Cloud NAT 로그 수집
이 문서에서는 Google Security Operations에 대해 Google Cloud 원격 분석 수집을 사용 설정하여 Cloud NAT 로그를 수집하는 방법과 Cloud NAT 로그의 로그 필드가 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑되는 방법을 설명합니다.
자세한 내용은 Google Security Operations에 데이터 수집을 참조하세요.
일반적인 배포는 Google Security Operations에 대한 수집에 사용 설정된 Cloud NAT 로그로 구성됩니다. 각 고객 배포는 이 표현과 다를 수 있고 더 복잡할 수 있습니다.
배포에는 다음 구성요소가 포함됩니다.
Google Cloud: 로그를 수집하는 Google Cloud 서비스 및 제품입니다.
Cloud NAT 로그: Google Security Operations에 수집을 위해 사용 설정된 Cloud NAT 로그입니다.
Google Security Operations: Google Security Operations에서는 Cloud NAT의 로그를 보관하고 분석합니다.
수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 GCP_CLOUD_NAT 수집 라벨이 있는 파서에 적용됩니다.
시작하기 전에
- 배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.
Cloud NAT 로그를 수집하도록 Google Cloud 구성
Google Security Operations에 로그를 수집하는 방법에 대한 자세한 내용은 Google Security Operations에 Google Cloud 로그 수집을 참조하세요.
Cloud NAT 로그를 수집할 때 문제가 발생하면 Google Security Operations 지원팀에 문의하세요.
필드 매핑 참조
이 섹션에서는 Google Security Operations 파서가 Cloud NAT 필드를 Google Security Operations 통합 데이터 모델(UDM) 필드에 매핑하는 방법을 설명합니다.
| Log field | UDM mapping | Logic |
|---|---|---|
|
metadata.event_type |
The metadata.event_type UDM field is set to NETWORK_CONNECTION. |
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP Cloud NAT. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
logName |
security_result.category_details |
|
insertId |
metadata.product_log_id |
|
|
network.direction |
The network.direction UDM field is set to OUTBOUND. |
|
network.ip_protocol |
If the jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ICMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IGMP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to TCP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to UDP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to IP6IN4.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to GRE.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ESP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to EIGRP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to ETHERIP.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to PIM.
jsonPayload.connection.protocol log field value contains one of the following values, then the network.ip_protocol UDM field is set to VRRP.
|
jsonPayload.connection.src_ip |
principal.ip |
|
jsonPayload.connection.src_port |
principal.port |
|
jsonPayload.connection.nat_ip |
principal.nat_ip |
|
jsonPayload.connection.nat_port |
principal.nat_port |
|
jsonPayload.vpc.project_id |
intermediary.resource_ancestors.name |
If the jsonPayload.vpc.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.vpc.project_id} log field is mapped to the intermediary.resource_ancestors.name UDM field. |
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.project_id log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.vpc_name |
intermediary.resource_ancestors.name |
|
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
|
intermediary.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.vpc.vpc_name log field value is not empty or the jsonPayload.vpc.subnetwork_name log field value is not empty, then the intermediary.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.vpc.subnetwork_name |
intermediary.resource_ancestors.attribute.labels [vpc_subnetwork_name] |
|
jsonPayload.gateway_identifiers.gateway_name |
intermediary.resource.name |
|
|
intermediary.resource.resource_type |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE. |
resource.type |
intermediary.resource.resource_subtype |
|
jsonPayload.gateway_identifiers.region |
intermediary.location.name |
|
|
intermediary.resource.attribute.cloud.environment |
If the jsonPayload.gateway_identifiers.gateway_name log field value is not empty or the resource.type log field value is not empty or the resource.labels.region log field value is not empty or the jsonPayload.gateway_identifiers.router_name log field value is not empty or the resource.labels.router_id log field value is not empty, then the intermediary.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.region |
intermediary.resource.attribute.cloud.availability_zone |
|
jsonPayload.gateway_identifiers.router_name |
intermediary.resource.attribute.labels [gateway_identifiers_router_name] |
|
resource.labels.router_id |
intermediary.resource.attribute.labels [resource_labels_router_id] |
|
jsonPayload.endpoint.project_id |
principal.resource_ancestors.name |
If the jsonPayload.endpoint.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.endpoint.project_id} log field is mapped to the principal.resource_ancestors.name UDM field. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
principal.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.endpoint.project_id log field value is not empty, then the principal.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.vm_name |
principal.hostname |
|
jsonPayload.endpoint.vm_name |
principal.asset.hostname |
|
jsonPayload.endpoint.vm_name |
principal.resource.name |
|
|
principal.resource.resource_type |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
principal.resource.attribute.cloud.environment |
If the jsonPayload.endpoint.vm_name log field value is not empty or the jsonPayload.endpoint.zone log field value is not empty, then the principal.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.endpoint.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.endpoint.region |
principal.location.name |
|
jsonPayload.connection.dest_ip |
target.ip |
|
jsonPayload.connection.dest_port |
target.port |
|
jsonPayload.destination.geo_location.city |
target.location.city |
|
jsonPayload.destination.geo_location.country |
target.location.country_or_region |
|
jsonPayload.destination.geo_location.region |
target.location.name |
|
jsonPayload.destination.geo_location.continent |
target.labels [destination_geo_location_continent] (deprecated) |
|
jsonPayload.destination.geo_location.continent |
additional.fields [destination_geo_location_continent] |
|
jsonPayload.destination.geo_location.asn |
network.asn |
|
jsonPayload.destination.instance.project_id |
target.resource_ancestors.name |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{jsonPayload.destination.instance.project_id} log field is mapped to the target.resource_ancestors.name UDM field. |
|
target.resource_ancestors.resource_type |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
|
target.resource_ancestors.attribute.cloud.environment |
If the jsonPayload.destination.instance.project_id log field value is not empty, then the target.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.vm_name |
target.hostname |
|
jsonPayload.destination.instance.vm_name |
target.asset.hostname |
|
jsonPayload.destination.instance.vm_name |
target.resource.name |
|
|
target.resource.resource_type |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
target.resource.attribute.cloud.environment |
If the jsonPayload.destination.instance.vm_name log field value is not empty, then the target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.destination.instance.zone |
target.resource.attribute.cloud.availability_zone |
|
jsonPayload.destination.instance.region |
target.location.name |
If the jsonPayload.destination.geo_location.region log field value is empty, then the jsonPayload.destination.instance.region log field is mapped to the target.location.name UDM field. |
|
security_result.action |
If the jsonPayload.allocation_status log field value is equal to OK, then the security_result.action UDM field is set to ALLOW.Else, if the jsonPayload.allocation_status log field value is equal to DROPPED, then the security_result.action UDM field is set to BLOCK. |
jsonPayload.allocation_status |
security_result.action_details |
|
labels |
about.resource.attribute.labels |
|
resource.labels.project_id |
about.resource.attribute.labels [resource_project_id] |
If the resource.labels.project_id log field value is not empty, then the //cloudresourcemanager.googleapis.com/projects/%{resource.labels.project_id} log field is mapped to the about.resource.attribute.labels.resource_project_id UDM field. |
resource.labels.gateway_name |
about.resource.attribute.labels [resource_gateway_name] |