Recopila registros de Google Kubernetes Engine
En este documento, se describe cómo puedes recopilar registros de Google Kubernetes Engine si configuras un feed de operaciones de seguridad de Google y cómo se asignan los campos de registro a los campos del Modelo de datos unificados de operaciones de seguridad de Google (UDM). En este documento, también se enumeran los tipos de registros y eventos admitidos para Google Kubernetes Engine.
Para obtener más información, consulta Transferencia de datos a las operaciones de seguridad de Google.
Una implementación típica consiste en Google Kubernetes Engine y el feed de operaciones de seguridad de Google configurado para enviar registros a este tipo de operaciones. Cada implementación del cliente puede ser diferente y más compleja.
La implementación contiene los siguientes componentes:
Google Kubernetes Engine La plataforma de Google Kubernetes Engine a partir de la cual recopilas registros.
Feed de Google Security Operations. El feed de las operaciones de seguridad de Google que recupera registros de Google Kubernetes Engine y escribe registros en las operaciones de seguridad de Google
Operaciones de seguridad de Google. Las operaciones de seguridad de Google retienen y analizan los registros de Google Kubernetes Engine.
Una etiqueta de transferencia identifica el analizador que normaliza los datos de registro sin procesar al formato estructurado de UDM. La información de este documento se aplica al analizador de Google Kubernetes Engine con la siguiente etiqueta de transferencia: KUBERNETES_NODE
Antes de comenzar
Asegúrate de tener una cuenta de administrador de Google.
Verifica si tienes los permisos necesarios para realizar las siguientes tareas:
- Crear o acceder a un proyecto de Google Cloud
- Habilita la API de Google Kubernetes Engine.
- Habilitar el clúster de Google Kubernetes Engine
Para transferir registros de Google Cloud a las operaciones de seguridad de Google, realiza las siguientes tareas:
- Crear un bucket de Cloud Storage
- Para agregar registros del bucket de Cloud Storage a las operaciones de seguridad de Google, crea un receptor.
Asegúrate de que todos los sistemas de la arquitectura de implementación estén configurados en la zona horaria UTC.
Verifica los tipos de registro que admite el analizador de operaciones de seguridad de Google. Para obtener información sobre los tipos de recursos admitidos de Google Kubernetes Engine, consulta Tipos de recursos compatibles de Google Kubernetes Engine.
Configurar un feed en las operaciones de seguridad de Google para transferir registros de Google Kubernetes Engine
- En el menú de operaciones de seguridad de Google, selecciona Configuración y, luego, haz clic en Feeds.
- Haz clic en Agregar nueva.
- En Tipo de origen, selecciona Google Cloud Storage.
- Si quieres crear un feed para los registros de auditoría de Google Kubernetes Engine, selecciona Registros de auditoría de Google Kubernetes Engine como el Tipo de registro.
- Haz clic en Siguiente.
- Según la configuración de Cloud Storage que creaste, especifica valores para los siguientes campos:
- URI del bucket de almacenamiento
- El URI es un
- Opción de eliminación de origen
- Haz clic en Next y, luego, en Submit.
- Después de completar los pasos para crear un feed destinado a los registros de auditoría de Google Kubernetes Engine, repite los pasos para crear un feed independiente destinado a cada uno de los siguientes tipos de registros:
- Registros del proxy de autenticación de Google Kubernetes Engine
- Registros de nodos de Google Kubernetes Engine
Para obtener más información sobre los feeds de Operaciones de seguridad de Google, consulta la documentación de los feeds de Operaciones de seguridad de Google. Para obtener información sobre los requisitos de cada tipo de feed, consulta Configuración de feeds por tipo.
Si tienes problemas para crear feeds, comunícate con el equipo de asistencia de operaciones de seguridad de Google.
Tipos de recursos admitidos de Google Kubernetes Engine
En la siguiente tabla, se enumeran los tipos de recursos que admite el analizador de Google Kubernetes Engine:
Tipo de recurso | Nombre visible |
---|---|
gke_cluster | Operaciones del clúster de GKE |
k8s_cluster | Clúster de Kubernetes |
gke_nodepool | Grupo de nodos de GKE |
K8s_container | Registros de contenedores de GKE |
k8s_node | Registros del grupo de nodos de GKE |
k8s_pod | Registros de los Pods de GKE |
k8s_service | Registros del servicio de GKE |
k8s_control_plane_component | Componente del plano de control de Kubernetes |
audited_resource | Recurso auditado de Kubernetes |
Referencia de asignación de campos
En las siguientes secciones, se explica cómo el analizador de operaciones de seguridad de Google asigna los campos de registro de Google Kubernetes Engine a los campos del Modelo de datos unificados de operaciones de seguridad de Google (UDM).
Referencia de asignación de campos: identificador de evento KUBERNETES_NODE para tipo de evento de UDM
En la siguiente tabla, se enumeran los identificadores de eventos KUBERNETES_NODE
y sus tipos de eventos UDM correspondientes. La asignación a un tipo de evento de UDM se basa en el campo de registro protopayload.methodname
, que se considera el identificador del evento.
Event identifier | Event type |
---|---|
io.k8s.migration.v1alpha1.storagestates.status.update |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.get |
USER_RESOURCE_ACCESS |
google.container.v1beta1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
io.k8s.core.v1.configmaps.patch |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.node.v1.runtimeclasses.watch |
SCAN_UNCATEGORIZED |
io.k8s.core.v1.endpoints.update |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.coordination.v1.leases.update |
USER_RESOURCE_UPDATE_CONTENT |
google.container.v1beta1.ClusterManager.UpdateCluster |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.configmaps.update |
USER_RESOURCE_UPDATE_CONTENT |
google.container.v1.ClusterManager.CreateNodePool |
USER_RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
google.container.v1.ClusterManager.DeleteCluster |
USER_RESOURCE_DELETION |
loginservice.login |
USER_LOGIN |
loginservice.govattackwarning |
USER_LOGIN |
loginservice.accountdisabled |
USER_LOGIN |
loginservice.accountdisabledspammingthroughrelay |
USER_LOGIN |
loginservice.suspiciouslogin |
USER_LOGIN |
loginservice.suspiciousloginlesssecureapp |
USER_LOGIN |
loginservice.suspiciousprogrammaticlogin |
USER_LOGIN |
AuthorizeUser |
USER_LOGIN |
loginservice.logout |
USER_LOGOUT |
adminservice.changepassword |
USER_CHANGE_PASSWORD |
adminservice.create |
USER_RESOURCE_CREATION |
adminservice.add |
USER_RESOURCE_CREATION |
accesscontextmanager.create |
USER_RESOURCE_CREATION |
adminservice.createaccess |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.enforce |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.systemdefinedruleupdated |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.changetwostepverificationfrequency |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.suspenduser |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.assignrole |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.unassignrole |
USER_RESOURCE_UPDATE_PERMISSIONS |
setiampolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
checkinvitationrequired |
USER_RESOURCE_UPDATE_PERMISSIONS |
setiampermissions |
USER_RESOURCE_UPDATE_PERMISSIONS |
setorgpolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.delete |
USER_RESOURCE_DELETION |
storage.objects.update |
USER_RESOURCE_UPDATE_CONTENT |
attachcloudlink |
USER_RESOURCE_UPDATE_CONTENT |
jobservice.cancel |
USER_UNCATEGORIZED |
updatebrand |
USER_RESOURCE_UPDATE_CONTENT |
updateclient |
USER_RESOURCE_UPDATE_CONTENT |
assignprojecttobillingaccount |
USER_RESOURCE_UPDATE_CONTENT |
jobservice.insert |
RESOURCE_WRITTEN |
jobservice.jobcompleted |
RESOURCE_WRITTEN |
If the protoPayload.methodName log field starts with clustermanager
followed by any number of characters and ends with setnodepoolmanagement , then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with clustermanager
followed by any number of characters and ends with updatecomponentconfig , then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with instance
followed by any number of characters and ends with set , then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with instance
followed by any number of characters and ends with reset , then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with instance
followed by any number of characters and ends with resize , then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with iam.admin
followed by any number of characters and ends with create , then the metadata.event_type UDM field is set to USER_UNCATEGORIZED . |
USER_UNCATEGORIZED |
If the protoPayload.methodName log field starts with iam.admin
followed by any number of characters and ends with delete , then the metadata.event_type UDM field is set to USER_UNCATEGORIZED . |
USER_UNCATEGORIZED |
If the protoPayload.methodName log field starts with adminservice ,
membershipsservice , accesscontextmanager , servicemanager ,
serviceusage , services , projects , or clustermanager
followed by any number of characters and ends with update , change , activate ,
deactivate , enable , disable , replace , or set ,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field contains delete or
remove , then the metadata.event_type UDM field is set to USER_RESOURCE_DELETION . |
USER_RESOURCE_DELETION |
If the protoPayload.methodName log field contains submit or
update or patch or ingest , then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN . |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field starts with imageannotator.batch ,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN . |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field ends with scheduledsnapshots ,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN . |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains compute.disks.insert ,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN . |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains compute.disks.add ,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN . |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains compute.disks.setlabels ,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN . |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains insert or create
or recreate or add , then the metadata.event_type UDM field is set to USER_RESOURCE_CREATION . |
USER_RESOURCE_CREATION |
If the protoPayload.methodName log field starts with compute
followed by any number of characters and ends with migrate , then the metadata.event_type UDM field is set to USER_RESOURCE_CREATION . |
USER_RESOURCE_CREATION |
If the protoPayload.methodName log field contains get or list
or watch , then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field starts with cloudsql
followed by any number of characters and ends with connect , then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field contains create or
Create , then the metadata.event_type UDM field is set to USER_RESOURCE_CREATION . |
USER_RESOURCE_CREATION |
If the protoPayload.methodName log field contains get or Get ,
then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field starts with or query , then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field contains list or List ,
then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field ends with watch ,
then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field ends with IngestMessage ,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field ends with UpdateAgent ,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field contains bigquery and ends with
|
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field ends with MetricService.CreateTimeSeries ,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field ends with update ,
then the metadata.event_type UDM field is set to STATUS_UPDATE . |
STATUS_UPDATE |
If the protoPayload.methodName log field ends with status.patch ,
then the metadata.event_type UDM field is set to NETWORK_CONNECTION . |
NETWORK_CONNECTION |
En la siguiente tabla, se enumeran los identificadores de eventos KUBERNETES_NODE
y sus tipos de eventos de UDM correspondientes para las asignaciones que no se basan en el campo de registro protopayload.methodname
.
Event Identifier | Event Type |
---|---|
If the daemon log field is equal to smtpd , then the metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED . |
EMAIL_UNCATEGORIZED |
If the path log field is not empty, then the metadata.event_type UDM field is set to NETWORK_HTTP . |
NETWORK_HTTP |
If the htttpRequest.serverIp or httpRequest.remoteIp log field is not empty, then the metadata.event_type UDM field is set to NETWORK_HTTP . |
NETWORK_HTTP |
If the htttpRequest.requestMethod log field is equal to POST , then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT . |
USER_RESOURCE_UPDATE_CONTENT |
If the htttpRequest.requestMethod log field is equal to GET , then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS . |
USER_RESOURCE_ACCESS |
If the htttpRequest.requestMethod log field is equal to DELETE , then the metadata.event_type UDM field is set to USER_RESOURCE_DELETION . |
USER_RESOURCE_DELETION |
Referencia de asignación de campos: Campos comunes de KUBERNETES_NODE
En la siguiente tabla, se enumeran los campos comunes del tipo de registro KUBERNETES_NODE
y sus campos de UDM correspondientes.
Log field | UDM mapping | Logic |
---|---|---|
insertId |
metadata.product_log_id |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to CLUSTER . |
|
resource.type |
target.resource.resource_subtype |
|
resource.labels.project_id |
target.resource_ancestors.product_object_id |
|
resource.labels.cluster_name |
target.resource.name |
If the resource.type log field value is equal to k8s_cluster ,
then the resource.labels.cluster_name log field is mapped to the target.resource.name
UDM field.Else, if the resource.type log field value is equal to gke_cluster and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to gke_cluster , then the resource.labels.cluster_name log field is mapped to the target.resource.name UDM field.Else, the resource.labels.cluster_name log field is mapped to the target.resource_ancestors.name UDM field. |
resource.labels.location |
target.resource.attributes.cloud.availability_zone |
|
resource.labels.nodepool_name |
target.resource.name |
If the resource.type log field value is equal to gke_nodepool and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to gke_nodepool ,
then the resource.labels.nodepool_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.nodepool_name log field is mapped to the target.resource_ancestors.name UDM field. |
resource.labels.component_location |
target.resource.attribute.labels [component_location] |
|
resource.labels.component_name |
target.resource_ancestors.labels [component_name] |
If the resource.type log field value is equal to k8s_control_plane_component and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_control_plane_component ,
then the resource.labels.component_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.component_name log field is mapped to the target.resource_ancestors.labels.value UDM field. |
resource.labels.pod_name |
target.resource_ancestors.name |
If the resource.type log field value is equal to k8s_pod and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_pod ,
then the resource.labels.pod_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.pod_name log field is mapped to the target.resource_ancestors.name UDM field. |
resource.labels.container_name |
target.resource.name |
If the resource.type log field value is equal to k8s_container and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_container ,
then the resource.labels.container_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.container_name log field is mapped to the target.resource_ancestors.labels.value UDM field. |
resource.labels.namespace_name |
target.namespace |
|
resource.labels.node_name |
target.resource.name |
If the resource.type log field value is equal to k8s_node and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_node ,
then the resource.labels.node_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.node_name log field is mapped to the target.resource_ancestors.name UDM field. |
protoPayload.resourceName |
target.resource.name |
If the resource.type log field value is equal to audited_resource , then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field. |
timestamp |
metadata.event_timestamp |
|
severity |
security_result.severity |
The security_result.severity UDM field is set to one of the following values:
|
logName |
metadata.url_back_to_product |
|
receiveTimestamp |
metadata.collected_timestamp |
|
httpRequest.latency |
about.labels [httprequest_latency] (deprecated) |
|
httpRequest.latency |
additional.fields [httprequest_latency] |
|
httpRequest.protocol |
network.application_protocol |
|
httpRequest.remoteIp |
principal.ip |
If the x_forwarded_for log field value is empty or the jsonPayload.httpRequest.x-forwarded-for log field array has one value, then the httpRequest.remoteIp log field is mapped to the principal.ip UDM field. |
httpRequest.remoteIp |
intermediary.ip |
If the x_forwarded_for log field value is not empty or the jsonPayload.httpRequest.x-forwarded-for log field array has more than one value, then the httpRequest.remoteIp log field is mapped to the intermediary.ip UDM field. |
httpRequest.remoteIp |
principal.port |
|
httpRequest.requestMethod |
network.http.method |
|
httpRequest.requestSize |
network.sent_bytes |
|
httpRequest.requestUrl |
target.url |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.serverIp |
target.ip |
|
httpRequest.serverIp |
target.port |
|
httpRequest.status |
network.http.response_code |
|
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.request.subjects.name |
target.user.attribute.labels [subject_name] |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels [subject_kind] |
|
textPayload |
principal.ip |
Used a Grok pattern to extract principal_ip from the textPayload log field and mapped to the principal.ip UDM field. |
textPayload |
target.ip |
Used a Grok pattern to extract target_ip from the textPayload log field and mapped to the target.ip UDM field. |
textPayload |
network.http.method |
If the network.http.method UDM field is not empty, then network_method is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_method is extracted from the textPayload log field using a Grok pattern and mapped to the network.http.method UDM field. |
textPayload |
target.url |
If the target.url UDM field is not empty, then target_url is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, target_url is extracted from the textPayload log field using a Grok pattern and mapped to the target.url UDM field. |
textPayload |
network.application_protocol |
If the network.application_protocol UDM field is not empty, then network_application_protocol is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_application_protocol is extracted from the textPayload log field using a Grok pattern and mapped to the network.application_protocol UDM field. |
textPayload |
network.application_protocol_version |
If the network.application_protocol_version UDM field is not empty, then network_application_protocol_version is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_application_protocol_version is extracted from the textPayload log field using a Grok pattern and mapped to the network.application_protocol_version UDM field. |
textPayload |
network.http.response_code |
If the network.http.response_code UDM field is not empty, then network_http_response_code is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_http_response_code is extracted from the textPayload log field using a Grok pattern and mapped to the network.http.response_code UDM field. |
textPayload |
target.hostname |
If the target.hostname UDM field is not empty, then target_hostname is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, target_hostname is extracted from the textPayload log field using a Grok pattern and mapped to the target.hostname UDM field. |
textPayload |
network.http.user_agent |
If the network.http.user_agent UDM field is not empty, then network_http_user_agent is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_http_user_agent is extracted from the textPayload log field using a Grok pattern and mapped to the network.http.user_agent UDM field. |
textPayload |
target.port |
If the target.port UDM field is not empty, then target_port is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, target_port is extracted from the textPayload log field using a Grok pattern and mapped to the target.port UDM field. |
textPayload |
network.session_id |
If the network.session_id UDM field is not empty, then network_session_id is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_session_id is extracted from the textPayload log field using a Grok pattern and mapped to the network.session_id UDM field. |
jsonPayload.metadata.errorCause |
security_result.detection_fields[metadata_error_cause] |
|
jsonPayload.metadata.errorMessage |
security_result.detection_fields[metadata_error_message] |
|
labels.authorization.k8s.io/decision |
security_result.action_details |
|
|
security_result.action |
If the labels.authorization.k8s.io/decision log field value is equal to allow , then the security_result.action UDM field is set to ALLOW .Else, if the labels.authorization.k8s.io/decision log field value is equal to forbid , then the security_result.action UDM field is set to BLOCK . |
Referencia de asignación de campos: campos de registro de KUBERNETES_NODE a campos de UDM
En la siguiente tabla, se enumeran los campos de registro del tipo de registro KUBERNETES_NODE
y sus campos de UDM correspondientes.
Resource types | Log field | UDM mapping | Logic |
---|---|---|---|
k8s_container |
labels.upstream_host |
about.ip |
|
k8s_pod |
labels.activity_type_name |
about.labels [activity_type_name] (deprecated) |
|
k8s_pod |
labels.activity_type_name |
additional.fields [activity_type_name] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.requestAttributes.time |
about.labels [caller_network_request_time] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.requestAttributes.time |
additional.fields [caller_network_request_time] |
|
duration |
about.labels [duration] (deprecated) |
||
duration |
additional.fields [duration] |
||
k8s_node |
jsonPayload.action |
about.labels [jsonpayload_action] (deprecated) |
|
k8s_node |
jsonPayload.action |
additional.fields [jsonpayload_action] |
|
k8s_cluster, k8s_pod, k8s_node |
jsonPayload.apiVersion |
about.labels [jsonpayload_api_version] (deprecated) |
|
k8s_cluster, k8s_pod, k8s_node |
jsonPayload.apiVersion |
additional.fields [jsonpayload_api_version] |
|
gke_nodepool, k8s_pod, k8s_cluster |
jsonPayload.@type |
about.labels [jsonpayload_at_type] (deprecated) |
|
gke_nodepool, k8s_pod, k8s_cluster |
jsonPayload.@type |
additional.fields [jsonpayload_at_type] |
|
k8s_container |
jsonPayload.chartVersion |
about.labels [jsonpayload_chart_version] (deprecated) |
|
k8s_container |
jsonPayload.chartVersion |
additional.fields [jsonpayload_chart_version] |
|
k8s_container |
jsonPayload.clusterDistribution |
about.labels [jsonpayload_cluster_distribution] (deprecated) |
|
k8s_container |
jsonPayload.clusterDistribution |
additional.fields [jsonpayload_cluster_distribution] |
|
k8s_container |
jsonPayload.componentName |
about.labels [jsonpayload_component_name] (deprecated) |
|
k8s_container |
jsonPayload.componentName |
additional.fields [jsonpayload_component_name] |
|
k8s_container |
jsonPayload.componentVersion |
about.labels [jsonpayload_component_version] (deprecated) |
|
k8s_container |
jsonPayload.componentVersion |
additional.fields [jsonpayload_component_version] |
|
k8s_container |
jsonPayload.coresPerReplica |
about.labels [jsonpayload_cores_per_replica] (deprecated) |
|
k8s_container |
jsonPayload.coresPerReplica |
additional.fields [jsonpayload_cores_per_replica] |
|
k8s_cluster |
jsonPayload.eventTime |
about.labels [jsonpayload_event_time] (deprecated) |
|
k8s_cluster |
jsonPayload.eventTime |
additional.fields [jsonpayload_event_time] |
|
k8s_container |
jsonPayload.includeUnschedulableNodes |
about.labels [jsonpayload_include_unschedulable_nodes] (deprecated) |
|
k8s_container |
jsonPayload.includeUnschedulableNodes |
additional.fields [jsonpayload_include_unschedulable_nodes] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.kind |
about.labels [jsonpayload_kind] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.kind |
additional.fields [jsonpayload_kind] |
|
k8s_container |
jsonPayload.log |
about.labels [jsonpayload_log] (deprecated) |
|
k8s_container |
jsonPayload.log |
additional.fields [jsonpayload_log] |
|
k8s_container |
jsonPayload.logtag |
about.labels [jsonpayload_logtag] (deprecated) |
|
k8s_container |
jsonPayload.logtag |
additional.fields [jsonpayload_logtag] |
|
k8s_container |
jsonPayload.preventSinglePointFailure |
about.labels [jsonpayload_prevent_single_point_failure] (deprecated) |
|
k8s_container |
jsonPayload.preventSinglePointFailure |
additional.fields [jsonpayload_prevent_single_point_failure] |
|
k8s_cluster |
jsonPayload.status.measureTime |
about.labels [jsonpayload_status_measure_time] (deprecated) |
|
k8s_cluster |
jsonPayload.status.measureTime |
additional.fields [jsonpayload_status_measure_time] |
|
k8s_node |
jsonPayload.SYSLOG_FACILITY |
about.labels [jsonpayload_syslog_facility] (deprecated) |
|
k8s_node |
jsonPayload.SYSLOG_FACILITY |
additional.fields [jsonpayload_syslog_facility] |
|
k8s_node |
jsonPayload.SYSLOG_IDENTIFIER |
about.labels [jsonpayload_syslog_identifier] (deprecated) |
|
k8s_node |
jsonPayload.SYSLOG_IDENTIFIER |
additional.fields [jsonpayload_syslog_identifier] |
|
k8s_node |
jsonPayload.SYSLOG_TIMESTAMP |
about.labels [jsonpayload_syslog_timestamp] (deprecated) |
|
k8s_node |
jsonPayload.SYSLOG_TIMESTAMP |
additional.fields [jsonpayload_syslog_timestamp] |
|
k8s_container |
jsonPayload.timestamp |
about.labels [jsonpayload_timestamp] (deprecated) |
|
k8s_container |
jsonPayload.timestamp |
additional.fields [jsonpayload_timestamp] |
|
k8s_pod, k8s_cluster, k8s_node, k8s_container |
jsonPayload.type |
about.labels [jsonpayload_type] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node, k8s_container |
jsonPayload.type |
additional.fields [jsonpayload_type] |
|
k8s_container |
jsonPayload.v |
about.labels [jsonpayload_v] (deprecated) |
|
k8s_container |
jsonPayload.v |
additional.fields [jsonpayload_v] |
|
k8s_container |
labels.protocol |
about.labels [labels_protocol] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.lastTimestamp |
about.labels [last_timestamp] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.lastTimestamp |
additional.fields [last_timestamp] |
|
k8s_container |
jsonPayload.localTimestamp |
about.labels [local_timestamp] (deprecated) |
|
k8s_container |
jsonPayload.localTimestamp |
additional.fields [local_timestamp] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.apiVersion |
about.labels [managed_fields_api_version] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.apiVersion |
about.labels [managed_fields_api_version] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.fieldsType |
about.labels [managed_fields_fields_type] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.manager |
about.labels [managed_fields_manager] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.operation |
about.labels [managed_fields_operation] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.operation |
about.labels [managed_fields_operation] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.time |
about.labels [managed_fields_time] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.time |
about.labels [managed_fields_time] (deprecated) |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.time |
additional.fields [managed_fields_time] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.fieldsType |
about.labels [managed_fields_type] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.name |
about.labels [metadata_name] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.name |
additional.fields [metadata_name] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.namespace |
about.labels [metadata_namespace] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.namespace |
additional.fields [metadata_namespace] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.resourceVersion |
about.labels [metadata_resourceversion] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.resourceVersion |
additional.fields [metadata_resourceversion] |
|
k8s_container |
jsonPayload.nodesPerReplica |
about.labels [nodes_per_replica] (deprecated) |
|
k8s_container |
jsonPayload.nodesPerReplica |
additional.fields [nodes_per_replica] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.first |
about.labels [operation_first] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.first |
additional.fields [operation_first] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.id |
about.labels [operation_id] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.id |
additional.fields [operation_id] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.last |
about.labels [operation_last] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.last |
additional.fields [operation_last] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.producer |
about.labels [operation_producer] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.producer |
additional.fields [operation_producer] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.@type |
about.labels [protopayload_at_type] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.@type |
additional.fields [protopayload_at_type] |
|
k8s_cluster |
protoPayload.request.spec.acquireTime |
about.labels [protopayload_req_spec_acquire_time] (deprecated) |
|
k8s_cluster |
protoPayload.request.spec.acquireTime |
additional.fields [protopayload_req_spec_acquire_time] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.request.@type |
about.labels [protopayload_request_at_type] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.request.@type |
additional.fields [protopayload_request_at_type] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.fieldsType |
about.labels [protopayload_res_meta_field_type] (deprecated) |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.fieldsType |
additional.fields [protopayload_res_meta_field_type] |
|
k8s_cluster |
protoPayload.request.metadata.annotations.control-plane.alpha.kubernetes.io/leader |
about.labels [req_annotations_control_panel_kubernetes_leader] (deprecated) |
|
k8s_cluster |
protoPayload.request.metadata.annotations.control-plane.alpha.kubernetes.io/leader |
additional.fields [req_annotations_control_panel_kubernetes_leader] |
|
gke_cluster |
protoPayload.response.startTime |
about.labels [res_start_time] (deprecated) |
|
gke_cluster |
protoPayload.response.startTime |
additional.fields [res_start_time] |
|
k8s_pod, k8s_cluster |
protoPayload.response.metadata.annotations.control-plane.alpha.kubernetes.io/leader |
about.labels [resp_metadata_annotations_control-plane.alpha.kubernetes.io/leader] (deprecated) |
|
k8s_pod, k8s_cluster |
protoPayload.response.metadata.annotations.control-plane.alpha.kubernetes.io/leader |
additional.fields [resp_metadata_annotations_control-plane.alpha.kubernetes.io/leader] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.manager |
about.labels [resp_metadata_managedFields_manager] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.operation |
about.labels [resp_metadata_managedFields_operation] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.time |
about.labels [resp_metadata_managedFields_time] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.apiVersion |
about.labels [resp_metadata_managed_api_version] |
|
k8s_cluster |
protoPayload.response.spec.acquireTime |
about.labels [resp_spec_acquire_time] (deprecated) |
|
k8s_cluster |
protoPayload.response.spec.acquireTime |
additional.fields [resp_spec_acquire_time] |
|
k8s_cluster |
protoPayload.response.spec.groups |
about.labels [resp_spec_groups] |
|
gke_cluster, gke_nodepool, k8s_cluster |
protoPayload.response.@type |
about.labels [response_type] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_cluster |
protoPayload.response.@type |
additional.fields [response_type] |
|
start_time |
about.labels [start_time] (deprecated) |
||
start_time |
additional.fields [start_time] |
||
gke_cluster, gke_nodepool, k8s_control_plane_component, k8s_pod, k8s_cluster, k8s_node, k8s_container, k8s_service |
textPayload |
about.labels [textpayload] (deprecated) |
|
gke_cluster, gke_nodepool, k8s_control_plane_component, k8s_pod, k8s_cluster, k8s_node, k8s_container, k8s_service |
textPayload |
additional.fields [textpayload] |
|
upstream_service_time |
about.labels [upstream_service_time] (deprecated) |
||
upstream_service_time |
additional.fields [upstream_service_time] |
||
x_carbon_log_ext1 |
about.labels [x_carbon_log_ext1] (deprecated) |
||
x_carbon_log_ext1 |
additional.fields [x_carbon_log_ext1] |
||
k8s_container |
labels.upstream_host |
about.port |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.reportingInstance |
about.resource.name |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.reportingComponent |
about.resource.resource_subtype |
|
gke_cluster |
protoPayload.response.selfLink |
about.url |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.manager |
about.user.user_display_name |
|
x_forwarded_for |
src.ip |
The first value of the x_forwarded_for log field array is mapped to src.ip and principal.ip UDM fields. |
|
x_forwarded_for |
principal.ip |
The first value of the x_forwarded_for log field array is mapped to src.ip and principal.ip UDM fields. |
|
x_forwarded_for |
intermediary.ip |
The second and all other successive values of the x_forwarded_for log field array is mapped to the intermediary.ip UDM field. |
|
jsonPayload.httpRequest.x-forwarded-for |
src.ip |
The first value of the jsonPayload.httpRequest.x-forwarded-for log field array is mapped to src.ip UDM field. |
|
jsonPayload.httpRequest.x-forwarded-for |
principal.ip |
The second value of the jsonPayload.httpRequest.x-forwarded-for log field array is mapped to principal.ip UDM field. |
|
jsonPayload.httpRequest.x-forwarded-for |
intermediary.ip |
The third and all other successive values of the jsonPayload.httpRequest.x-forwarded-for log field array is mapped to intermediary.ip UDM field. |
|
k8s_pod, k8s_cluster, k8s_node, k8s_container, k8s_control_plane_component |
jsonPayload.message |
metadata.description |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.methodName |
metadata.product_event_type |
|
request_id |
metadata.product_log_id |
||
protocol |
network.application_protocol |
||
k8s_node |
jsonPayload.connection.direction |
network.direction |
The network.direction UDM field is set to one of the following values:
|
k8s_container |
labels.upstream_cluster |
network.direction |
|
k8s_container |
jsonPayload.request_length |
network.received_bytes |
|
k8s_container |
jsonPayload.request_uri |
principal.url |
|
k8s_container |
jsonPayload.request_method |
network.http.method |
|
k8s_container |
jsonPayload.remote_addr |
principal.ip |
|
k8s_container |
jsonPayload.server_protocol |
network.application_protocol |
Extracted application_protocol from jsonPayload.server_protocol log field using Grok pattern and mapped it to the network.application_protocol UDM field. |
k8s_container |
jsonPayload.server_protocol |
network.application_protocol_version |
Extracted application_protocol_version from jsonPayload.server_protocol log field using Grok pattern and mapped it to the network.application_protocol_version UDM field. |
k8s_container |
jsonPayload.status |
network.http.response_code |
|
k8s_container |
jsonPayload.http_host |
principal.hostname |
|
k8s_container |
jsonPayload.http_host |
principal.asset.hostname |
|
k8s_container |
jsonPayload.http_user_agent |
network.http.user_agent |
|
k8s_container |
jsonPayload.ssl_protocol |
network.tls.version |
|
k8s_container |
jsonPayload.remote_user |
principal.user.userid |
|
k8s_container |
jsonPayload.upstream_addr |
target.ip |
Extracted ip from jsonPayload.upstream_addr log field using Grok pattern and mapped it to the target.ip UDM field. |
k8s_container |
jsonPayload.upstream_addr |
target.port |
Extracted port from jsonPayload.upstream_addr log field using Grok pattern and mapped it to the target.port UDM field. |
k8s_container |
jsonPayload.http_referrer |
network.http.referral_url |
|
k8s_container |
jsonPayload.bytes_sent |
network.sent_bytes |
|
k8s_container |
jsonPayload.server_port |
target.nat_port |
|
k8s_container |
jsonPayload.upstream_response_time |
additional.fields[jsonpayload_upstream_response_time] |
|
k8s_container |
jsonPayload.msec |
additional.fields[jsonpayload_msec] |
|
k8s_container |
jsonPayload.upstream_connect_time |
additional.fields[jsonpayload_upstream_connect_time] |
|
k8s_container |
jsonPayload.body_bytes_sent |
additional.fields[jsonpayload_body_bytes_sent] |
|
k8s_container |
jsonPayload.request_time |
additional.fields[jsonpayload_request_time] |
|
k8s_container |
jsonPayload.http_method |
additional.fields[jsonpayload_http_method] |
|
k8s_container |
jsonPayload.http_version |
additional.fields[jsonpayload_http_version] |
|
k8s_container |
jsonPayload.response_code |
additional.fields[jsonpayload_response_code] |
|
upstream_cluster |
network.direction |
The network.direction UDM field is set to one of the following values:
|
|
labels.upstream_cluster |
network.direction |
The network.direction UDM field is set to one of the following values:
|
|
method |
network.http.method |
||
k8s_cluster |
protoPayload.request.spec.nonResourceAttributes.verb |
network.http.method |
|
k8s_container |
jsonPayload.http.req.method |
network.http.method |
|
k8s_container |
jsonPayload.http.req.path |
network.http.referral_url |
|
k8s_cluster |
protoPayload.request.spec.nonResourceAttributes.path |
network.http.referral_url |
|
response_code |
network.http.response_code |
||
gke_nodepool, k8s_cluster, audited_resource |
protoPayload.status.code |
network.http.response_code |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
|
user_agent |
network.http.user_agent |
||
k8s_node |
jsonPayload.connection.protocol |
network.ip_protocol |
|
bytes_received |
network.received_bytes |
||
k8s_container |
duration |
network.received_bytes |
|
bytes_sent |
network.sent_bytes |
||
k8s_container |
labels.total_sent_bytes |
network.sent_bytes |
|
k8s_container |
jsonPayload.session |
network.session_id |
|
k8s_container |
labels.service_authentication_policy |
network.tls.cipher |
|
authority |
principal.administrative_domain |
||
k8s_container |
labels.source_principal |
principal.administrative_domain |
|
k8s_container |
labels.source_app |
principal.application |
|
k8s_container |
jsonPayload.hostname |
principal.hostname |
|
k8s_container |
labels.source_name |
principal.hostname |
|
k8s_pod, k8s_node |
jsonPayload.source.host |
principal.hostname |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.callerIp |
principal.ip |
|
k8s_node |
jsonPayload.connection.src_ip |
principal.ip |
|
k8s_container |
labels.source_ip |
principal.ip |
|
k8s_node |
jsonPayload._CAP_EFFECTIVE |
principal.labels [jsonpayload_cap_effective] (deprecated) |
|
k8s_node |
jsonPayload._CAP_EFFECTIVE |
additional.fields [jsonpayload_cap_effective] |
|
k8s_container |
jsonPayload.currency |
principal.labels [jsonpayload_currency] (deprecated) |
|
k8s_container |
jsonPayload.currency |
additional.fields [jsonpayload_currency] |
|
k8s_container |
jsonPayload.envTime |
principal.labels [jsonpayload_env_time] (deprecated) |
|
k8s_container |
jsonPayload.envTime |
additional.fields [jsonpayload_env_time] |
|
k8s_node |
jsonPayload._GID |
principal.labels [jsonpayload_gid] (deprecated) |
|
k8s_node |
jsonPayload._GID |
additional.fields [jsonpayload_gid] |
|
k8s_container |
jsonPayload.http.req.id |
principal.labels [jsonpayload_http_req_id] (deprecated) |
|
k8s_container |
jsonPayload.http.req.id |
additional.fields [jsonpayload_http_req_id] |
|
k8s_node |
jsonPayload._SELINUX_CONTEXT |
principal.labels [jsonpayload_selinux_context] (deprecated) |
|
k8s_node |
jsonPayload._SELINUX_CONTEXT |
additional.fields [jsonpayload_selinux_context] |
|
k8s_node |
jsonPayload._SOURCE_REALTIME_TIMESTAMP |
principal.labels [jsonpayload_source_realtime_timestamp] (deprecated) |
|
k8s_node |
jsonPayload._SOURCE_REALTIME_TIMESTAMP |
additional.fields [jsonpayload_source_realtime_timestamp] |
|
k8s_node |
jsonPayload._STREAM_ID |
principal.labels [jsonpayload_stream_id] (deprecated) |
|
k8s_node |
jsonPayload._STREAM_ID |
additional.fields [jsonpayload_stream_id] |
|
k8s_container |
jsonPayload.traceLevel |
principal.labels [jsonpayload_trace_level] (deprecated) |
|
k8s_container |
jsonPayload.traceLevel |
additional.fields [jsonpayload_trace_level] |
|
k8s_node |
jsonPayload._TRANSPORT |
principal.labels [jsonpayload_transport] (deprecated) |
|
k8s_node |
jsonPayload._TRANSPORT |
additional.fields [jsonpayload_transport] |
|
k8s_node |
jsonPayload._UID |
principal.labels [jsonpayload_uid] (deprecated) |
|
k8s_node |
jsonPayload._UID |
additional.fields [jsonpayload_uid] |
|
audited_resource |
protoPayload.request.filter |
principal.labels [protopayload_request_filter] (deprecated) |
|
audited_resource |
protoPayload.request.filter |
additional.fields [protopayload_request_filter] |
|
audited_resource |
protoPayload.request.requests.features.type |
principal.labels [protopayload_requests_features_type] |
|
gke_cluster, gke_nodepool |
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels [request_attributes_reason] (deprecated) |
|
gke_cluster, gke_nodepool |
protoPayload.requestMetadata.requestAttributes.reason |
additional.fields [request_attributes_reason] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.source.component |
principal.labels [source_component] (deprecated) |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.source.component |
additional.fields [source_component] |
|
k8s_container |
labels.source_version |
principal.labels [source_version] |
|
k8s_container |
labels.source_workload |
principal.labels [source_workload] |
|
k8s_node |
jsonPayload.src.workload_kind |
principal.labels [src_workload_kind] (deprecated) |
|
k8s_node |
jsonPayload.src.workload_kind |
additional.fields [src_workload_kind] |
|
k8s_node |
jsonPayload.src.workload_name |
principal.labels [src_workload_name] (deprecated) |
|
k8s_node |
jsonPayload.src.workload_name |
additional.fields [src_workload_name] |
|
k8s_node |
jsonPayload._SYSTEMD_CGROUP |
principal.labels [systemd_cgroup] (deprecated) |
|
k8s_node |
jsonPayload._SYSTEMD_CGROUP |
additional.fields [systemd_cgroup] |
|
k8s_node |
jsonPayload._SYSTEMD_INVOCATION_ID |
principal.labels [systemd_invocation_id] (deprecated) |
|
k8s_node |
jsonPayload._SYSTEMD_INVOCATION_ID |
additional.fields [systemd_invocation_id] |
|
k8s_node |
jsonPayload._SYSTEMD_SLICE |
principal.labels [systemd_slice] (deprecated) |
|
k8s_node |
jsonPayload._SYSTEMD_SLICE |
additional.fields [systemd_slice] |
|
k8s_node |
jsonPayload._SYSTEMD_UNIT |
principal.labels [systemd_unit ] (deprecated) |
|
k8s_node |
jsonPayload._SYSTEMD_UNIT |
additional.fields [systemd_unit ] |
|
audited_resource |
protoPayload.requestMetadata.callerNetwork |
principal.labels [caller_network] (deprecated) |
|
audited_resource |
protoPayload.requestMetadata.callerNetwork |
additional.fields [caller_network] |
|
k8s_node |
jsonPayload.src.namespace |
principal.namespace |
|
k8s_node |
jsonPayload.src.pod_namespace |
principal.namespace |
|
k8s_container |
labels.source_namespace |
principal.namespace |
|
k8s_node |
jsonPayload.connection.src_port |
principal.port |
|
k8s_container |
labels.source_port |
principal.port |
|
k8s_node |
jsonPayload._CMDLINE |
principal.process.command_line |
|
k8s_node |
jsonPayload._EXE |
principal.process.file.full_path |
|
k8s_node |
jsonPayload._COMM |
principal.process.file.names |
|
k8s_node |
jsonPayload._PID |
principal.process.pid |
|
k8s_node |
jsonPayload._BOOT_ID |
principal.resource_ancestors.attribute.labels [jsonpayload_boot_id] |
|
k8s_container |
jsonPayload.releaseTrain |
principal.resource_ancestors.attribute.labels [release_train] |
|
gke_cluster |
protoPayload.request.cluster.initialClusterVersion |
principal.resource_ancestors.attribute.labels [req_cls_initial_cluster_version] |
|
gke_cluster |
protoPayload.request.cluster.locations |
principal.resource_ancestors.attribute.labels [req_cls_locations] |
|
gke_cluster |
protoPayload.request.cluster.location |
principal.resource_ancestors.attribute.labels [req_cluster_location] |
|
k8s_node |
jsonPayload.src.pod_name |
principal.resource_ancestors.name |
|
k8s_node |
jsonPayload._HOSTNAME |
principal.resource_ancestors.name |
|
gke_cluster |
protoPayload.request.cluster.loggingConfig.componentConfig.enableComponents |
principal.resource.attribute.labels [cluster_loggingConfig_componentConfig_enableComponents] |
|
gke_cluster |
protoPayload.request.cluster.monitoringConfig.componentConfig.enableComponents |
principal.resource.attribute.labels [cluster_monitoringConfig_componentConfig_enableComponents] |
|
k8s_node |
jsonPayload.count |
principal.resource.attribute.labels [jsonpayload_count] |
|
k8s_container |
jsonPayload.region |
principal.resource.attribute.labels [jsonpayload_region] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.creationTimestamp |
principal.resource.attribute.labels [metadata_creation_time_stamp] |
|
k8s_pod |
protoPayload.metadata.creationTimestamp |
principal.resource.attribute.labels [req_creation_timestamp] |
|
k8s_container |
labels.source_canonical_revision |
principal.resource.attribute.labels [source_canonical_revision] |
|
k8s_container |
labels.source_canonical_service |
principal.resource.attribute.labels [source_canonical_service] |
|
k8s_node |
jsonPayload._MACHINE_ID |
principal.resource.product_object_id |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authorizationInfo.granted |
principal.user.attribute.labels [authorization_granted] |
|
audited_resource |
protoPayload.request.pageToken |
principal.user.attribute.labels [protopayload_request_page_token] |
|
audited_resource |
protoPayload.request.pageSize |
principal.user.attribute.labels [req_page_size] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
If the protoPayload.authenticationInfo.principalEmail log field value is matched with regular expression .@. , then the following fields are mapped:
Else, the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.userid UDM field. |
audited_resource |
protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.user.email_addresses |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
If the protoPayload.authenticationInfo.principalEmail log field value is matched with regular expression .@. , then the following fields are mapped:
Else, the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.userid UDM field. |
k8s_container |
labels.mesh_uid |
principal.user.userid |
|
k8s_cluster |
protoPayload.request.metadata.uid |
principal.user.userid |
If the principal.user.userid log field value is not empty, then the protoPayload.request.metadata.uid log field is mapped to the principal.user.userid UDM field.Else, the protoPayload.request.metadata.uid log field is mapped to the principal.labels UDM field. |
audited_resource |
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
|
k8s_cluster |
labels.authorization.k8s.io/decision |
security_result.action |
|
k8s_container |
labels.connection_state |
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
k8s_node |
jsonPayload.disposition |
security_result.action_details |
|
k8s_cluster |
labels.authorization.k8s.io/reason |
security_result.action_details |
|
gke_nodepool, k8s_cluster, audited_resource |
protoPayload.status.message |
security_result.description |
|
gke_cluster |
protoPayload.response.status |
security_result.description |
|
k8s_pod |
labels.logMessage |
security_result.description |
|
k8s_pod |
labels.errorGroupId |
security_result.detection_fields [error_group_id] |
|
k8s_pod |
jsonPayload.errorEvent.eventTime |
security_result.detection_fields [jsonpayload_error_event_event_time] |
|
k8s_pod |
jsonPayload.errorEvent.message |
security_result.detection_fields [jsonpayload_error_event_message] |
|
k8s_pod |
jsonPayload.errorEvent.serviceContext.service |
security_result.detection_fields [jsonpayload_error_event_service_context_service] |
|
k8s_pod |
jsonPayload.errorGroup |
security_result.detection_fields [jsonpayload_error_group] |
|
k8s_pod |
jsonPayload.errorEvent.serviceContext.resourceType |
security_result.detection_fields [jsonpayload_error_service_context_resource_type] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.resourceName |
security_result.detection_fields [protopayload_resource_name] |
|
audited_resource |
protoPayload.authenticationInfo.serviceAccountKeyName |
security_result.detection_fields [service_account_key_name] |
|
k8s_node |
jsonPayload.PRIORITY |
security_result.priority_details |
|
k8s_node |
jsonPayload.policies.namespace |
security_result.rule_labels [policy_namespace] |
|
k8s_node |
jsonPayload.policies.name |
security_result.rule_name |
|
response_flags |
security_result.summary |
||
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.reason |
security_result.summary |
|
k8s_container |
sourceLocation.function |
src.application |
|
k8s_node, k8s_container, k8s_control_plane_component |
sourceLocation.file |
src.file.full_path |
|
k8s_node, k8s_container, k8s_control_plane_component |
sourceLocation.line |
src.labels [source_location_line] (deprecated) |
|
k8s_node, k8s_container, k8s_control_plane_component |
sourceLocation.line |
additional.fields [source_location_line] |
|
k8s_container |
labels.destination_principal |
target.administrative_domain |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.serviceName |
target.application |
|
k8s_container |
labels.destination_app |
target.application |
|
k8s_container |
labels.destination_canonical_service |
target.application |
|
audited_resource |
resource.labels.service |
target.application |
|
x_downstream_host |
target.asset.attribute.labels [x_downstream_host] |
||
k8s_container |
labels.path |
target.file.full_path |
|
path |
target.file.full_path |
||
k8s_container |
labels.destination_service_host |
target.hostname |
|
k8s_node |
jsonPayload.connection.dest_ip |
target.ip |
|
k8s_container |
labels.destination_ip |
target.ip |
|
upstream_host |
target.ip |
||
k8s_node |
jsonPayload.dest.workload_name |
target.labels [dest_workload_name] (deprecated) |
|
k8s_node |
jsonPayload.dest.workload_name |
additional.fields [dest_workload_name] |
|
k8s_container |
labels.destination_name |
target.labels [destination_name] |
|
k8s_container |
labels.destination_version |
target.labels [destination_version] |
|
k8s_container |
labels.destination_workload |
target.labels [destination_workload] |
|
audited_resource |
protoPayload.numResponseItems |
target.labels [num_response_items] (deprecated) |
|
audited_resource |
protoPayload.numResponseItems |
additional.fields [num_response_items] |
|
gke_cluster |
protoPayload.request.update.desiredLoggingConfig.componentConfig.enableComponents |
target.labels [req_update_desiredLoggingConfig_componentConfig_enableComponents] (deprecated) |
|
gke_cluster |
protoPayload.request.update.desiredLoggingConfig.componentConfig.enableComponents |
additional.fields [req_update_desiredLoggingConfig_componentConfig_enableComponents] |
|
k8s_cluster |
protoPayload.response.spec.nonResourceAttributes.path |
target.labels [resp_spec_non_resource_attributes_path] (deprecated) |
|
k8s_cluster |
protoPayload.response.spec.nonResourceAttributes.path |
additional.fields [resp_spec_non_resource_attributes_path] |
|
k8s_cluster |
protoPayload.response.spec.nonResourceAttributes.verb |
target.labels [resp_spec_non_resource_attributes_verb] (deprecated) |
|
k8s_cluster |
protoPayload.response.spec.nonResourceAttributes.verb |
additional.fields [resp_spec_non_resource_attributes_verb] |
|
x_b3_parentspanid |
target.labels [x_b3_parent_span_id] (deprecated) |
||
x_b3_parentspanid |
additional.fields [x_b3_parent_span_id] |
||
x_b3_sampled |
target.labels [x_b3_sample_d] (deprecated) |
||
x_b3_sampled |
additional.fields [x_b3_sample_d] |
||
x_b3_span_id |
target.labels [x_b3_span_id] (deprecated) |
||
x_b3_span_id |
additional.fields [x_b3_span_id] |
||
x_b3_trace_id |
target.labels [x_b3_trace_id] (deprecated) |
||
x_b3_trace_id |
additional.fields [x_b3_trace_id] |
||
k8s_node |
jsonPayload.dest.pod_namespace |
target.namespace |
|
k8s_node |
jsonPayload.dest.namespace |
target.namespace |
|
k8s_container |
labels.destination_namespace |
target.namespace |
|
k8s_cluster |
protoPayload.request.metadata.namespace |
target.namespace |
|
k8s_container |
labels.destination_ip |
target.port |
|
upstream_host |
target.port |
||
k8s_node |
jsonPayload.connection.dest_port |
target.port |
|
k8s_container |
labels.destination_port |
target.port |
|
k8s_control_plane_component, k8s_node, k8s_container |
jsonPayload.pid |
target.process.pid |
|
k8s_pod |
labels.deploymentVersion |
target.resource_ancestors.attribute.labels [deployment_version] |
|
k8s_container |
labels.k8s-pod/kubernetes_io/cluster-service |
target.resource_ancestors.attribute.labels [pod_cluster_service] |
|
k8s_container |
labels.k8s-pod/component |
target.resource_ancestors.attribute.labels [pod_component] |
|
k8s_container |
labels.k8s-pod/controller-revision-hash |
target.resource_ancestors.attribute.labels [pod_controller_revision_hash] |
|
k8s_container |
labels.k8s-pod/dsName |
target.resource_ancestors.attribute.labels [pod_ds_name] |
|
k8s_container |
labels.k8s-pod/hub.gke.io/project |
target.resource_ancestors.attribute.labels [pod_gke_project] |
|
k8s_container |
labels.k8s-pod/security_istio_io/tlsMode |
target.resource_ancestors.attribute.labels [pod_security_tls_mode] |
|
k8s_container |
labels.k8s-pod/service_istio_io/canonical-name |
target.resource_ancestors.attribute.labels [pod_service_canonical_name] |
|
k8s_container |
labels.k8s-pod/pod-template-generation |
target.resource_ancestors.attribute.labels [pod_template_generation] |
|
gke_cluster |
protoPayload.request.cluster.network |
target.resource_ancestors.attribute.labels [req_cls_network] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.management.autoRepair |
target.resource_ancestors.attribute.labels [req_clsNodePools_autorepair] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.autoscaling.enabled |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoscaling_enabled] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.autoscaling.maxNodeCount |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoscaling_max_node_cnt] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.autoscaling.minNodeCount |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoscaling_min_node_cnt] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.management.autoUpgrade |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoupgrade] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.diskSizeGb |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_disksize] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.diskType |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_diskType] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.imageType |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_imagetype] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.machineType |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_machinetype] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.metadata.disable-legacy-endpoints |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_metadata_disable-legacy-endpoints] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.oauthScopes |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_oauth_scopes] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.upgradeSettings.maxSurge |
target.resource_ancestors.attribute.labels [req_clsNodePools_upgradeSettings_maxSurge] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.initialNodeCount |
target.resource_ancestors.attribute.labels [req_clsterNodePools_autoscaling_initial_node_cnt] |
|
gke_nodepool |
protoPayload.request.nodePool.maxPodsConstraint |
target.resource_ancestors.attribute.labels [req_node_pool_name] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.name |
target.resource_ancestors.name |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authorizationInfo.resource |
target.resource_ancestors.name |
|
k8s_node |
jsonPayload.dest.workload_kind |
target.resource_ancestors.name |
|
gke_cluster, audited_resource |
protoPayload.request.parent |
target.resource_ancestors.name |
|
k8s_container | jsonPayload.nodeName |
target.resource_ancestors.name |
If the resource.type log field value is equal to k8s_container , then the jsonPayload.nodeName log field is mapped to the target.resource_ancestors.name UDM field. |
k8s_container |
labels.instance_name |
target.resource_ancestors.name |
|
gke_cluster |
protoPayload.request.cluster.subnetwork |
target.resource_ancestors.name |
|
k8s_container |
labels.requested_server_name |
target.resource_ancestors.name |
|
k8s_pod |
labels.deploymentAppId |
target.resource_ancestors.name |
|
k8s_node |
jsonPayload.dest.pod_name |
target.resource_ancestors.name |
|
k8s_container |
labels.compute.googleapis.com/resource_name |
target.resource_ancestors.name |
|
gke_cluster, gke_nodepool |
protoPayload.resourceLocation.currentLocations |
target.resource.attribute.cloud.availability_zone |
If the index log field value is equal to 0 , then the protoPayload.resourceLocation.currentLocations log field is mapped to the token_target.resource.attribute.cloud.availability_zone UDM field.Else, the protoPayload.resourceLocation.currentLocations log field is mapped to the target.resource.attribute.labels.value UDM field. |
k8s_cluster |
protoPayload.response.metadata.creationTimestamp |
target.resource.attribute.creation_time |
|
k8s_container |
labels.agent_version |
target.resource.attribute.labels [agent_version] |
|
k8s_container |
labels.connection_id |
target.resource.attribute.labels [connection_id] |
|
k8s_container |
labels.k8s-pod/container-watcher-unique-id |
target.resource.attribute.labels [container_watcher_unique_id] |
|
k8s_container |
labels.destination_canonical_revision |
target.resource.attribute.labels [destination_canonical_revision] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.apiVersion |
target.resource.attribute.labels [jsonpayload_involved_object_apiVersion] |
|
k8s_pod |
jsonPayload.involvedObject.fieldPath |
target.resource.attribute.labels [jsonpayload_involved_object_field_path] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.kind |
target.resource.attribute.labels [jsonpayload_involved_object_kind] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.name |
target.resource.attribute.labels [jsonpayload_involved_object_name] |
If the resource.type log field value is equal to k8s_cluster , then the jsonPayload.involvedObject.name log field is mapped to the target.resource.attribute.labels.value UDM field. |
k8s_pod, k8s_cluster |
jsonPayload.involvedObject.namespace |
target.resource.attribute.labels [jsonpayload_involved_object_namespace] |
|
k8s_pod, k8s_cluster |
jsonPayload.involvedObject.resourceVersion |
target.resource.attribute.labels [jsonpayload_involved_object_resourceVersion] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.uid |
target.resource.attribute.labels [jsonpayload_involved_object_uid] |
|
k8s_container |
labels.destination_service_name |
target.resource.attribute.labels [labels_destination_service_name] |
|
k8s_container |
labels.k8s-pod/app |
target.resource.attribute.labels [labels_k8s_pod_app] |
|
k8s_container |
labels.k8s-pod/k8s-app |
target.resource.attribute.labels [labels_k8s_pod_k8s_app] |
|
k8s_container |
labels.k8s-pod/name |
target.resource.attribute.labels [labels_k8s_pod_name] |
|
k8s_container |
labels.k8s-pod/clm_test |
target.resource.attribute.labels [clm_test] |
|
k8s_container |
labels.log_sampled |
target.resource.attribute.labels [labels_log_sampled] |
|
k8s_container |
labels.request_id |
target.resource.attribute.labels [labels_request_id] |
|
k8s_container |
labels.response_flag |
target.resource.attribute.labels [labels_response_flag] |
|
k8s_container |
labels.x_carbon_log_ext1 |
target.resource.attribute.labels [labels_x_carbon_log_ext1] |
|
k8s_container |
labels.gke.googleapis.com/log_type |
target.resource.attribute.labels [log_type] |
|
gke_cluster |
protoPayload.metadata.operationType |
target.resource.attribute.labels [metadata_operationType] |
|
k8s_pod |
labels.clouderrorreporting.googleapis.com/notification_trigger_error_ingestion_time |
target.resource.attribute.labels [notification_trigger_error_ingestion_time] |
|
k8s_pod |
labels.notificationType |
target.resource.attribute.labels [notification_type] |
|
gke_cluster, audited_resource |
protoPayload.request.name |
target.resource.attribute.labels [proto_req_name] |
|
k8s_cluster |
protoPayload.request.metadata.name |
target.resource.attribute.labels [protopayload_metadata_name] |
|
k8s_cluster |
protoPayload.request.metadata.resourceVersion |
target.resource.attribute.labels [protopayload_metadata_resourceversion] |
|
gke_cluster |
protoPayload.request.cluster.binaryAuthorization.evaluationMode |
target.resource.attribute.labels [protopayload_request_cluster_binary_auth_eval_mode] |
|
audited_resource |
protoPayload.request.contentType |
target.resource.attribute.labels [protopayload_request_content_type] |
|
k8s_cluster |
protoPayload.request.kind |
target.resource.attribute.labels [protopayload_request_kind] |
|
gke_cluster |
protoPayload.request.cluster.addonsConfig.gcePersistentDiskCsiDriverConfig.enabled |
target.resource.attribute.labels [req_cls_addonsConfig_gcePersistentDiskCsiDriverConfig_enabled] |
|
gke_cluster |
protoPayload.request.cluster.releaseChannel.channel |
target.resource.attribute.labels [req_cls_channel] |
|
gke_cluster |
protoPayload.request.cluster.enableKubernetesAlpha |
target.resource.attribute.labels [req_cls_enableKubernetesAlpha] |
|
gke_cluster |
protoPayload.request.cluster.ipAllocationPolicy.stackType |
target.resource.attribute.labels [req_cls_ipAllocationPolicy_stackType] |
|
gke_cluster |
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled |
target.resource.attribute.labels [req_cls_policy_config_disabled] |
|
gke_nodepool |
protoPayload.request.nodePool.config.diskSizeGb |
target.resource.attribute.labels [req_node_pool_config_diskSizeGb] |
|
gke_nodepool |
protoPayload.request.nodePool.config.diskType |
target.resource.attribute.labels [req_node_pool_config_diskType] |
|
gke_nodepool |
protoPayload.request.nodePool.config.imageType |
target.resource.attribute.labels [req_node_pool_config_imageType] |
|
gke_nodepool |
protoPayload.request.nodePool.config.machineType |
target.resource.attribute.labels [req_node_pool_config_machineType] |
|
gke_nodepool |
protoPayload.request.nodePool.config.metadata.disable-legacy-endpoints |
target.resource.attribute.labels [req_node_pool_config_metadata_disable_legacy_endpoints] |
|
gke_nodepool |
protoPayload.request.nodePool.config.oauthScopes |
target.resource.attribute.labels [req_node_pool_config_oauth_scopes] |
|
gke_nodepool |
protoPayload.request.nodePool.networkConfig.enablePrivateNodes |
target.resource.attribute.labels [req_node_pool_enable_private_nodes] |
|
gke_nodepool |
protoPayload.request.nodePool.initialNodeCount |
target.resource.attribute.labels [req_node_pool_initial_node_cnt] |
|
gke_nodepool |
protoPayload.request.nodePool.management.autoRepair |
target.resource.attribute.labels [req_node_pool_management_auto_repair] |
|
gke_nodepool |
protoPayload.request.nodePool.management.autoUpgrade |
target.resource.attribute.labels [req_node_pool_management_auto_upgrade] |
|
gke_nodepool |
protoPayload.request.nodePool.upgradeSettings.maxSurge |
target.resource.attribute.labels [req_node_pool_upgrade_settings_max_surge] |
|
gke_nodepool |
protoPayload.request.nodePool.upgradeSettings.strategy |
target.resource.attribute.labels [req_node_pool_upgrade_settings_strategy] |
|
gke_nodepool |
protoPayload.request.nodePool.version |
target.resource.attribute.labels [req_nodepool_version] |
|
gke_cluster |
protoPayload.request.cluster.ipAllocationPolicy.useIpAliases |
target.resource.attribute.labels [requ_cls_ipAllocationPolicy_useIpAliases] |
|
gke_cluster |
protoPayload.request.cluster.networkConfig.datapathProvider |
target.resource.attribute.labels [requ_cls_networkConfig_datapathProvider] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.upgradeSettings.strategy |
target.resource.attribute.labels [requ_cls_nodePools_upgradeSettings_strategy] |
|
requested_server_name |
target.resource.attribute.labels [requested_server_name] |
||
gke_cluster |
protoPayload.response.name |
target.resource.attribute.labels [res_name] |
|
gke_cluster |
protoPayload.response.operationType |
target.resource.attribute.labels [res_operation_type] |
|
k8s_cluster |
protoPayload.response.apiVersion |
target.resource.attribute.labels [resp_api_version] |
|
k8s_cluster |
protoPayload.response.kind |
target.resource.attribute.labels [resp_kind] |
|
k8s_cluster |
protoPayload.response.metadata.name |
target.resource.attribute.labels [resp_metadata_name] |
|
k8s_cluster |
protoPayload.response.metadata.namespace |
target.resource.attribute.labels [resp_metadata_namespace] |
|
k8s_cluster |
protoPayload.response.metadata.resourceVersion |
target.resource.attribute.labels [resp_metadata_resource_version] |
|
k8s_cluster |
protoPayload.response.metadata.uid |
target.resource.attribute.labels [resp_metadata_uid] |
|
k8s_container |
labels.response_details |
target.resource.attribute.labels [response_details] |
|
k8s_container |
labels.route_name |
target.resource.attribute.labels [route_name] |
|
k8s_container |
labels.k8s-pod/pod-template-hash |
target.resource.attribute.labels [template_hash] |
|
audited_resource |
resource.labels.method |
target.resource.attribute.labels [rc_method] |
|
k8s_cluster |
protoPayload.request.status.conditions.reason |
target.resource.attribute.permissions.description |
|
gke_cluster |
protoPayload.request.cluster.name |
target.resource.name |
|
k8s_node |
jsonPayload.node_name |
target.resource.name |
If the resource.type log field value is equal to k8s_node , then the jsonPayload.node_name log field is mapped to the target.resource.name UDM field. |
k8s_container |
jsonPayload.azureResourceID |
target.resource.product_object_id |
|
gke_cluster |
protoPayload.response.targetLink |
target.url |
|
k8s_cluster |
protoPayload.request.spec.leaseTransitions |
target.user.attribute.labels [request_lease_transitions] |
|
k8s_cluster |
protoPayload.request.spec.holderIdentity |
target.user.attribute.labels [request_spec_holderIdentity] |
|
k8s_cluster |
protoPayload.request.spec.renewTime |
target.user.attribute.labels [request_spec_renew_time] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.group |
target.user.attribute.labels [request_spec_resource_group] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.verb |
target.user.attribute.labels [request_spec_resource_verb] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.version |
target.user.attribute.labels [request_spec_resource_version] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.resource |
target.user.attribute.labels [request_spec_resource] |
|
k8s_cluster |
protoPayload.request.spec.uid |
target.user.attribute.labels [request_spec_uid] |
|
k8s_cluster |
protoPayload.request.spec.user |
target.user.attribute.labels [request_spec_user] |
|
k8s_cluster |
protoPayload.request.spec.leaseDurationSeconds |
target.user.attribute.labels [request_spec._ease_duration_sec] |
|
k8s_cluster |
protoPayload.request.status.allowed |
target.user.attribute.labels [request_status_allowed] |
|
k8s_cluster |
protoPayload.response.spec.leaseTransitions |
target.user.attribute.labels [res_lease_transitions] |
|
k8s_cluster |
protoPayload.response.spec.holderIdentity |
target.user.attribute.labels [resp_spec_holderIdentity] |
|
k8s_cluster |
protoPayload.response.spec.leaseDurationSeconds |
target.user.attribute.labels [resp_spec_lease_duration_sec] |
|
k8s_cluster |
protoPayload.response.spec.renewTime |
target.user.attribute.labels [resp_spec_renew_time] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.group |
target.user.attributes.labels [resp_resource_attributes_group] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.resource |
target.user.attributes.labels [resp_resource_attributes_resource] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.verb |
target.user.attributes.labels [resp_resource_attributes_verb] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.version |
target.user.attributes.labels [resp_resource_attributes_version] |
|
k8s_cluster |
protoPayload.request.spec.groups |
target.user.group_identifiers |
|
k8s_cluster |
protoPayload.response.spec.user |
target.user.user_display_name |
|
k8s_cluster |
protoPayload.response.spec.uid |
target.user.userid |
|
k8s_cluster |
jsonPayload.vulnerability.cveId |
extensions.vulns.vulnerabilities.cve_id |
|
k8s_cluster |
jsonPayload.vulnerability.cvssScore |
extensions.vulns.vulnerabilities.cvss_base_score |
|
k8s_cluster |
jsonPayload.vulnerability.cvssVector |
extensions.vulns.vulnerabilities.cvss_vector |
|
k8s_cluster |
jsonPayload.vulnerability.description |
extensions.vulns.vulnerabilities.description |
|
k8s_cluster |
jsonPayload.vulnerability.severity |
extensions.vulns.vulnerabilities.severity |
|
k8s_cluster |
jsonPayload.vulnerability.severity |
extensions.vulns.vulnerabilities.severity_details |
|
k8s_cluster |
jsonPayload.vulnerability.cpeUri |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_cpe_uri] |
|
k8s_cluster |
jsonPayload.vulnerability.fixedCpeUri |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixed_cpe_uri] |
|
k8s_cluster |
jsonPayload.vulnerability.relatedUrls |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_related_urls] |
|
k8s_cluster |
jsonPayload.vulnerability.packageName |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_package_name] |
|
k8s_cluster |
jsonPayload.vulnerability.packageType |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_package_type] |
|
k8s_cluster |
jsonPayload.vulnerability.fixedPackage |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixed_package] |
|
k8s_cluster |
jsonPayload.vulnerability.fixedPackageVersion |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixed_package_version] |
|
k8s_cluster |
jsonPayload.vulnerability.affectedImages |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_affected_images] |
|
k8s_cluster |
jsonPayload.vulnerability.affectedPackageVersion |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_affected_package_version] |