Collect Google Cloud Load Balancing logs
This document describes how you can collect Google Cloud Load Balancing logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how log fields map to Google Security Operations Unified Data Model (UDM) fields. This document also lists the supported Google Cloud Load Balancing version.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Google Cloud Load Balancing logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The deployment contains the following components:
Google Cloud: The Google Cloud services and products from which you collect logs.
Google Cloud Load Balancing logs: The Google Cloud Load Balancing logs that are enabled for ingestion to Google Security Operations.
Google Security Operations: Google Security Operations retains and analyzes the logs from Google Cloud Load Balancing.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the GCP_LOADBALANCING ingestion label.
Before you begin
Ensure that you are using Google Cloud Load Balancing version 1.
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Configure Google Cloud to ingest Google Cloud Load Balancing logs
To ingest Google Cloud Load Balancing logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.
If you encounter issues when you ingest Google Cloud Load Balancing logs, contact Google Security Operations support.
Field mapping reference
This section explains how the Google Security Operations parser maps Google Cloud Load Balancing fields to Google Security Operations Unified Data Model (UDM) fields.
Field mapping reference: GCP_LOADBALANCING log fields to UDM fields
The following table lists the log fields of the GCP_LOADBALANCING log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
If the following values are not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.
Else, if the following values are not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED.
Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
logName |
metadata.product_event_type |
|
insertId |
metadata.product_log_id |
|
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
httpRequest.protocol |
network.application_protocol |
If the httpRequest.requestUrl log field value matches the regular expression https or the httpRequest.protocol log field value matches the regular expression HTTPS, then the network.application_protocol UDM field is set to HTTPS.Else, if the httpRequest.requestUrl log field value matches the regular expression http or the httpRequest.protocol log field value matches the regular expression HTTP, then the network.application_protocol UDM field is set to HTTP. |
jsonPayload.clientLocation.asn |
network.asn |
|
httpRequest.requestMethod |
network.http.method |
|
httpRequest.referer |
network.http.referral_url |
|
httpRequest.status |
network.http.response_code |
|
httpRequest.userAgent |
network.http.user_agent |
|
jsonPayload.connection.protocol |
network.ip_protocol |
If the jsonPayload.connection.protocol log field value is equal to 0, then the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL.Else, if the jsonPayload.connection.protocol log field value is equal to 1, then the network.ip_protocol UDM field is set to ICMP.Else, if the jsonPayload.connection.protocol log field value is equal to 2, then the network.ip_protocol UDM field is set to IGMP.Else, if the jsonPayload.connection.protocol log field value is equal to 6, then the network.ip_protocol UDM field is set to TCP.Else, if the jsonPayload.connection.protocol log field value is equal to 17, then the network.ip_protocol UDM field is set to UDP.Else, if the jsonPayload.connection.protocol log field value is equal to 41, then the network.ip_protocol UDM field is set to IP6IN4.Else, if the jsonPayload.connection.protocol log field value is equal to 47, then the network.ip_protocol UDM field is set to GRE.Else, if the jsonPayload.connection.protocol log field value is equal to 50, then the network.ip_protocol UDM field is set to ESP.Else, if the jsonPayload.connection.protocol log field value is equal to 58, then the network.ip_protocol UDM field is set to ICMP6.Else, if the jsonPayload.connection.protocol log field value is equal to 88, then the network.ip_protocol UDM field is set to EIGRP.Else, if the jsonPayload.connection.protocol log field value is equal to 97, then the network.ip_protocol UDM field is set to ETHERIP.Else, if the jsonPayload.connection.protocol log field value is equal to 103, then the network.ip_protocol UDM field is set to PIM.Else, if the jsonPayload.connection.protocol log field value is equal to 112, then the network.ip_protocol UDM field is set to VRRP.Else, if the jsonPayload.connection.protocol log field value is equal to 132, then the network.ip_protocol UDM field is set to SCTP. |
httpRequest.responseSize |
network.received_bytes |
|
jsonPayload.bytesReceived |
network.received_bytes |
|
jsonPayload.packetsReceived |
network.received_packets |
|
httpRequest.requestSize |
network.sent_bytes |
|
jsonPayload.packetsSent |
network.sent_packets |
|
jsonPayload.bytesSent |
network.sent_packets |
|
jsonPayload.rtt |
network.session_duration.seconds |
Grok: Extracted sec from the log field jsonPayload.rtt and mapped it to the network.session_duration.seconds UDM field. |
jsonPayload.rtt |
network.session_duration.nanos |
Grok: Extracted nano from the log field jsonPayload.rtt and mapped it to the network.session_duration.nanos UDM field. |
jsonPayload.tls.cipher |
network.tls.cipher |
|
jsonPayload.securityPolicyRequestData.tlsJa3Fingerprint |
network.tls.client.ja3 |
|
jsonPayload.tls.protocol |
network.tls.next_protocol |
|
httpRequest.remoteIp |
principal.ip |
If the httpRequest.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field httpRequest.remoteIp and mapped it to the principal.ip and principal.port UDM field respectively.
|
jsonPayload.remoteIp |
principal.ip |
If the jsonPayload.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field jsonPayload.remoteIp and mapped it to the principal.ip and principal.port UDM field respectively.
|
jsonPayload.connection.clientIp |
principal.ip |
|
clientInstance.vmIp |
principal.ip |
|
jsonPayload.clientLocation.city |
principal.location.city |
|
jsonPayload.clientLocation.regionCode |
principal.location.country_or_region |
|
jsonPayload.securityPolicyRequestData.remoteIpInfo.regionCode |
principal.location.name |
|
jsonPayload.clientLocation.subRegion |
principal.location.state |
|
jsonPayload.connection.clientPort |
principal.port |
|
jsonPayload.clientGkeDetails.cluster.clusterLocation |
principal.resource_ancestors.attribute.cloud.availability_zone |
|
jsonPayload.clientVpc.projectId |
principal.resource_ancestors.name |
|
jsonPayload.clientVpc.vpc |
principal.resource_ancestors.name |
|
jsonPayload.clientVpc.subnetwork |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.cluster.cluster |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.pod.pod |
principal.resource_ancestors.name |
|
jsonPayload.clientGkeDetails.service.service |
principal.resource_ancestors.name |
|
jsonPayload.clientInstance.projectId |
principal.resource_ancestors.product_object_id |
|
|
principal.resource_ancestors.resource_subtype |
If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_projectId.If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_vpc.If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_subnetwork.If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_cluster.If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_pod.If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_service. |
|
principal.resource_ancestors.resource_type |
If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLUSTER.If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. |
jsonPayload.clientInstance.zone |
principal.resource.attribute.cloud.availability_zone |
|
jsonPayload.clientInstance.vm |
principal.resource.name |
|
|
principal.resource.resource_subtype |
If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_subtype UDM field is set to client_instance_vm. |
|
principal.resource.resource_type |
If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
|
security_result.action |
If the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.If the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK.Else, if the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW. |
jsonPayload.enforcedSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.previewSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.enforcedEdgeSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.previewEdgeSecurityPolicy.configuredAction |
security_result.action_details |
|
jsonPayload.enforcedSecurityPolicy.outcome |
security_result.outcomes[jsonpayload_enforcedsecuritypolicy_outcome] |
|
jsonPayload.enforcedSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.previewSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.enforcedEdgeSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.previewEdgeSecurityPolicy.priority |
security_result.priority_details |
|
jsonPayload.enforcedSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.securityPolicyRequestData.recaptchaActionToken.score |
security_result.risk_score |
If the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field is mapped to the security_result.risk_score UDM field. |
jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score |
security_result.risk_score |
If the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field is mapped to the security_result.risk_score UDM field. |
jsonPayload.previewSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.enforcedEdgeSecurityPolicy.name |
security_result.rule_name |
|
jsonPayload.previewEdgeSecurityPolicy.name |
security_result.rule_name |
|
|
security_result.severity |
If the severity log field value matches the regular expression DEFAULT or DEBUG or INFO or NOTICE, then the security_result.severity UDM field is set to LOW.Else, if the severity log field value matches the regular expression WARNING or ERROR, then the security_result.severity UDM field is set to MEDIUM.Else, if the severity log field value matches the regular expression CRITICAL or ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH. |
severity |
security_result.severity_details |
|
jsonPayload.statusDetails |
security_result.summary |
|
jsonPayload.proxyStatus |
security_result.summary |
|
resource.labels.backend_service_name |
target.application |
|
resource.labels.backend_name |
target.group.group_display_name |
|
resource.labels.backend_group_name |
target.group.group_display_name |
|
httpRequest.serverIp |
target.ip |
|
jsonPayload.connection.serverIp |
target.ip |
|
serverInstance.vmIp |
target.ip |
|
jsonPayload.connection.serverPort |
target.port |
|
resource.labels.backend_scope |
target.resource_ancestors.attribute.cloud.availability_zone |
If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_scope log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.serverInstance.zone |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.zone log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
jsonPayload.serverGkeDetails.cluster.clusterLocation |
target.resource_ancestors.attribute.cloud.availability_zone |
If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the jsonPayload.serverGkeDetails.cluster.clusterLocation log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
resource.labels.backend_zone |
target.resource_ancestors.attribute.cloud.availability_zone |
If the resource.labels.backend_zone log field value is not empty, then the resource.labels.backend_zone log field is mapped to the target.resource_ancestors.attribute.cloud.availability_zone UDM field. |
resource.labels.backend_target_name |
target.resource_ancestors.name |
|
jsonPayload.serverInstance.vm |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.cluster.cluster |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.pod.pod |
target.resource_ancestors.name |
|
jsonPayload.serverGkeDetails.service.service |
target.resource_ancestors.name |
|
resource.labels.network_name |
target.resource_ancestors.name |
|
resource.labels.project_id |
target.resource_ancestors.product_object_id |
|
jsonPayload.serverInstance.projectId |
target.resource_ancestors.product_object_id |
If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.projectId log field is mapped to the target.resource_ancestors.product_object_id UDM field. |
resource.labels.project |
target.resource_ancestors.product_object_id |
|
resource.labels.backend_target_type |
target.resource_ancestors.resource_subtype |
If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_target_type log field is mapped to the target.resource_ancestors.resource_subtype UDM field.If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverInstance_vm.If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_cluster.If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_pod.If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_service.If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network_name. |
|
target.resource_ancestors.resource_type |
If the resource.labels.backend_target_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER.If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE.If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. |
resource.labels.region |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.endpoint_zone |
target.resource.attribute.cloud.availability_zone |
|
resource.labels.zone |
target.resource.attribute.cloud.availability_zone |
|
|
target.resource.attribute.cloud.environment |
The target.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
resource.labels.load_balancer_name |
target.resource.name |
|
resource.type |
target.resource.resource_subtype |
|
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to DEVICE. |
httpRequest.requestUrl |
target.url |
|
jsonPayload.backendTargetProjectNumber |
about.labels[backend_target_project_number] |
|
jsonPayload.cacheDecision |
about.labels[cache_decision] |
|
jsonPayload.cacheId |
about.labels[cache_id] |
|
jsonPayload.endTime |
about.labels[end_time] |
|
jsonPayload.@type |
about.labels[metadata_type] |
|
spanId |
about.labels[span_id] |
|
jsonPayload.startTime |
about.labels[start_time] |
|
traceSampled |
about.labels[trace_sampled] |
|
trace |
about.labels[trace] |
|
jsonPayload.clientLocation.continent |
principal.labels[client_loacation_continent] |
|
jsonPayload.networkTier.networkTier |
principal.labels[network_tier] |
|
jsonPayload.clientGkeDetails.pod.podNamespace |
principal.resource_ancestors.attribute.labels[pod_namespace] |
|
jsonPayload.clientGkeDetails.service.serviceNamespace |
principal.resource_ancestors.attribute.labels[service_namespace] |
|
jsonPayload.clientInstance.region |
principal.resource.attribute.labels[client_instance_region] |
|
resource.labels.forwarding_rule_name |
security_result.rule_labels[forwarding_rule_name] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldName |
security_result.rule_labels[matched_field_name] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldType |
security_result.rule_labels[matched_field_type] |
|
jsonPayload.enforcedSecurityPolicy.matchedFieldValue |
security_result.rule_labels[matched_field_value] |
|
jsonPayload.enforcedSecurityPolicy.matchedLength |
security_result.rule_labels[matched_length] |
|
jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds |
security_result.rule_labels[preconfigured_expr_ids] |
|
jsonPayload.enforcedSecurityPolicy.threatIntelligence.categories |
security_result.rule_labels[threat_intelligence_category] |
|
resource.labels.backend_group_scope |
target.group.attribute.labels[backend_group_scope] |
|
resource.labels.backend_group_type |
target.group.attribute.labels[backend_group_type] |
|
resource.labels.backend_type |
target.group.attribute.labels[backend_type] |
|
resource.labels.forwarding_rule_network_tier |
target.labels[forwarding_rule_network_tier] |
|
httpRequest.cacheFillBytes |
target.labels[http_request_cache_fill_bytes] |
|
httpRequest.cacheHit |
target.labels[http_request_cache_hit] |
|
httpRequest.cacheLookup |
target.labels[http_request_cache_lookup] |
|
httpRequest.cacheValidatedWithOriginServer |
target.labels[http_request_cache_validated_with_origin_server] |
|
httpRequest.latency |
target.labels[http_request_latency] |
|
resource.labels.primary_target_pool |
target.labels[primary_target_pool] |
|
resource.labels.target_pool |
target.labels[target_pool] |
|
resource.labels.target_proxy_name |
target.labels[target_proxy_name] |
|
resource.labels.url_map_name |
target.labels[url_map_name] |
|
resource.labels.backend_failover_configuration |
target.resource_ancestors.attribute.labels[backend_failover_configuration] |
|
resource.labels.backend_network_name |
target.resource_ancestors.attribute.labels[backend_network_name] |
|
resource.labels.backend_scope_type |
target.resource_ancestors.attribute.labels[backend_scope_type] |
|
resource.labels.backend_subnetwork_name |
target.resource_ancestors.attribute.labels[backend_subnetwork_name] |
|
jsonPayload.serverInstance.region |
target.resource_ancestors.attribute.labels[client_instance_region] |
|
jsonPayload.serverGkeDetails.pod.podNamespace |
target.resource_ancestors.attribute.labels[pod_namespace] |
|
jsonPayload.serverGkeDetails.service.serviceNamespace |
target.resource_ancestors.attribute.labels[service_namespace] |
|
resource.labels.matched_url_path_rule |
target.resource.attribute.labels[matched_url_path_rule] |
|
resource.labels.loadbalancing_scheme_name |
target.resource.attribute.labels[loadbalancing_scheme_name] |
|
jsonPayload.enforcedSecurityPolicy.rateLimitAction.key |
security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_key] |
|
jsonPayload.enforcedSecurityPolicy.rateLimitAction.outcome |
security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_outcome] |
|
jsonPayload.enforcedSecurityPolicy.adaptiveProtection.autoDeployAlertId |
security_result.rule_labels[adaptiveprotection_autodeployalertid] |
|
jsonPayload.previewSecurityPolicy.rateLimitAction.key |
security_result.rule_labels[previewsecuritypolicy_ratelimitaction_key] |
|
jsonPayload.previewSecurityPolicy.rateLimitAction.outcome |
security_result.rule_labels[previewsecuritypolicy_ratelimitaction_outcome] |
|
jsonPayload.previewSecurityPolicy.outcome |
security_result.outcomes[previewsecuritypolicy_outcome] |
|
jsonPayload.previewSecurityPolicy.preconfiguredExprIds |
security_result.rule_labels[previewsecuritypolicy_preconfigured_expr_ids] |
|
jsonPayload.enforcedEdgeSecurityPolicy.outcome |
security_result.outcomes[enforcededgesecuritypolicy_outcome] |
|
jsonPayload.previewEdgeSecurityPolicy.outcome |
security_result.outcomes[previewedgesecuritypolicy_outcome] |