target.resource.attribute.cloud.availability_zone |
|
jsonPayload.destination.instance.region |
target.location.name |
If the jsonPayload.destination.geo_location.region log field value is empty, then the jsonPayload.destination.instance.region log field is mapped to the target.location.name UDM field. |
|
security_result.action |
If the jsonPayload.allocation_status log field value is equal to OK, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.allocation_status log field value is equal to DROPPED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.allocation_status |
security_result.action_details |
|
labels |
about.resource.attribute.labels |
|
resource.labels.project_id |
about.resource.attribute.labels [resource_project_id] |
If the resource.labels.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{resource.labels.project_id} log field is mapped to the about.resource.attribute.labels.resource_project_id UDM field. |
resource.labels.gateway_name |
about.resource.attribute.labels [resource_gateway_name] |