Version: 2.10.0

GCP VPC Flow Logs (10301 / 20301)

Description

This module reports GCP VPC Flow Logs ingested from Google Cloud, translating them one-to-one into syslog or JSON format and enriching them with GCP data not reported in base VPC Flow Logs.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Compute Engine VM Instances | VMs with IPs, project ID, zone, name, and VPC names | Provided by EDF agent |
| Compute Engine IPv4 Routes | IP range, source and destination subnetwork IDs, Subnetwork name | Provided by EDF agent |

Input

GCP Flow Logs

Syslog/JSON Message Fields

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20301" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> (added for compatibility with other flows) |
| reporter | The side which reported the flow | <string>, 'SRC' or 'DEST' |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| [src_ip6] | Source host IPv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_project_id] | Source Project ID | <string> |
| [src_vm_name] | Source VM name | <string> |
| [src_vm_zone] | Source VM Zone | <string> |
| [src_vpc_name] | Source VPC Name | <string> |
| [src_subnetwork_name] | Source Subnet name | <string> |
| [src_continent] | Source Continent for external endpoints | <string> |
| [src_country] | Source Country for external endpoints | <string>, represented as ISO 3166-1 Alpha-3 country codes |
| [src_region] | Source Region for external endpoints | <string> |
| [src_city] | Source City for external endpoints | <string> |
| [src_asn] | Source autonomous system number (ASN) of the external network to which this endpoint belongs | <number> |
| src_port | Source port number | <number> |
| dest_ip | Destination host IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination host IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_project_id] | Destination Project ID | <string> |
| [dest_vm_name] | Destination VM name | <string> |
| [dest_vm_zone] | Destination VM Zone | <string> |
| [dest_vpc_name] | Destination VPC Name | <string> |
| [dest_subnetwork_name] | Destination Subnet name | <string> |
| [dest_continent] | Destination Continent for external endpoints | <string> |
| [dest_country] | Destination Country for external endpoints | <string>, represented as ISO 3166-1 Alpha-3 country codes |
| [dest_region] | Destination Region for external endpoints | <string> |
| [dest_city] | Destination City for external endpoints | <string> |
| [dest_asn] | Destination autonomous system number (ASN) of the external network to which this endpoint belongs | <number> |
| dest_port | Destination EC2 instance port number | <number> |
| packets_in | Packets in the flow | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received | <number> |
| rtt_msec | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK, and it contains the network RTT as well as the application-related delay. | <number> |
| flow_start_time | Start time of the flow | <time> |
| flow_end_time | End of the flow | <time> |
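
The following is an added example, not code from the product or its documentation. It shows how a consumer of the JSON output could use the enrichment fields above to total traffic leaving VMs for external endpoints in countries outside an allowlist. It assumes one JSON object per message with the key names from the table and treats bracketed keys as optional; the function names and the sample messages are constructed for illustration.

```python
import json
from collections import defaultdict

# Keys the field table lists without brackets; treating them as mandatory is an assumption.
REQUIRED = ("nfc_id", "exp_ip", "reporter", "protocol", "src_ip", "src_port",
            "dest_ip", "dest_port", "packets_in", "bytes_in")

def parse(line):
    """Return one 20301 JSON message as a dict, or None when it is malformed."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or any(k not in rec for k in REQUIRED):
        return None
    if str(rec["nfc_id"]) != "20301" or rec["reporter"] not in ("SRC", "DEST"):
        return None
    try:
        rec["bytes_in"] = int(rec["bytes_in"])
    except (TypeError, ValueError):
        return None
    return rec

def unexpected_egress(lines, allowed_countries):
    """Sum bytes_in per (source VM, dest_country) for flows to external endpoints
    outside allowed_countries (ISO 3166-1 alpha-3 codes, as in the table).
    Egress is seen from the source VM, so only reporter == "SRC" records are used.
    Returns (totals, rejected_line_count)."""
    totals, rejected = defaultdict(int), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            rejected += 1  # keep malformed input visible instead of dropping it silently
            continue
        country = rec.get("dest_country")  # set only for external endpoints
        if rec["reporter"] != "SRC" or not country or country in allowed_countries:
            continue
        vm = rec.get("src_vm_name") or rec["src_ip"]  # optional key: fall back to the IP
        totals[(vm, country)] += rec["bytes_in"]
    return dict(totals), rejected

# Constructed sample messages (not real traffic; external IPs are documentation ranges).
BASE = {"nfc_id": 20301, "exp_ip": "192.0.2.1", "reporter": "SRC", "protocol": 6,
        "src_ip": "10.1.0.5", "src_port": 44210, "dest_ip": "203.0.113.9",
        "dest_port": 443, "packets_in": 40, "bytes_in": 52000}
SAMPLE = [
    json.dumps({**BASE, "src_vm_name": "web-1", "dest_country": "NLD"}),
    json.dumps({**BASE, "src_vm_name": "web-1", "dest_country": "NLD", "bytes_in": 8000}),
    json.dumps({**BASE, "src_vm_name": "web-1", "dest_country": "USA"}),  # allowlisted
    json.dumps({**BASE, "reporter": "DEST", "src_ip": "203.0.113.9",
                "src_country": "NLD", "dest_ip": "10.1.0.5"}),            # ingress
    json.dumps({**BASE, "dest_ip": "10.2.0.7", "dest_vm_name": "db-1"}),  # internal
    "nfc_id=20301 truncated",                                             # malformed
]
```

With the allowlist `{"USA"}`, the sample yields a single total for `web-1` to `NLD` and one rejected line.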