Skip to content

GCP Logging Log Forwarding

Overview

GCP Stackdriver Logging is a service offer by Google Cloud Provider (GCP) for collecting and storing logs from applications and services. Valtix supports Log Forwarding to GCP Stackdriver Logging to send security events and other log information for processing, storage, access and correlation. The information sent is in an unstructured JSON format where GCP Stackdriver Logging can process the attribute-value pairs.

Requirements

The GCP valtix-firewall Service Account must be assigned Logs Writer role in order for the Gateway to write events to the GCP Stackdriver Log.

Profile Parameters

Parameter Deonticity Default Description
Profile Name Required A unique name to use to reference the Profile
Description Optional A description for the Profile
SIEM Vendor Required GCP Logging (From Gateway) The SIEM used for the Profile
Log Name Required valtix-gateway-logs The name of the Stackdriver Log used to store events

Field Integer to String Mappings

When events are forwarded from the Controller, the Controller introduces mappings of event field values to friendly names. When events are forwarded directly from the Gateway (e.g., GCP Logging), the Controller is not involved and thus the event field values are not mapped to friendly names. In order to interpret these fields, the user is responsible for performing the field value to friendly name mapping.

The fields, sub-fields and their value to friendly mapping are provided below:

Field Integer String
action 0 DUMMY_ACTION
1 ALLOW
2 DENY
3 DROP
4 REDIRECT
5 PROXY
6 LOG
7 OTHER
8 DELAY
9 DETECT_SIG
Field Integer String
gatewaySecurityType 1 INGRESS_FIREWALL
2 EAST_WEST_AND_EGRESS_FIREWALL
Field Integer String
level 1 DEBUG
2 INFO
3 NOTICE
4 WARNING
5 ERROR
6 CRITICAL
7 ALERT
8 EMERGENCY
Field Integer String
policyMatchInfo.serviceType 0 UNKNOWN
1 PROXY
2 FORWARDING
3 REVERSE_PROXY
4 FORWARD_PROXY
Field Integer String
protocol
sessionSummaryInfo.egressConnection.protocol
sessionSummaryInfo.ingressConnect.protocol
0 DUMMY
1 ICMP
6 TCP
17 UDP
252 HTTP
Field Integer String
rule.type 0 DUMMY_RULE_TYPE
1 THIRD_PARTY
2 USER_DEFINED
Field Integer String
statusText
ingressConnectionStates.state
0 CLOSED
1 SYN_SENT
2 SYN_RECV
3 ESTABLISHED
4 FIN_WAIT
5 CLOSE_WAIT
6 LAST_ACK
7 TIME_WAIT
8 CLOSE
Field Integer String
type 1 WAF
2 DPI
3 HTTP_REQUEST
4 L4_FW
5 FLOW_LOG
6 MALICIOUS_IP
7 TLS_ERROR
8 TLS_LOG
9 L7DOS
10 SNI
11 APPID
12 URLFILTER
13 SESSION_SUMMARY
14 DLP
15 FQDNFILTER
16 AV