Collect Google Cloud Load Balancing logs
This document describes how to collect Google Cloud Load Balancing logs by enabling Google Cloud telemetry ingestion in Google Security Operations. It also explains how log fields map to Google Security Operations Unified Data Model (UDM) fields, and lists the supported Google Cloud Load Balancing version.
For more information, see Data ingestion to Google Security Operations.
A typical deployment consists of Google Cloud Load Balancing logs enabled for ingestion into Google Security Operations. Each customer deployment may differ from this representation and may be more complex.
The deployment contains the following components:
Google Cloud: The Google Cloud services and products from which you collect logs.
Google Cloud Load Balancing logs: Google Cloud Load Balancing logs that are enabled for ingestion into Google Security Operations.
Google Security Operations: Google Security Operations retains and analyzes the logs from Google Cloud Load Balancing.
An ingestion label identifies the parser that normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_LOADBALANCING ingestion label.
You must use Google Cloud Load Balancing version 1.
All systems in the deployment architecture must be configured with the UTC time zone.
Ingest Google Cloud Load Balancing logs
To ingest Google Cloud Load Balancing logs into Google Security Operations, follow the instructions on the Ingest Google Cloud logs to Google Security Operations page.
If you encounter issues when ingesting Google Cloud Load Balancing logs, contact Google Security Operations support.
Field mapping reference
This section explains how the Google Security Operations parser maps Google Cloud Load Balancing fields to Google Security Operations Unified Data Model (UDM) fields.
Field mapping reference: GCP_LOADBALANCING log fields to UDM fields
The following table lists the log fields of the GCP_LOADBALANCING log type and their corresponding UDM fields.
Log field | UDM mapping | Logic
receiveTimestamp | metadata.collected_timestamp |
timestamp | metadata.event_timestamp |
| metadata.event_type | If the following values are not empty, then the metadata.event_type UDM field is set to NETWORK_CONNECTION. Else, if the following values are not empty, then the metadata.event_type UDM field is set to STATUS_UNCATEGORIZED. Else, the metadata.event_type UDM field is set to GENERIC_EVENT.
logName | metadata.product_event_type |
insertId | metadata.product_log_id |
| metadata.vendor_name | The metadata.vendor_name UDM field is set to Google Cloud Platform.
httpRequest.protocol | network.application_protocol | If the httpRequest.requestUrl log field value matches the regular expression https or the httpRequest.protocol log field value matches the regular expression HTTPS, then the network.application_protocol UDM field is set to HTTPS. Else, if the httpRequest.requestUrl log field value matches the regular expression http or the httpRequest.protocol log field value matches the regular expression HTTP, then the network.application_protocol UDM field is set to HTTP.
jsonPayload.clientLocation.asn | network.asn |
httpRequest.requestMethod | network.http.method |
httpRequest.referer | network.http.referral_url |
httpRequest.status | network.http.response_code |
httpRequest.userAgent | network.http.user_agent |
jsonPayload.connection.protocol | network.ip_protocol | The network.ip_protocol UDM field is set according to the jsonPayload.connection.protocol log field value: 0 = UNKNOWN_IP_PROTOCOL, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IP6IN4, 47 = GRE, 50 = ESP, 58 = ICMP6, 88 = EIGRP, 97 = ETHERIP, 103 = PIM, 112 = VRRP, 132 = SCTP.
httpRequest.responseSize | network.received_bytes |
jsonPayload.bytesReceived | network.received_bytes |
jsonPayload.packetsReceived | network.received_packets |
httpRequest.requestSize | network.sent_bytes |
jsonPayload.packetsSent | network.sent_packets |
jsonPayload.bytesSent | network.sent_packets |
jsonPayload.rtt | network.session_duration.seconds | Grok: Extracted sec from the log field jsonPayload.rtt and mapped it to the network.session_duration.seconds UDM field.
jsonPayload.rtt | network.session_duration.nanos | Grok: Extracted nano from the log field jsonPayload.rtt and mapped it to the network.session_duration.nanos UDM field.
jsonPayload.tls.cipher | network.tls.cipher |
jsonPayload.securityPolicyRequestData.tlsJa3Fingerprint | network.tls.client.ja3 |
jsonPayload.tls.protocol | network.tls.next_protocol |
httpRequest.remoteIp | principal.ip | If the httpRequest.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field httpRequest.remoteIp and mapped them to the principal.ip and principal.port UDM fields respectively.
jsonPayload.remoteIp | principal.ip | If the jsonPayload.remoteIp log field value is not empty, then Grok: Extracted ip and port from the log field jsonPayload.remoteIp and mapped them to the principal.ip and principal.port UDM fields respectively.
jsonPayload.connection.clientIp | principal.ip |
clientInstance.vmIp | principal.ip |
jsonPayload.clientLocation.regionCode | principal.location.country_or_region |
jsonPayload.securityPolicyRequestData.remoteIpInfo.regionCode | |
jsonPayload.clientLocation.subRegion | principal.location.state |
jsonPayload.connection.clientPort | principal.port |
jsonPayload.clientGkeDetails.cluster.clusterLocation | |
jsonPayload.clientVpc.projectId | |
jsonPayload.clientVpc.vpc | |
jsonPayload.clientVpc.subnetwork | |
jsonPayload.clientGkeDetails.cluster.cluster | |
jsonPayload.clientGkeDetails.pod.pod | |
jsonPayload.clientGkeDetails.service.service | |
jsonPayload.clientInstance.projectId | principal.resource_ancestors.product_object_id |
| principal.resource_ancestors.resource_subtype | If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_projectId. If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_vpc. If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientVpc_subnetwork. If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_cluster. If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_pod. If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_subtype UDM field is set to clientGkeDetails_service.
| principal.resource_ancestors.resource_type | If the jsonPayload.clientVpc.projectId log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VPC_NETWORK. If the jsonPayload.clientVpc.vpc log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.clientVpc.subnetwork log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.clientGkeDetails.cluster.cluster log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLUSTER. If the jsonPayload.clientGkeDetails.pod.pod log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.clientGkeDetails.service.service log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE.
jsonPayload.clientInstance.vm | |
| principal.resource.resource_subtype | If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_subtype UDM field is set to client_instance_vm.
| principal.resource.resource_type | If the jsonPayload.clientInstance.vm log field value is not empty, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE.
| security_result.action | If the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK. Else, if the jsonPayload.enforcedSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW. If the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK. Else, if the jsonPayload.previewSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW. If the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK. Else, if the jsonPayload.enforcedEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW. If the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to DENY, then the security_result.action UDM field is set to BLOCK. Else, if the jsonPayload.previewEdgeSecurityPolicy.configuredAction log field value is equal to ALLOW, then the security_result.action UDM field is set to ALLOW.
jsonPayload.enforcedSecurityPolicy.configuredAction | security_result.action_details |
jsonPayload.previewSecurityPolicy.configuredAction | security_result.action_details |
jsonPayload.enforcedEdgeSecurityPolicy.configuredAction | security_result.action_details |
jsonPayload.previewEdgeSecurityPolicy.configuredAction | security_result.action_details |
jsonPayload.enforcedSecurityPolicy.outcome | security_result.outcomes[jsonpayload_enforcedsecuritypolicy_outcome] |
jsonPayload.enforcedSecurityPolicy.priority | security_result.priority_details |
jsonPayload.previewSecurityPolicy.priority | security_result.priority_details |
jsonPayload.enforcedEdgeSecurityPolicy.priority | security_result.priority_details |
jsonPayload.previewEdgeSecurityPolicy.priority | security_result.priority_details |
| security_result.rule_name |
jsonPayload.securityPolicyRequestData.recaptchaActionToken.score | security_result.risk_score | If the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaActionToken.score log field is mapped to the security_result.risk_score UDM field.
jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score | security_result.risk_score | If the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field value is not empty, then the jsonPayload.securityPolicyRequestData.recaptchaSessionToken.score log field is mapped to the security_result.risk_score UDM field.
| security_result.rule_name |
| security_result.rule_name |
| security_result.rule_name |
| security_result.severity | If the severity log field value matches the regular expression DEFAULT or DEBUG or INFO or NOTICE, then the security_result.severity UDM field is set to LOW. Else, if the severity log field value matches the regular expression WARNING or ERROR, then the security_result.severity UDM field is set to MEDIUM. Else, if the severity log field value matches the regular expression CRITICAL or ALERT or EMERGENCY, then the security_result.severity UDM field is set to HIGH.
severity | security_result.severity_details |
jsonPayload.statusDetails | security_result.summary |
jsonPayload.proxyStatus | security_result.summary |
resource.labels.backend_service_name | target.application |
resource.labels.backend_name | |
resource.labels.backend_group_name | |
httpRequest.serverIp | target.ip |
jsonPayload.connection.serverIp | target.ip |
serverInstance.vmIp | target.ip |
jsonPayload.connection.serverPort | target.port |
resource.labels.backend_scope | | If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_scope log field is mapped to the UDM field.
| | If the jsonPayload.serverInstance.vm log field value is not empty, then the log field is mapped to the UDM field.
jsonPayload.serverGkeDetails.cluster.clusterLocation | | If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the jsonPayload.serverGkeDetails.cluster.clusterLocation log field is mapped to the UDM field.
resource.labels.backend_zone | | If the resource.labels.backend_zone log field value is not empty, then the resource.labels.backend_zone log field is mapped to the UDM field.
resource.labels.backend_target_name | |
jsonPayload.serverInstance.vm | |
jsonPayload.serverGkeDetails.cluster.cluster | |
jsonPayload.serverGkeDetails.pod.pod | |
jsonPayload.serverGkeDetails.service.service | |
resource.labels.network_name | |
resource.labels.project_id | target.resource_ancestors.product_object_id |
jsonPayload.serverInstance.projectId | target.resource_ancestors.product_object_id | If the jsonPayload.serverInstance.vm log field value is not empty, then the jsonPayload.serverInstance.projectId log field is mapped to the target.resource_ancestors.product_object_id UDM field.
resource.labels.project | target.resource_ancestors.product_object_id |
resource.labels.backend_target_type | target.resource_ancestors.resource_subtype | If the resource.labels.backend_target_name log field value is not empty, then the resource.labels.backend_target_type log field is mapped to the target.resource_ancestors.resource_subtype UDM field. If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverInstance_vm. If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_cluster. If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_pod. If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to serverGkeDetails_service. If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_subtype UDM field is set to network_name.
| target.resource_ancestors.resource_type | If the resource.labels.backend_target_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. If the jsonPayload.serverInstance.vm log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.serverGkeDetails.cluster.cluster log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLUSTER. If the jsonPayload.serverGkeDetails.pod.pod log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE. If the jsonPayload.serverGkeDetails.service.service log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to BACKEND_SERVICE. If the resource.labels.network_name log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to VPC_NETWORK.
resource.labels.region | |
resource.labels.endpoint_zone | |
| | The UDM field is set to GOOGLE_CLOUD_PLATFORM.
resource.labels.load_balancer_name | |
resource.type | target.resource.resource_subtype |
| target.resource.resource_type | The target.resource.resource_type UDM field is set to DEVICE.
httpRequest.requestUrl | target.url |
jsonPayload.backendTargetProjectNumber | about.labels[backend_target_project_number] (deprecated) |
jsonPayload.backendTargetProjectNumber | additional.fields[backend_target_project_number] |
jsonPayload.cacheDecision | about.labels[cache_decision] |
jsonPayload.cacheId | about.labels[cache_id] (deprecated) |
jsonPayload.cacheId | additional.fields[cache_id] |
jsonPayload.endTime | about.labels[end_time] (deprecated) |
jsonPayload.endTime | additional.fields[end_time] |
jsonPayload.@type | about.labels[metadata_type] (deprecated) |
jsonPayload.@type | additional.fields[metadata_type] |
spanId | about.labels[span_id] (deprecated) |
spanId | additional.fields[span_id] |
jsonPayload.startTime | about.labels[start_time] (deprecated) |
jsonPayload.startTime | additional.fields[start_time] |
traceSampled | about.labels[trace_sampled] (deprecated) |
traceSampled | additional.fields[trace_sampled] |
trace | about.labels[trace] (deprecated) |
trace | additional.fields[trace] |
jsonPayload.clientLocation.continent | principal.labels[client_loacation_continent] (deprecated) |
jsonPayload.clientLocation.continent | additional.fields[client_loacation_continent] |
jsonPayload.networkTier.networkTier | principal.labels[network_tier] (deprecated) |
jsonPayload.networkTier.networkTier | additional.fields[network_tier] |
jsonPayload.clientGkeDetails.pod.podNamespace | principal.resource_ancestors.attribute.labels[pod_namespace] |
jsonPayload.clientGkeDetails.service.serviceNamespace | principal.resource_ancestors.attribute.labels[service_namespace] |
jsonPayload.clientInstance.region | principal.resource.attribute.labels[client_instance_region] |
resource.labels.forwarding_rule_name | security_result.rule_labels[forwarding_rule_name] |
jsonPayload.enforcedSecurityPolicy.matchedFieldName | security_result.rule_labels[matched_field_name] |
jsonPayload.enforcedSecurityPolicy.matchedFieldType | security_result.rule_labels[matched_field_type] |
jsonPayload.enforcedSecurityPolicy.matchedFieldValue | security_result.rule_labels[matched_field_value] |
jsonPayload.enforcedSecurityPolicy.matchedLength | security_result.rule_labels[matched_length] |
jsonPayload.enforcedSecurityPolicy.preconfiguredExprIds | security_result.rule_labels[preconfigured_expr_ids] |
jsonPayload.enforcedSecurityPolicy.threatIntelligence.categories | security_result.rule_labels[threat_intelligence_category] |
resource.labels.backend_group_scope | [backend_group_scope] |
resource.labels.backend_group_type | [backend_group_type] |
resource.labels.backend_type | [backend_type] |
resource.labels.forwarding_rule_network_tier | target.labels[forwarding_rule_network_tier] (deprecated) |
resource.labels.forwarding_rule_network_tier | additional.fields[forwarding_rule_network_tier] |
httpRequest.cacheFillBytes | target.labels[http_request_cache_fill_bytes] (deprecated) |
httpRequest.cacheFillBytes | additional.fields[http_request_cache_fill_bytes] |
httpRequest.cacheHit | target.labels[http_request_cache_hit] (deprecated) |
httpRequest.cacheHit | additional.fields[http_request_cache_hit] |
httpRequest.cacheLookup | target.labels[http_request_cache_lookup] (deprecated) |
httpRequest.cacheLookup | additional.fields[http_request_cache_lookup] |
httpRequest.cacheValidatedWithOriginServer | target.labels[http_request_cache_validated_with_origin_server] (deprecated) |
httpRequest.cacheValidatedWithOriginServer | additional.fields[http_request_cache_validated_with_origin_server] |
httpRequest.latency | target.labels[http_request_latency] (deprecated) |
httpRequest.latency | additional.fields[http_request_latency] |
resource.labels.primary_target_pool | target.labels[primary_target_pool] (deprecated) |
resource.labels.primary_target_pool | additional.fields[primary_target_pool] |
resource.labels.target_pool | target.labels[target_pool] (deprecated) |
resource.labels.target_pool | additional.fields[target_pool] |
resource.labels.target_proxy_name | target.labels[target_proxy_name] (deprecated) |
resource.labels.target_proxy_name | additional.fields[target_proxy_name] |
resource.labels.url_map_name | target.labels[url_map_name] (deprecated) |
resource.labels.url_map_name | additional.fields[url_map_name] |
resource.labels.backend_failover_configuration | target.resource_ancestors.attribute.labels[backend_failover_configuration] |
resource.labels.backend_network_name | target.resource_ancestors.attribute.labels[backend_network_name] |
resource.labels.backend_scope_type | target.resource_ancestors.attribute.labels[backend_scope_type] |
resource.labels.backend_subnetwork_name | target.resource_ancestors.attribute.labels[backend_subnetwork_name] |
jsonPayload.serverInstance.region | target.resource_ancestors.attribute.labels[client_instance_region] |
jsonPayload.serverGkeDetails.pod.podNamespace | target.resource_ancestors.attribute.labels[pod_namespace] |
jsonPayload.serverGkeDetails.service.serviceNamespace | target.resource_ancestors.attribute.labels[service_namespace] |
resource.labels.matched_url_path_rule | target.resource.attribute.labels[matched_url_path_rule] |
resource.labels.loadbalancing_scheme_name | target.resource.attribute.labels[loadbalancing_scheme_name] |
jsonPayload.enforcedSecurityPolicy.rateLimitAction.key | security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_key] |
jsonPayload.enforcedSecurityPolicy.rateLimitAction.outcome | security_result.rule_labels[enforcedsecuritypolicy_ratelimitaction_outcome] |
jsonPayload.enforcedSecurityPolicy.adaptiveProtection.autoDeployAlertId | security_result.rule_labels[adaptiveprotection_autodeployalertid] |
jsonPayload.previewSecurityPolicy.rateLimitAction.key | security_result.rule_labels[previewsecuritypolicy_ratelimitaction_key] |
jsonPayload.previewSecurityPolicy.rateLimitAction.outcome | security_result.rule_labels[previewsecuritypolicy_ratelimitaction_outcome] |
jsonPayload.previewSecurityPolicy.outcome | security_result.outcomes[previewsecuritypolicy_outcome] |
jsonPayload.previewSecurityPolicy.preconfiguredExprIds | security_result.rule_labels[previewsecuritypolicy_preconfigured_expr_ids] |
jsonPayload.enforcedEdgeSecurityPolicy.outcome | security_result.outcomes[enforcededgesecuritypolicy_outcome] |
jsonPayload.previewEdgeSecurityPolicy.outcome | security_result.outcomes[previewedgesecuritypolicy_outcome] |
What's next