Log Forwarding - GCP Logging
Overview
GCP Stackdriver Logging is a service offer by Google Cloud Provider (GCP) for collecting and storing logs from applications and services. Valtix supports Log Forwarding to GCP Stackdriver Logging to send Security Events and Traffic Log information for processing, storage, access and correlation. The information sent is in a semi-structured JSON format where the attribute-value pairs can be accessed and processed.
Requirements
The GCP valtix-firewall Service Account must be assigned Logs Writer role in order for the Gateway to write events to the GCP Stackdriver Log.
Profile Parameters
| Parameter |
Deonticity |
Default |
Description |
| Profile Name |
Required |
|
A unique name to use to reference the Profile |
| Description |
Optional |
|
A description for the Profile |
| Destination |
Required |
GCP Logging (From Gateway) |
The SIEM used for the Profile |
| Log Name |
Required |
valtix-gateway-logs |
The name of the Stackdriver Log used to store events |
Field Integer to String Mappings
When events are forwarded from the Controller, the Controller introduces mappings of event field values to friendly names. When events are forwarded directly from the Gateway (e.g., GCP Logging), the Controller is not involved and thus the event field values are not mapped to friendly names. In order to interpret these fields, the user is responsible for performing the field value to friendly name mapping.
The fields, sub-fields and their value to friendly mapping are provided below:
| Field |
Integer |
String |
| action |
0 |
DUMMY_ACTION |
|
1 |
ALLOW |
|
2 |
DENY |
|
3 |
DROP |
|
4 |
REDIRECT |
|
5 |
PROXY |
|
6 |
LOG |
|
7 |
OTHER |
|
8 |
DELAY |
|
9 |
DETECT_SIG |
| Field |
Integer |
String |
| gatewaySecurityType |
1 |
INGRESS_FIREWALL |
|
2 |
EAST_WEST_AND_EGRESS_FIREWALL |
| Field |
Integer |
String |
| level |
1 |
DEBUG |
|
2 |
INFO |
|
3 |
NOTICE |
|
4 |
WARNING |
|
5 |
ERROR |
|
6 |
CRITICAL |
|
7 |
ALERT |
|
8 |
EMERGENCY |
| Field |
Integer |
String |
| policyMatchInfo.serviceType |
0 |
UNKNOWN |
|
1 |
PROXY |
|
2 |
FORWARDING |
|
3 |
REVERSE_PROXY |
|
4 |
FORWARD_PROXY |
| Field |
Integer |
String |
protocol
sessionSummaryInfo.egressConnection.protocol
sessionSummaryInfo.ingressConnect.protocol |
0 |
DUMMY |
|
1 |
ICMP |
|
6 |
TCP |
|
17 |
UDP |
|
252 |
HTTP |
| Field |
Integer |
String |
| rule.type |
0 |
DUMMY_RULE_TYPE |
|
1 |
THIRD_PARTY |
|
2 |
USER_DEFINED |
| Field |
Integer |
String |
statusText
ingressConnectionStates.state |
0 |
CLOSED |
|
1 |
SYN_SENT |
|
2 |
SYN_RECV |
|
3 |
ESTABLISHED |
|
4 |
FIN_WAIT |
|
5 |
CLOSE_WAIT |
|
6 |
LAST_ACK |
|
7 |
TIME_WAIT |
|
8 |
CLOSE |
| Field |
Integer |
String |
| type |
1 |
WAF |
|
2 |
DPI |
|
3 |
HTTP_REQUEST |
|
4 |
L4_FW |
|
5 |
FLOW_LOG |
|
6 |
MALICIOUS_IP |
|
7 |
TLS_ERROR |
|
8 |
TLS_LOG |
|
9 |
L7DOS |
|
10 |
SNI |
|
11 |
APPID |
|
12 |
URLFILTER |
|
13 |
SESSION_SUMMARY |
|
14 |
DLP |
|
15 |
FQDNFILTER |
|
16 |
AV |