收集 Google Kubernetes Engine 日志
本文档介绍如何通过设置 Chronicle Feed 来收集 Google Kubernetes Engine 日志,以及如何将日志字段映射到 Chronicle 统一数据模型 (UDM) 字段。本文档还列出了 Google Kubernetes Engine 支持的日志类型和事件类型。
如需了解详情,请参阅将数据注入到 Chronicle。
典型部署包括 Google Kubernetes Engine 和配置为将日志发送到 Chronicle 的 Chronicle Feed。每个客户部署可能有所不同,并且可能更复杂。
该部署包含以下组件:
Google Kubernetes Engine。您从中收集日志的 Google Kubernetes Engine 平台。
Chronicle Feed。用于从 Google Kubernetes Engine 提取日志并将日志写入 Chronicle 的 Chronicle Feed。
Chronicle。Chronicle 保留和分析来自 Google Kubernetes Engine 的日志。
提取标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有以下提取标签的 Google Kubernetes Engine 解析器:KUBERNETES_NODE
准备工作
确保您拥有 Google 管理员帐号。
验证您是否拥有执行以下任务所需的权限:
- 创建或访问 Google Cloud 项目。
- 启用 Google Kubernetes Engine API。
- 启用 Google Kubernetes Engine 集群。
如需将日志从 Google Cloud 注入 Chronicle,请执行以下任务:
- 创建 Cloud Storage 存储桶。
- 如需将 Cloud Storage 存储桶中的日志添加到 Chronicle,请创建一个接收器。
确保部署架构中的所有系统均采用世界协调时间 (UTC) 时区进行配置。
验证 Chronicle 解析器支持的日志类型。如需了解支持的 Google Kubernetes Engine 资源类型,请参阅支持的 Google Kubernetes Engine 资源类型。
在 Chronicle 中配置 Feed 以注入 Google Kubernetes Engine 日志
- 从 Chronicle 菜单中,选择 Settings,然后点击 Feeds。
- 点击 Add New(新增)。
- 在 Source Type 中选择 Google Cloud Storage。
- 如需为 Google Kubernetes Engine 审核日志创建 Feed,请选择 Google Kubernetes Engine 审核日志作为日志类型。
- 点击下一步。
- 根据您创建的 Cloud Storage 配置,为以下字段指定值:
- 存储桶 URI
- URI 是一种
- 源代码删除选项
- 点击下一步,然后点击提交。
- 完成为 Google Kubernetes Engine 审核日志创建 Feed 的步骤后,请重复执行这些步骤,为以下每种日志类型创建单独的 Feed:
- Google Kubernetes Engine 身份验证代理日志
- Google Kubernetes Engine 节点日志
如需详细了解 Chronicle Feed,请参阅 Chronicle Feed 文档。如需了解各种 Feed 类型的要求,请参阅按类型划分的 Feed 配置。
如果您在创建 Feed 时遇到问题,请与 Chronicle 支持团队联系。
支持的 Google Kubernetes Engine 资源类型
下表列出了 Google Kubernetes Engine 解析器支持的资源类型:
| 资源类型 | 显示名称 |
|---|---|
| gke_cluster | GKE 集群操作 |
| k8s_cluster | Kubernetes 集群 |
| gke_nodepool | GKE 节点池 |
| K8s_container | GKE 容器日志 |
| k8s_node | GKE 节点池日志 |
| k8s_pod | GKE Pod 日志 |
| k8s_service | GKE 服务日志 |
| k8s_control_plane_component | Kubernetes 控制平面组件 |
| audited_resource | 经过审核的 Kubernetes 资源 |
字段映射参考文档
以下部分介绍了 Chronicle 解析器如何将 Google Kubernetes Engine 日志字段映射到 Chronicle 统一数据模型 (UDM) 字段。
字段映射参考:KUBERNETES_NODE 事件标识符与 UDM 事件类型
下表列出了 KUBERNETES_NODE 事件标识符及其对应的 UDM 事件类型。与 UDM 事件类型的对应关系基于 protopayload.methodname 日志字段,该字段被视为事件标识符。
| Event identifier | Event type |
|---|---|
io.k8s.migration.v1alpha1.storagestates.status.update |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.get |
USER_RESOURCE_ACCESS |
google.container.v1beta1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
io.k8s.core.v1.configmaps.patch |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.node.v1.runtimeclasses.watch |
SCAN_UNCATEGORIZED |
io.k8s.core.v1.endpoints.update |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.coordination.v1.leases.update |
USER_RESOURCE_UPDATE_CONTENT |
google.container.v1beta1.ClusterManager.UpdateCluster |
USER_RESOURCE_UPDATE_CONTENT |
io.k8s.core.v1.configmaps.update |
USER_RESOURCE_UPDATE_CONTENT |
google.container.v1.ClusterManager.CreateNodePool |
USER_RESOURCE_CREATION |
google.container.v1.ClusterManager.CreateCluster |
USER_RESOURCE_CREATION |
google.container.v1.ClusterManager.DeleteCluster |
USER_RESOURCE_DELETION |
loginservice.login |
USER_LOGIN |
loginservice.govattackwarning |
USER_LOGIN |
loginservice.accountdisabled |
USER_LOGIN |
loginservice.accountdisabledspammingthroughrelay |
USER_LOGIN |
loginservice.suspiciouslogin |
USER_LOGIN |
loginservice.suspiciousloginlesssecureapp |
USER_LOGIN |
loginservice.suspiciousprogrammaticlogin |
USER_LOGIN |
AuthorizeUser |
USER_LOGIN |
loginservice.logout |
USER_LOGOUT |
adminservice.changepassword |
USER_CHANGE_PASSWORD |
adminservice.create |
USER_RESOURCE_CREATION |
adminservice.add |
USER_RESOURCE_CREATION |
accesscontextmanager.create |
USER_RESOURCE_CREATION |
adminservice.createaccess |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.enforce |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.systemdefinedruleupdated |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.changetwostepverificationfrequency |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.suspenduser |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.assignrole |
USER_RESOURCE_UPDATE_PERMISSIONS |
adminservice.unassignrole |
USER_RESOURCE_UPDATE_PERMISSIONS |
setiampolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
checkinvitationrequired |
USER_RESOURCE_UPDATE_PERMISSIONS |
setiampermissions |
USER_RESOURCE_UPDATE_PERMISSIONS |
setorgpolicy |
USER_RESOURCE_UPDATE_PERMISSIONS |
storage.objects.delete |
USER_RESOURCE_DELETION |
storage.objects.update |
USER_RESOURCE_UPDATE_CONTENT |
attachcloudlink |
USER_RESOURCE_UPDATE_CONTENT |
jobservice.cancel |
USER_UNCATEGORIZED |
updatebrand |
USER_RESOURCE_UPDATE_CONTENT |
updateclient |
USER_RESOURCE_UPDATE_CONTENT |
assignprojecttobillingaccount |
USER_RESOURCE_UPDATE_CONTENT |
jobservice.insert |
RESOURCE_WRITTEN |
jobservice.jobcompleted |
RESOURCE_WRITTEN |
If the protoPayload.methodName log field starts with clustermanager
followed by any number of characters and ends with setnodepoolmanagement, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with clustermanager
followed by any number of characters and ends with updatecomponentconfig, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with instance
followed by any number of characters and ends with set, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with instance
followed by any number of characters and ends with reset, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with instance
followed by any number of characters and ends with resize, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field starts with iam.admin
followed by any number of characters and ends with create, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
USER_UNCATEGORIZED |
If the protoPayload.methodName log field starts with iam.admin
followed by any number of characters and ends with delete, then the metadata.event_type UDM field is set to USER_UNCATEGORIZED. |
USER_UNCATEGORIZED |
If the protoPayload.methodName log field starts with adminservice,
membershipsservice, accesscontextmanager, servicemanager,
serviceusage, services, projects, or clustermanager
followed by any number of characters and ends with update, change, activate,
deactivate, enable, disable, replace, or set,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field contains delete or
remove, then the metadata.event_type UDM field is set to USER_RESOURCE_DELETION. |
USER_RESOURCE_DELETION |
If the protoPayload.methodName log field contains submit or
update or patch or ingest, then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN. |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field starts with imageannotator.batch,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN. |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field ends with scheduledsnapshots,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN. |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains compute.disks.insert,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN. |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains compute.disks.add,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN. |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains compute.disks.setlabels,
then the metadata.event_type UDM field is set to USER_RESOURCE_WRITTEN. |
USER_RESOURCE_WRITTEN |
If the protoPayload.methodName log field contains insert or create
or recreate or add, then the metadata.event_type UDM field is set to USER_RESOURCE_CREATION. |
USER_RESOURCE_CREATION |
If the protoPayload.methodName log field starts with compute
followed by any number of characters and ends with migrate, then the metadata.event_type UDM field is set to USER_RESOURCE_CREATION. |
USER_RESOURCE_CREATION |
If the protoPayload.methodName log field contains get or list
or watch, then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field starts with cloudsql
followed by any number of characters and ends with connect, then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field contains create or
Create, then the metadata.event_type UDM field is set to USER_RESOURCE_CREATION. |
USER_RESOURCE_CREATION |
If the protoPayload.methodName log field contains get or Get,
then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field starts with query, then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field contains list or List,
then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field ends with watch,
then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the protoPayload.methodName log field ends with IngestMessage,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field ends with UpdateAgent,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field contains bigquery and ends with
|
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field ends with MetricService.CreateTimeSeries,
then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the protoPayload.methodName log field ends with update,
then the metadata.event_type UDM field is set to STATUS_UPDATE. |
STATUS_UPDATE |
If the protoPayload.methodName log field ends with status.patch,
then the metadata.event_type UDM field is set to NETWORK_CONNECTION. |
NETWORK_CONNECTION |
下表列出了不基于 protopayload.methodname 日志字段的映射的 KUBERNETES_NODE 事件标识符及其对应的 UDM 事件类型。
| Event Identifier | Event Type |
|---|---|
If the daemon log field is equal to smtpd, then the metadata.event_type UDM field is set to EMAIL_UNCATEGORIZED. |
EMAIL_UNCATEGORIZED |
If the path log field is not empty, then the metadata.event_type UDM field is set to NETWORK_HTTP. |
NETWORK_HTTP |
If the htttpRequest.serverIp or httpRequest.remoteIp log field is not empty, then the metadata.event_type UDM field is set to NETWORK_HTTP. |
NETWORK_HTTP |
If the htttpRequest.requestMethod log field is equal to POST, then the metadata.event_type UDM field is set to USER_RESOURCE_UPDATE_CONTENT. |
USER_RESOURCE_UPDATE_CONTENT |
If the htttpRequest.requestMethod log field is equal to GET, then the metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
USER_RESOURCE_ACCESS |
If the htttpRequest.requestMethod log field is equal to DELETE, then the metadata.event_type UDM field is set to USER_RESOURCE_DELETION. |
USER_RESOURCE_DELETION |
字段映射参考:KUBERNETES_NODE 通用字段
下表列出了 KUBERNETES_NODE 日志类型的通用字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
insertId |
metadata.product_log_id |
|
target.resource.resource_type |
The target.resource.resource_type UDM field is set to CLUSTER. |
|
resource.type |
target.resource.resource_subtype |
|
resource.labels.project_id |
target.resource_ancestors.product_object_id |
|
resource.labels.cluster_name |
target.resource.name |
If the resource.type log field value is equal to k8s_cluster,
then the resource.labels.cluster_name log field is mapped to the target.resource.name
UDM field.Else, if the resource.type log field value is equal to gke_cluster and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to gke_cluster, then the resource.labels.cluster_name log field is mapped to the target.resource.name UDM field.Else, the resource.labels.cluster_name log field is mapped to the target.resource_ancestors.name UDM field. |
resource.labels.location |
target.resource.attributes.cloud.availability_zone |
|
resource.labels.nodepool_name |
target.resource.name |
If the resource.type log field value is equal to gke_nodepool and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to gke_nodepool,
then the resource.labels.nodepool_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.nodepool_name log field is mapped to the target.resource_ancestors.name UDM field. |
resource.labels.component_location |
target.resource.attribute.labels [component_location] |
|
resource.labels.component_name |
target.resource_ancestors.labels [component_name] |
If the resource.type log field value is equal to k8s_control_plane_component and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_control_plane_component,
then the resource.labels.component_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.component_name log field is mapped to the target.resource_ancestors.labels.value UDM field. |
resource.labels.pod_name |
target.resource_ancestors.name |
If the resource.type log field value is equal to k8s_pod and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_pod,
then the resource.labels.pod_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.pod_name log field is mapped to the target.resource_ancestors.name UDM field. |
resource.labels.container_name |
target.resource.name |
If the resource.type log field value is equal to k8s_container and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_container,
then the resource.labels.container_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.container_name log field is mapped to the target.resource_ancestors.labels.value UDM field. |
resource.labels.namespace_name |
target.namespace |
|
resource.labels.node_name |
target.resource.name |
If the resource.type log field value is equal to k8s_node and protoPayload.resourceName is not empty, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field.Else, if the resource.type log field value is equal to k8s_node,
then the resource.labels.node_name log field is mapped to the target.resource.name
UDM field.Else, the resource.labels.node_name log field is mapped to the target.resource_ancestors.name UDM field. |
protoPayload.resourceName |
target.resource.name |
If the resource.type log field value is equal to audited_resource, then the protoPayload.resourceName log field is mapped to the target.resource.name UDM field. |
timestamp |
metadata.event_timestamp |
|
severity |
security_result.severity |
The security_result.severity UDM field is set to one of the following values:
|
logName |
metadata.url_back_to_product |
|
receiveTimestamp |
metadata.collected_timestamp |
|
httpRequest.latency |
about.labels [httprequest_latency] |
|
httpRequest.protocol |
network.application_protocol |
|
httpRequest.remoteIp |
principal.ip |
If the x_forwarded_for log field value is empty or the jsonPayload.httpRequest.x-forwarded-for log field array has one value, then the httpRequest.remoteIp log field is mapped to the principal.ip UDM field. |
httpRequest.remoteIp |
intermediary.ip |
If the x_forwarded_for log field value is not empty or the jsonPayload.httpRequest.x-forwarded-for log field array has more than one value, then the httpRequest.remoteIp log field is mapped to the intermediary.ip UDM field. |
httpRequest.remoteIp |
principal.port |
|
httpRequest.requestMethod |
network.http.method |
|
httpRequest.requestSize |
network.sent_bytes |
|
httpRequest.requestUrl |
target.url |
|
httpRequest.responseSize |
network.received_bytes |
|
httpRequest.serverIp |
target.ip |
|
httpRequest.serverIp |
target.port |
|
httpRequest.status |
network.http.response_code |
|
httpRequest.userAgent |
network.http.user_agent |
|
protoPayload.request.subjects.name |
target.user.attribute.labels [subject_name] |
|
protoPayload.request.subjects.kind |
target.user.attribute.labels [subject_kind] |
|
textPayload |
principal.ip |
Used a Grok pattern to extract principal_ip from the textPayload log field and mapped to the principal.ip UDM field. |
textPayload |
target.ip |
Used a Grok pattern to extract target_ip from the textPayload log field and mapped to the target.ip UDM field. |
textPayload |
network.http.method |
If the network.http.method UDM field is not empty, then network_method is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_method is extracted from the textPayload log field using a Grok pattern and mapped to the network.http.method UDM field. |
textPayload |
target.url |
If the target.url UDM field is not empty, then target_url is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, target_url is extracted from the textPayload log field using a Grok pattern and mapped to the target.url UDM field. |
textPayload |
network.application_protocol |
If the network.application_protocol UDM field is not empty, then network_application_protocol is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_application_protocol is extracted from the textPayload log field using a Grok pattern and mapped to the network.application_protocol UDM field. |
textPayload |
network.application_protocol_version |
If the network.application_protocol_version UDM field is not empty, then network_application_protocol_version is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_application_protocol_version is extracted from the textPayload log field using a Grok pattern and mapped to the network.application_protocol_version UDM field. |
textPayload |
network.http.response_code |
If the network.http.response_code UDM field is not empty, then network_http_response_code is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_http_response_code is extracted from the textPayload log field using a Grok pattern and mapped to the network.http.response_code UDM field. |
textPayload |
target.hostname |
If the target.hostname UDM field is not empty, then target_hostname is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, target_hostname is extracted from the textPayload log field using a Grok pattern and mapped to the target.hostname UDM field. |
textPayload |
network.http.user_agent |
If the network.http.user_agent UDM field is not empty, then network_http_user_agent is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_http_user_agent is extracted from the textPayload log field using a Grok pattern and mapped to the network.http.user_agent UDM field. |
textPayload |
target.port |
If the target.port UDM field is not empty, then target_port is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, target_port is extracted from the textPayload log field using a Grok pattern and mapped to the target.port UDM field. |
textPayload |
network.session_id |
If the network.session_id UDM field is not empty, then network_session_id is extracted from the textPayload log field using a Grok pattern and mapped to the additional.fields UDM field.
Else, network_session_id is extracted from the textPayload log field using a Grok pattern and mapped to the network.session_id UDM field. |
字段映射参考:KUBERNETES_NODE 日志字段到 UDM 字段
下表列出了 KUBERNETES_NODE 日志类型的日志字段及其对应的 UDM 字段。
| Resource types | Log field | UDM mapping | Logic |
|---|---|---|---|
k8s_container |
labels.upstream_host |
about.ip |
|
k8s_pod |
labels.activity_type_name |
about.labels [activity_type_name] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.requestAttributes.time |
about.labels [caller_network_request_time] |
|
duration |
about.labels [duration] |
||
k8s_node |
jsonPayload.action |
about.labels [jsonpayload_action] |
|
k8s_cluster, k8s_pod, k8s_node |
jsonPayload.apiVersion |
about.labels [jsonpayload_api_version] |
|
gke_nodepool, k8s_pod, k8s_cluster |
jsonPayload.@type |
about.labels [jsonpayload_at_type] |
|
k8s_container |
jsonPayload.chartVersion |
about.labels [jsonpayload_chart_version] |
|
k8s_container |
jsonPayload.clusterDistribution |
about.labels [jsonpayload_cluster_distribution] |
|
k8s_container |
jsonPayload.componentName |
about.labels [jsonpayload_component_name] |
|
k8s_container |
jsonPayload.componentVersion |
about.labels [jsonpayload_component_version] |
|
k8s_container |
jsonPayload.coresPerReplica |
about.labels [jsonpayload_cores_per_replica] |
|
k8s_cluster |
jsonPayload.eventTime |
about.labels [jsonpayload_event_time] |
|
k8s_container |
jsonPayload.includeUnschedulableNodes |
about.labels [jsonpayload_include_unschedulable_nodes] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.kind |
about.labels [jsonpayload_kind] |
|
k8s_container |
jsonPayload.log |
about.labels [jsonpayload_log] |
|
k8s_container |
jsonPayload.logtag |
about.labels [jsonpayload_logtag] |
|
k8s_container |
jsonPayload.preventSinglePointFailure |
about.labels [jsonpayload_prevent_single_point_failure] |
|
k8s_cluster |
jsonPayload.status.measureTime |
about.labels [jsonpayload_status_measure_time] |
|
k8s_node |
jsonPayload.SYSLOG_FACILITY |
about.labels [jsonpayload_syslog_facility] |
|
k8s_node |
jsonPayload.SYSLOG_IDENTIFIER |
about.labels [jsonpayload_syslog_identifier] |
|
k8s_node |
jsonPayload.SYSLOG_TIMESTAMP |
about.labels [jsonpayload_syslog_timestamp] |
|
k8s_container |
jsonPayload.timestamp |
about.labels [jsonpayload_timestamp] |
|
k8s_pod, k8s_cluster, k8s_node, k8s_container |
jsonPayload.type |
about.labels [jsonpayload_type] |
|
k8s_container |
jsonPayload.v |
about.labels [jsonpayload_v] |
|
k8s_container |
labels.protocol |
about.labels [labels_protocol] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.lastTimestamp |
about.labels [last_timestamp] |
|
k8s_container |
jsonPayload.localTimestamp |
about.labels [local_timestamp] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.apiVersion |
about.labels [managed_fields_api_version] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.apiVersion |
about.labels [managed_fields_api_version] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.fieldsType |
about.labels [managed_fields_fields_type] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.manager |
about.labels [managed_fields_manager] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.operation |
about.labels [managed_fields_operation] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.operation |
about.labels [managed_fields_operation] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.time |
about.labels [managed_fields_time] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.time |
about.labels [managed_fields_time] |
|
k8s_cluster |
protoPayload.request.metadata.managedFields.fieldsType |
about.labels [managed_fields_type] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.name |
about.labels [metadata_name] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.namespace |
about.labels [metadata_namespace] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.resourceVersion |
about.labels [metadata_resourceversion] |
|
k8s_container |
jsonPayload.nodesPerReplica |
about.labels [nodes_per_replica] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.first |
about.labels [operation_first] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.id |
about.labels [operation_id] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.last |
about.labels [operation_last] |
|
gke_cluster, gke_nodepool, k8s_pod, k8s_cluster, k8s_node |
operation.producer |
about.labels [operation_producer] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.@type |
about.labels [protopayload_at_type] |
|
k8s_cluster |
protoPayload.request.spec.acquireTime |
about.labels [protopayload_req_spec_acquire_time] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.request.@type |
about.labels [protopayload_request_at_type] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.fieldsType |
about.labels [protopayload_res_meta_field_type] |
|
k8s_cluster |
protoPayload.request.metadata.annotations.control-plane.alpha.kubernetes.io/leader |
about.labels [req_annotations_control_panel_kubernetes_leader] |
|
gke_cluster |
protoPayload.response.startTime |
about.labels [res_start_time] |
|
k8s_pod, k8s_cluster |
protoPayload.response.metadata.annotations.control-plane.alpha.kubernetes.io/leader |
about.labels [resp_metadata_annotations_control-plane.alpha.kubernetes.io/leader] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.manager |
about.labels [resp_metadata_managedFields_manager] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.operation |
about.labels [resp_metadata_managedFields_operation] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.time |
about.labels [resp_metadata_managedFields_time] |
|
k8s_cluster |
protoPayload.response.metadata.managedFields.apiVersion |
about.labels [resp_metadata_managed_api_version] |
|
k8s_cluster |
protoPayload.response.spec.acquireTime |
about.labels [resp_spec_acquire_time] |
|
k8s_cluster |
protoPayload.response.spec.groups |
about.labels [resp_spec_groups] |
|
gke_cluster, gke_nodepool, k8s_cluster |
protoPayload.response.@type |
about.labels [response_type] |
|
start_time |
about.labels [start_time] |
||
gke_cluster, gke_nodepool, k8s_control_plane_component, k8s_pod, k8s_cluster, k8s_node, k8s_container, k8s_service |
textPayload |
about.labels [textpayload] |
|
upstream_service_time |
about.labels [upstream_service_time] |
||
x_carbon_log_ext1 |
about.labels [x_carbon_log_ext1] |
||
k8s_container |
labels.upstream_host |
about.port |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.reportingInstance |
about.resource.name |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.reportingComponent |
about.resource.resource_subtype |
|
gke_cluster |
protoPayload.response.selfLink |
about.url |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.managedFields.manager |
about.user.user_display_name |
|
x_forwarded_for |
src.ip |
The first value of the x_forwarded_for log field array is mapped to src.ip UDM field. |
|
x_forwarded_for |
principal.ip |
The second value of the x_forwarded_for log field array is mapped to principal.ip UDM field. |
|
x_forwarded_for |
intermediary.ip |
The third and all other successive values of the x_forwarded_for log field array is mapped to intermediary.ip UDM field. |
|
jsonPayload.httpRequest.x-forwarded-for |
src.ip |
The first value of the jsonPayload.httpRequest.x-forwarded-for log field array is mapped to src.ip UDM field. |
|
jsonPayload.httpRequest.x-forwarded-for |
principal.ip |
The second value of the jsonPayload.httpRequest.x-forwarded-for log field array is mapped to principal.ip UDM field. |
|
jsonPayload.httpRequest.x-forwarded-for |
intermediary.ip |
The third and all other successive values of the jsonPayload.httpRequest.x-forwarded-for log field array is mapped to intermediary.ip UDM field. |
|
k8s_pod, k8s_cluster, k8s_node, k8s_container, k8s_control_plane_component |
jsonPayload.message |
metadata.description |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.methodName |
metadata.product_event_type |
|
request_id |
metadata.product_log_id |
||
protocol |
network.application_protocol |
||
k8s_node |
jsonPayload.connection.direction |
network.direction |
The network.direction UDM field is set to one of the following values:
|
k8s_container |
labels.upstream_cluster |
network.direction |
|
k8s_container |
jsonPayload.request_length |
network.received_bytes |
|
k8s_container |
jsonPayload.request_uri |
principal.url |
|
k8s_container |
jsonPayload.request_method |
network.http.method |
|
k8s_container |
jsonPayload.remote_addr |
principal.ip |
|
k8s_container |
jsonPayload.server_protocol |
network.application_protocol |
Extracted application_protocol from jsonPayload.server_protocol log field using Grok pattern and mapped it to the network.application_protocol UDM field. |
k8s_container |
jsonPayload.server_protocol |
network.application_protocol_version |
Extracted application_protocol_version from jsonPayload.server_protocol log field using Grok pattern and mapped it to the network.application_protocol_version UDM field. |
k8s_container |
jsonPayload.status |
network.http.response_code |
|
k8s_container |
jsonPayload.http_host |
principal.hostname |
|
k8s_container |
jsonPayload.http_host |
principal.asset.hostname |
|
k8s_container |
jsonPayload.http_user_agent |
network.http.user_agent |
|
k8s_container |
jsonPayload.ssl_protocol |
network.tls.version |
|
k8s_container |
jsonPayload.remote_user |
principal.user.userid |
|
k8s_container |
jsonPayload.upstream_addr |
target.ip |
Extracted ip from jsonPayload.upstream_addr log field using Grok pattern and mapped it to the target.ip UDM field. |
k8s_container |
jsonPayload.upstream_addr |
target.port |
Extracted port from jsonPayload.upstream_addr log field using Grok pattern and mapped it to the target.port UDM field. |
k8s_container |
jsonPayload.http_referrer |
network.http.referral_url |
|
k8s_container |
jsonPayload.bytes_sent |
network.sent_bytes |
|
k8s_container |
jsonPayload.server_port |
target.nat_port |
|
k8s_container |
jsonPayload.upstream_response_time |
additional.fields[jsonpayload_upstream_response_time] |
|
k8s_container |
jsonPayload.msec |
additional.fields[jsonpayload_msec] |
|
k8s_container |
jsonPayload.upstream_connect_time |
additional.fields[jsonpayload_upstream_connect_time] |
|
k8s_container |
jsonPayload.body_bytes_sent |
additional.fields[jsonpayload_body_bytes_sent] |
|
k8s_container |
jsonPayload.request_time |
additional.fields[jsonpayload_request_time] |
|
k8s_container |
jsonPayload.http_method |
additional.fields[jsonpayload_http_method] |
|
k8s_container |
jsonPayload.http_version |
additional.fields[jsonpayload_http_version] |
|
k8s_container |
jsonPayload.response_code |
additional.fields[jsonpayload_response_code] |
|
upstream_cluster |
network.direction |
The network.direction UDM field is set to one of the following values:
|
|
labels.upstream_cluster |
network.direction |
The network.direction UDM field is set to one of the following values:
|
|
method |
network.http.method |
||
k8s_cluster |
protoPayload.request.spec.nonResourceAttributes.verb |
network.http.method |
|
k8s_container |
jsonPayload.http.req.method |
network.http.method |
|
k8s_container |
jsonPayload.http.req.path |
network.http.referral_url |
|
k8s_cluster |
protoPayload.request.spec.nonResourceAttributes.path |
network.http.referral_url |
|
response_code |
network.http.response_code |
||
gke_nodepool, k8s_cluster, audited_resource |
protoPayload.status.code |
network.http.response_code |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.callerSuppliedUserAgent |
network.http.user_agent |
|
user_agent |
network.http.user_agent |
||
k8s_node |
jsonPayload.connection.protocol |
network.ip_protocol |
|
bytes_received |
network.received_bytes |
||
k8s_container |
duration |
network.received_bytes |
|
bytes_sent |
network.sent_bytes |
||
k8s_container |
labels.total_sent_bytes |
network.sent_bytes |
|
k8s_container |
jsonPayload.session |
network.session_id |
|
k8s_container |
labels.service_authentication_policy |
network.tls.cipher |
|
authority |
principal.administrative_domain |
||
k8s_container |
labels.source_principal |
principal.administrative_domain |
|
k8s_container |
labels.source_app |
principal.application |
|
k8s_container |
jsonPayload.hostname |
principal.hostname |
|
k8s_container |
labels.source_name |
principal.hostname |
|
k8s_pod, k8s_node |
jsonPayload.source.host |
principal.hostname |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.requestMetadata.callerIp |
principal.ip |
|
k8s_node |
jsonPayload.connection.src_ip |
principal.ip |
|
k8s_container |
labels.source_ip |
principal.ip |
|
k8s_node |
jsonPayload._CAP_EFFECTIVE |
principal.labels [jsonpayload_cap_effective] |
|
k8s_container |
jsonPayload.currency |
principal.labels [jsonpayload_currency] |
|
k8s_container |
jsonPayload.envTime |
principal.labels [jsonpayload_env_time] |
|
k8s_node |
jsonPayload._GID |
principal.labels [jsonpayload_gid] |
|
k8s_container |
jsonPayload.http.req.id |
principal.labels [jsonpayload_http_req_id] |
|
k8s_node |
jsonPayload._SELINUX_CONTEXT |
principal.labels [jsonpayload_selinux_context] |
|
k8s_node |
jsonPayload._SOURCE_REALTIME_TIMESTAMP |
principal.labels [jsonpayload_source_realtime_timestamp] |
|
k8s_node |
jsonPayload._STREAM_ID |
principal.labels [jsonpayload_stream_id] |
|
k8s_container |
jsonPayload.traceLevel |
principal.labels [jsonpayload_trace_level] |
|
k8s_node |
jsonPayload._TRANSPORT |
principal.labels [jsonpayload_transport] |
|
k8s_node |
jsonPayload._UID |
principal.labels [jsonpayload_uid] |
|
audited_resource |
protoPayload.request.filter |
principal.labels [protopayload_request_filter] |
|
audited_resource |
protoPayload.request.requests.features.type |
principal.labels [protopayload_requests_features_type] |
|
gke_cluster, gke_nodepool |
protoPayload.requestMetadata.requestAttributes.reason |
principal.labels [request_attributes_reason] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.source.component |
principal.labels [source_component] |
|
k8s_container |
labels.source_version |
principal.labels [source_version] |
|
k8s_container |
labels.source_workload |
principal.labels [source_workload] |
|
k8s_node |
jsonPayload.src.workload_kind |
principal.labels [src_workload_kind] |
|
k8s_node |
jsonPayload.src.workload_name |
principal.labels [src_workload_name] |
|
k8s_node |
jsonPayload._SYSTEMD_CGROUP |
principal.labels [systemd_cgroup] |
|
k8s_node |
jsonPayload._SYSTEMD_INVOCATION_ID |
principal.labels [systemd_invocation_id] |
|
k8s_node |
jsonPayload._SYSTEMD_SLICE |
principal.labels [systemd_slice] |
|
k8s_node |
jsonPayload._SYSTEMD_UNIT |
principal.labels [systemd_unit ] |
|
audited_resource |
protoPayload.requestMetadata.callerNetwork |
principal.labels [caller_network] |
|
k8s_node |
jsonPayload.src.namespace |
principal.namespace |
|
k8s_node |
jsonPayload.src.pod_namespace |
principal.namespace |
|
k8s_container |
labels.source_namespace |
principal.namespace |
|
k8s_node |
jsonPayload.connection.src_port |
principal.port |
|
k8s_container |
labels.source_port |
principal.port |
|
k8s_node |
jsonPayload._CMDLINE |
principal.process.command_line |
|
k8s_node |
jsonPayload._EXE |
principal.process.file.full_path |
|
k8s_node |
jsonPayload._COMM |
principal.process.file.names |
|
k8s_node |
jsonPayload._PID |
principal.process.pid |
|
k8s_node |
jsonPayload._BOOT_ID |
principal.resource_ancestors.attribute.labels [jsonpayload_boot_id] |
|
k8s_container |
jsonPayload.releaseTrain |
principal.resource_ancestors.attribute.labels [release_train] |
|
gke_cluster |
protoPayload.request.cluster.initialClusterVersion |
principal.resource_ancestors.attribute.labels [req_cls_initial_cluster_version] |
|
gke_cluster |
protoPayload.request.cluster.locations |
principal.resource_ancestors.attribute.labels [req_cls_locations] |
|
gke_cluster |
protoPayload.request.cluster.location |
principal.resource_ancestors.attribute.labels [req_cluster_location] |
|
k8s_node |
jsonPayload.src.pod_name |
principal.resource_ancestors.name |
|
k8s_node |
jsonPayload._HOSTNAME |
principal.resource_ancestors.name |
|
gke_cluster |
protoPayload.request.cluster.loggingConfig.componentConfig.enableComponents |
principal.resource.attribute.labels [cluster_loggingConfig_componentConfig_enableComponents] |
|
gke_cluster |
protoPayload.request.cluster.monitoringConfig.componentConfig.enableComponents |
principal.resource.attribute.labels [cluster_monitoringConfig_componentConfig_enableComponents] |
|
k8s_node |
jsonPayload.count |
principal.resource.attribute.labels [jsonpayload_count] |
|
k8s_container |
jsonPayload.region |
principal.resource.attribute.labels [jsonpayload_region] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.metadata.creationTimestamp |
principal.resource.attribute.labels [metadata_creation_time_stamp] |
|
k8s_pod |
protoPayload.metadata.creationTimestamp |
principal.resource.attribute.labels [req_creation_timestamp] |
|
k8s_container |
labels.source_canonical_revision |
principal.resource.attribute.labels [source_canonical_revision] |
|
k8s_container |
labels.source_canonical_service |
principal.resource.attribute.labels [source_canonical_service] |
|
k8s_node |
jsonPayload._MACHINE_ID |
principal.resource.product_object_id |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authorizationInfo.granted |
principal.user.attribute.labels [authorization_granted] |
|
audited_resource |
protoPayload.request.pageToken |
principal.user.attribute.labels [protopayload_request_page_token] |
|
audited_resource |
protoPayload.request.pageSize |
principal.user.attribute.labels [req_page_size] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authorizationInfo.permission |
principal.user.attribute.permissions.name |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authenticationInfo.principalEmail |
principal.user.email_addresses |
If the protoPayload.authenticationInfo.principalEmail log field value is matched with regular expression .@., then the following fields are mapped:
Else, the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.userid UDM field. |
audited_resource |
protoPayload.authenticationInfo.serviceAccountDelegationInfo.firstPartyPrincipal.principalEmail |
principal.user.email_addresses |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authenticationInfo.principalEmail |
principal.user.userid |
If the protoPayload.authenticationInfo.principalEmail log field value is matched with regular expression .@., then the following fields are mapped:
Else, the protoPayload.authenticationInfo.principalEmail log field is mapped to the principal.user.userid UDM field. |
k8s_container |
labels.mesh_uid |
principal.user.userid |
|
k8s_cluster |
protoPayload.request.metadata.uid |
principal.user.userid |
If the principal.user.userid log field value is not empty, then the protoPayload.request.metadata.uid log field is mapped to the principal.user.userid UDM field.Else, the protoPayload.request.metadata.uid log field is mapped to the principal.labels UDM field. |
audited_resource |
protoPayload.authenticationInfo.principalSubject |
principal.user.userid |
|
k8s_cluster |
labels.authorization.k8s.io/decision |
security_result.action |
|
k8s_container |
labels.connection_state |
security_result.action |
The security_result.action UDM field is set to one of the following values:
|
k8s_node |
jsonPayload.disposition |
security_result.action_details |
|
k8s_cluster |
labels.authorization.k8s.io/reason |
security_result.action_details |
|
gke_nodepool, k8s_cluster, audited_resource |
protoPayload.status.message |
security_result.description |
|
gke_cluster |
protoPayload.response.status |
security_result.description |
|
k8s_pod |
labels.logMessage |
security_result.description |
|
k8s_pod |
labels.errorGroupId |
security_result.detection_fields [error_group_id] |
|
k8s_pod |
jsonPayload.errorEvent.eventTime |
security_result.detection_fields [jsonpayload_error_event_event_time] |
|
k8s_pod |
jsonPayload.errorEvent.message |
security_result.detection_fields [jsonpayload_error_event_message] |
|
k8s_pod |
jsonPayload.errorEvent.serviceContext.service |
security_result.detection_fields [jsonpayload_error_event_service_context_service] |
|
k8s_pod |
jsonPayload.errorGroup |
security_result.detection_fields [jsonpayload_error_group] |
|
k8s_pod |
jsonPayload.errorEvent.serviceContext.resourceType |
security_result.detection_fields [jsonpayload_error_service_context_resource_type] |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.resourceName |
security_result.detection_fields [protopayload_resource_name] |
|
audited_resource |
protoPayload.authenticationInfo.serviceAccountKeyName |
security_result.detection_fields [service_account_key_name] |
|
k8s_node |
jsonPayload.PRIORITY |
security_result.priority_details |
|
k8s_node |
jsonPayload.policies.namespace |
security_result.rule_labels [policy_namespace] |
|
k8s_node |
jsonPayload.policies.name |
security_result.rule_name |
|
response_flags |
security_result.summary |
||
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.reason |
security_result.summary |
|
k8s_container |
sourceLocation.function |
src.application |
|
k8s_node, k8s_container, k8s_control_plane_component |
sourceLocation.file |
src.file.full_path |
|
k8s_node, k8s_container, k8s_control_plane_component |
sourceLocation.line |
src.labels [source_location_line] |
|
k8s_container |
labels.destination_principal |
target.administrative_domain |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.serviceName |
target.application |
|
k8s_container |
labels.destination_app |
target.application |
|
k8s_container |
labels.destination_canonical_service |
target.application |
|
audited_resource |
resource.labels.service |
target.application |
|
x_downstream_host |
target.asset.attribute.labels [x_downstream_host] |
||
k8s_container |
labels.path |
target.file.full_path |
|
path |
target.file.full_path |
||
k8s_container |
labels.destination_service_host |
target.hostname |
|
k8s_node |
jsonPayload.connection.dest_ip |
target.ip |
|
k8s_container |
labels.destination_ip |
target.ip |
|
upstream_host |
target.ip |
||
k8s_node |
jsonPayload.dest.workload_name |
target.labels [dest_workload_name] |
|
k8s_container |
labels.destination_name |
target.labels [destination_name] |
|
k8s_container |
labels.destination_version |
target.labels [destination_version] |
|
k8s_container |
labels.destination_workload |
target.labels [destination_workload] |
|
audited_resource |
protoPayload.numResponseItems |
target.labels [num_response_items] |
|
gke_cluster |
protoPayload.request.update.desiredLoggingConfig.componentConfig.enableComponents |
target.labels [req_update_desiredLoggingConfig_componentConfig_enableComponents] |
|
k8s_cluster |
protoPayload.response.spec.nonResourceAttributes.path |
target.labels [resp_spec_non_resource_attributes_path] |
|
k8s_cluster |
protoPayload.response.spec.nonResourceAttributes.verb |
target.labels [resp_spec_non_resource_attributes_verb] |
|
x_b3_parentspanid |
target.labels [x_b3_parent_span_id] |
||
x_b3_sampled |
target.labels [x_b3_sample_d] |
||
x_b3_span_id |
target.labels [x_b3_span_id] |
||
x_b3_trace_id |
target.labels [x_b3_trace_id] |
||
k8s_node |
jsonPayload.dest.pod_namespace |
target.namespace |
|
k8s_node |
jsonPayload.dest.namespace |
target.namespace |
|
k8s_container |
labels.destination_namespace |
target.namespace |
|
k8s_cluster |
protoPayload.request.metadata.namespace |
target.namespace |
|
k8s_container |
labels.destination_ip |
target.port |
|
upstream_host |
target.port |
||
k8s_node |
jsonPayload.connection.dest_port |
target.port |
|
k8s_container |
labels.destination_port |
target.port |
|
k8s_control_plane_component, k8s_node, k8s_container |
jsonPayload.pid |
target.process.pid |
|
k8s_pod |
labels.deploymentVersion |
target.resource_ancestors.attribute.labels [deployment_version] |
|
k8s_container |
labels.k8s-pod/kubernetes_io/cluster-service |
target.resource_ancestors.attribute.labels [pod_cluster_service] |
|
k8s_container |
labels.k8s-pod/component |
target.resource_ancestors.attribute.labels [pod_component] |
|
k8s_container |
labels.k8s-pod/controller-revision-hash |
target.resource_ancestors.attribute.labels [pod_controller_revision_hash] |
|
k8s_container |
labels.k8s-pod/dsName |
target.resource_ancestors.attribute.labels [pod_ds_name] |
|
k8s_container |
labels.k8s-pod/hub.gke.io/project |
target.resource_ancestors.attribute.labels [pod_gke_project] |
|
k8s_container |
labels.k8s-pod/security_istio_io/tlsMode |
target.resource_ancestors.attribute.labels [pod_security_tls_mode] |
|
k8s_container |
labels.k8s-pod/service_istio_io/canonical-name |
target.resource_ancestors.attribute.labels [pod_service_canonical_name] |
|
k8s_container |
labels.k8s-pod/pod-template-generation |
target.resource_ancestors.attribute.labels [pod_template_generation] |
|
gke_cluster |
protoPayload.request.cluster.network |
target.resource_ancestors.attribute.labels [req_cls_network] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.management.autoRepair |
target.resource_ancestors.attribute.labels [req_clsNodePools_autorepair] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.autoscaling.enabled |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoscaling_enabled] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.autoscaling.maxNodeCount |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoscaling_max_node_cnt] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.autoscaling.minNodeCount |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoscaling_min_node_cnt] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.management.autoUpgrade |
target.resource_ancestors.attribute.labels [req_clsNodePools_autoupgrade] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.diskSizeGb |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_disksize] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.diskType |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_diskType] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.imageType |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_imagetype] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.machineType |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_machinetype] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.metadata.disable-legacy-endpoints |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_metadata_disable-legacy-endpoints] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.config.oauthScopes |
target.resource_ancestors.attribute.labels [req_clsNodePools_config_oauth_scopes] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.upgradeSettings.maxSurge |
target.resource_ancestors.attribute.labels [req_clsNodePools_upgradeSettings_maxSurge] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.initialNodeCount |
target.resource_ancestors.attribute.labels [req_clsterNodePools_autoscaling_initial_node_cnt] |
|
gke_nodepool |
protoPayload.request.nodePool.maxPodsConstraint |
target.resource_ancestors.attribute.labels [req_node_pool_name] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.name |
target.resource_ancestors.name |
|
gke_cluster, gke_nodepool, k8s_cluster, audited_resource |
protoPayload.authorizationInfo.resource |
target.resource_ancestors.name |
|
k8s_node |
jsonPayload.dest.workload_kind |
target.resource_ancestors.name |
|
gke_cluster, audited_resource |
protoPayload.request.parent |
target.resource_ancestors.name |
|
| k8s_container | jsonPayload.nodeName |
target.resource_ancestors.name |
If the resource.type log field value is equal to k8s_container, then the jsonPayload.nodeName log field is mapped to the target.resource_ancestors.name UDM field. |
k8s_container |
labels.instance_name |
target.resource_ancestors.name |
|
gke_cluster |
protoPayload.request.cluster.subnetwork |
target.resource_ancestors.name |
|
k8s_container |
labels.requested_server_name |
target.resource_ancestors.name |
|
k8s_pod |
labels.deploymentAppId |
target.resource_ancestors.name |
|
k8s_node |
jsonPayload.dest.pod_name |
target.resource_ancestors.name |
|
k8s_container |
labels.compute.googleapis.com/resource_name |
target.resource_ancestors.name |
|
gke_cluster, gke_nodepool |
protoPayload.resourceLocation.currentLocations |
target.resource.attribute.cloud.availability_zone |
If the index log field value is equal to 0, then the protoPayload.resourceLocation.currentLocations log field is mapped to the token_target.resource.attribute.cloud.availability_zone UDM field.Else, the protoPayload.resourceLocation.currentLocations log field is mapped to the target.resource.attribute.labels.value UDM field. |
k8s_cluster |
protoPayload.response.metadata.creationTimestamp |
target.resource.attribute.creation_time |
|
k8s_container |
labels.agent_version |
target.resource.attribute.labels [agent_version] |
|
k8s_container |
labels.connection_id |
target.resource.attribute.labels [connection_id] |
|
k8s_container |
labels.k8s-pod/container-watcher-unique-id |
target.resource.attribute.labels [container_watcher_unique_id] |
|
k8s_container |
labels.destination_canonical_revision |
target.resource.attribute.labels [destination_canonical_revision] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.apiVersion |
target.resource.attribute.labels [jsonpayload_involved_object_apiVersion] |
|
k8s_pod |
jsonPayload.involvedObject.fieldPath |
target.resource.attribute.labels [jsonpayload_involved_object_field_path] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.kind |
target.resource.attribute.labels [jsonpayload_involved_object_kind] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.name |
target.resource.attribute.labels [jsonpayload_involved_object_name] |
If the resource.type log field value is equal to k8s_cluster, then the jsonPayload.involvedObject.name log field is mapped to the target.resource.attribute.labels.value UDM field. |
k8s_pod, k8s_cluster |
jsonPayload.involvedObject.namespace |
target.resource.attribute.labels [jsonpayload_involved_object_namespace] |
|
k8s_pod, k8s_cluster |
jsonPayload.involvedObject.resourceVersion |
target.resource.attribute.labels [jsonpayload_involved_object_resourceVersion] |
|
k8s_pod, k8s_cluster, k8s_node |
jsonPayload.involvedObject.uid |
target.resource.attribute.labels [jsonpayload_involved_object_uid] |
|
k8s_container |
labels.destination_service_name |
target.resource.attribute.labels [labels_destination_service_name] |
|
k8s_container |
labels.k8s-pod/app |
target.resource.attribute.labels [labels_k8s_pod_app] |
|
k8s_container |
labels.k8s-pod/k8s-app |
target.resource.attribute.labels [labels_k8s_pod_k8s_app] |
|
k8s_container |
labels.k8s-pod/name |
target.resource.attribute.labels [labels_k8s_pod_name] |
|
k8s_container |
labels.k8s-pod/clm_test |
target.resource.attribute.labels [clm_test] |
|
k8s_container |
labels.log_sampled |
target.resource.attribute.labels [labels_log_sampled] |
|
k8s_container |
labels.request_id |
target.resource.attribute.labels [labels_request_id] |
|
k8s_container |
labels.response_flag |
target.resource.attribute.labels [labels_response_flag] |
|
k8s_container |
labels.x_carbon_log_ext1 |
target.resource.attribute.labels [labels_x_carbon_log_ext1] |
|
k8s_container |
labels.gke.googleapis.com/log_type |
target.resource.attribute.labels [log_type] |
|
gke_cluster |
protoPayload.metadata.operationType |
target.resource.attribute.labels [metadata_operationType] |
|
k8s_pod |
labels.clouderrorreporting.googleapis.com/notification_trigger_error_ingestion_time |
target.resource.attribute.labels [notification_trigger_error_ingestion_time] |
|
k8s_pod |
labels.notificationType |
target.resource.attribute.labels [notification_type] |
|
gke_cluster, audited_resource |
protoPayload.request.name |
target.resource.attribute.labels [proto_req_name] |
|
k8s_cluster |
protoPayload.request.metadata.name |
target.resource.attribute.labels [protopayload_metadata_name] |
|
k8s_cluster |
protoPayload.request.metadata.resourceVersion |
target.resource.attribute.labels [protopayload_metadata_resourceversion] |
|
gke_cluster |
protoPayload.request.cluster.binaryAuthorization.evaluationMode |
target.resource.attribute.labels [protopayload_request_cluster_binary_auth_eval_mode] |
|
audited_resource |
protoPayload.request.contentType |
target.resource.attribute.labels [protopayload_request_content_type] |
|
k8s_cluster |
protoPayload.request.kind |
target.resource.attribute.labels [protopayload_request_kind] |
|
gke_cluster |
protoPayload.request.cluster.addonsConfig.gcePersistentDiskCsiDriverConfig.enabled |
target.resource.attribute.labels [req_cls_addonsConfig_gcePersistentDiskCsiDriverConfig_enabled] |
|
gke_cluster |
protoPayload.request.cluster.releaseChannel.channel |
target.resource.attribute.labels [req_cls_channel] |
|
gke_cluster |
protoPayload.request.cluster.enableKubernetesAlpha |
target.resource.attribute.labels [req_cls_enableKubernetesAlpha] |
|
gke_cluster |
protoPayload.request.cluster.ipAllocationPolicy.stackType |
target.resource.attribute.labels [req_cls_ipAllocationPolicy_stackType] |
|
gke_cluster |
protoPayload.request.cluster.addonsConfig.networkPolicyConfig.disabled |
target.resource.attribute.labels [req_cls_policy_config_disabled] |
|
gke_nodepool |
protoPayload.request.nodePool.config.diskSizeGb |
target.resource.attribute.labels [req_node_pool_config_diskSizeGb] |
|
gke_nodepool |
protoPayload.request.nodePool.config.diskType |
target.resource.attribute.labels [req_node_pool_config_diskType] |
|
gke_nodepool |
protoPayload.request.nodePool.config.imageType |
target.resource.attribute.labels [req_node_pool_config_imageType] |
|
gke_nodepool |
protoPayload.request.nodePool.config.machineType |
target.resource.attribute.labels [req_node_pool_config_machineType] |
|
gke_nodepool |
protoPayload.request.nodePool.config.metadata.disable-legacy-endpoints |
target.resource.attribute.labels [req_node_pool_config_metadata_disable_legacy_endpoints] |
|
gke_nodepool |
protoPayload.request.nodePool.config.oauthScopes |
target.resource.attribute.labels [req_node_pool_config_oauth_scopes] |
|
gke_nodepool |
protoPayload.request.nodePool.networkConfig.enablePrivateNodes |
target.resource.attribute.labels [req_node_pool_enable_private_nodes] |
|
gke_nodepool |
protoPayload.request.nodePool.initialNodeCount |
target.resource.attribute.labels [req_node_pool_initial_node_cnt] |
|
gke_nodepool |
protoPayload.request.nodePool.management.autoRepair |
target.resource.attribute.labels [req_node_pool_management_auto_repair] |
|
gke_nodepool |
protoPayload.request.nodePool.management.autoUpgrade |
target.resource.attribute.labels [req_node_pool_management_auto_upgrade] |
|
gke_nodepool |
protoPayload.request.nodePool.upgradeSettings.maxSurge |
target.resource.attribute.labels [req_node_pool_upgrade_settings_max_surge] |
|
gke_nodepool |
protoPayload.request.nodePool.upgradeSettings.strategy |
target.resource.attribute.labels [req_node_pool_upgrade_settings_strategy] |
|
gke_nodepool |
protoPayload.request.nodePool.version |
target.resource.attribute.labels [req_nodepool_version] |
|
gke_cluster |
protoPayload.request.cluster.ipAllocationPolicy.useIpAliases |
target.resource.attribute.labels [requ_cls_ipAllocationPolicy_useIpAliases] |
|
gke_cluster |
protoPayload.request.cluster.networkConfig.datapathProvider |
target.resource.attribute.labels [requ_cls_networkConfig_datapathProvider] |
|
gke_cluster |
protoPayload.request.cluster.nodePools.upgradeSettings.strategy |
target.resource.attribute.labels [requ_cls_nodePools_upgradeSettings_strategy] |
|
requested_server_name |
target.resource.attribute.labels [requested_server_name] |
||
gke_cluster |
protoPayload.response.name |
target.resource.attribute.labels [res_name] |
|
gke_cluster |
protoPayload.response.operationType |
target.resource.attribute.labels [res_operation_type] |
|
k8s_cluster |
protoPayload.response.apiVersion |
target.resource.attribute.labels [resp_api_version] |
|
k8s_cluster |
protoPayload.response.kind |
target.resource.attribute.labels [resp_kind] |
|
k8s_cluster |
protoPayload.response.metadata.name |
target.resource.attribute.labels [resp_metadata_name] |
|
k8s_cluster |
protoPayload.response.metadata.namespace |
target.resource.attribute.labels [resp_metadata_namespace] |
|
k8s_cluster |
protoPayload.response.metadata.resourceVersion |
target.resource.attribute.labels [resp_metadata_resource_version] |
|
k8s_cluster |
protoPayload.response.metadata.uid |
target.resource.attribute.labels [resp_metadata_uid] |
|
k8s_container |
labels.response_details |
target.resource.attribute.labels [response_details] |
|
k8s_container |
labels.route_name |
target.resource.attribute.labels [route_name] |
|
k8s_container |
labels.k8s-pod/pod-template-hash |
target.resource.attribute.labels [template_hash] |
|
audited_resource |
resource.labels.method |
target.resource.attribute.labels [rc_method] |
|
k8s_cluster |
protoPayload.request.status.conditions.reason |
target.resource.attribute.permissions.description |
|
gke_cluster |
protoPayload.request.cluster.name |
target.resource.name |
|
k8s_node |
jsonPayload.node_name |
target.resource.name |
If the resource.type log field value is equal to k8s_node, then the jsonPayload.node_name log field is mapped to the target.resource.name UDM field. |
k8s_container |
jsonPayload.azureResourceID |
target.resource.product_object_id |
|
gke_cluster |
protoPayload.response.targetLink |
target.url |
|
k8s_cluster |
protoPayload.request.spec.leaseTransitions |
target.user.attribute.labels [request_lease_transitions] |
|
k8s_cluster |
protoPayload.request.spec.holderIdentity |
target.user.attribute.labels [request_spec_holderIdentity] |
|
k8s_cluster |
protoPayload.request.spec.renewTime |
target.user.attribute.labels [request_spec_renew_time] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.group |
target.user.attribute.labels [request_spec_resource_group] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.verb |
target.user.attribute.labels [request_spec_resource_verb] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.version |
target.user.attribute.labels [request_spec_resource_version] |
|
k8s_cluster |
protoPayload.request.spec.resourceAttributes.resource |
target.user.attribute.labels [request_spec_resource] |
|
k8s_cluster |
protoPayload.request.spec.uid |
target.user.attribute.labels [request_spec_uid] |
|
k8s_cluster |
protoPayload.request.spec.user |
target.user.attribute.labels [request_spec_user] |
|
k8s_cluster |
protoPayload.request.spec.leaseDurationSeconds |
target.user.attribute.labels [request_spec._ease_duration_sec] |
|
k8s_cluster |
protoPayload.request.status.allowed |
target.user.attribute.labels [request_status_allowed] |
|
k8s_cluster |
protoPayload.response.spec.leaseTransitions |
target.user.attribute.labels [res_lease_transitions] |
|
k8s_cluster |
protoPayload.response.spec.holderIdentity |
target.user.attribute.labels [resp_spec_holderIdentity] |
|
k8s_cluster |
protoPayload.response.spec.leaseDurationSeconds |
target.user.attribute.labels [resp_spec_lease_duration_sec] |
|
k8s_cluster |
protoPayload.response.spec.renewTime |
target.user.attribute.labels [resp_spec_renew_time] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.group |
target.user.attributes.labels [resp_resource_attributes_group] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.resource |
target.user.attributes.labels [resp_resource_attributes_resource] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.verb |
target.user.attributes.labels [resp_resource_attributes_verb] |
|
k8s_cluster |
protoPayload.response.spec.resourceAttributes.version |
target.user.attributes.labels [resp_resource_attributes_version] |
|
k8s_cluster |
protoPayload.request.spec.groups |
target.user.group_identifiers |
|
k8s_cluster |
protoPayload.response.spec.user |
target.user.user_display_name |
|
k8s_cluster |
protoPayload.response.spec.uid |
target.user.userid |
|
k8s_cluster |
jsonPayload.vulnerability.cveId |
extensions.vulns.vulnerabilities.cve_id |
|
k8s_cluster |
jsonPayload.vulnerability.cvssScore |
extensions.vulns.vulnerabilities.cvss_base_score |
|
k8s_cluster |
jsonPayload.vulnerability.cvssVector |
extensions.vulns.vulnerabilities.cvss_vector |
|
k8s_cluster |
jsonPayload.vulnerability.description |
extensions.vulns.vulnerabilities.description |
|
k8s_cluster |
jsonPayload.vulnerability.severity |
extensions.vulns.vulnerabilities.severity |
|
k8s_cluster |
jsonPayload.vulnerability.severity |
extensions.vulns.vulnerabilities.severity_details |
|
k8s_cluster |
jsonPayload.vulnerability.cpeUri |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_cpe_uri] |
|
k8s_cluster |
jsonPayload.vulnerability.fixedCpeUri |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixed_cpe_uri] |
|
k8s_cluster |
jsonPayload.vulnerability.relatedUrls |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_related_urls] |
|
k8s_cluster |
jsonPayload.vulnerability.packageName |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_package_name] |
|
k8s_cluster |
jsonPayload.vulnerability.packageType |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_package_type] |
|
k8s_cluster |
jsonPayload.vulnerability.fixedPackage |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixed_package] |
|
k8s_cluster |
jsonPayload.vulnerability.fixedPackageVersion |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_fixed_package_version] |
|
k8s_cluster |
jsonPayload.vulnerability.affectedImages |
extensions.vulns.vulnerabilities.about.security_result.detection_fields [vulnerability_affected_images] |
|
k8s_cluster |
jsonPayload.vulnerability.affectedPackageVersion |
extensions.vulns.vulnerabilities.about.security_result.detection_fields[vulnerability_affected_package_version] |