GCP VPC Flow Logs (10301 / 20301)
Description
This Module reports GCP VPC Flow Logs ingested from Google Cloud translating them one-to-one in syslog or JSON formats, and enriching them with GCP data not reported in base VPC Flow Logs.
Parameters
| Parameter Name | Description | Comments |
|---|---|---|
| Compute Engine VM Instances | VMs with IPs, project ID, zone, name, and VPC names | Provided by EDF agent |
| Compute Engine IPv4 Routes | IP range, source and destination subnetwork IDs, Subnetwork name | Provided by EDF agent |
Input
GCP Flow Logs
Syslog/JSON Message Fields
| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | “nfc_id=20301” |
| exp_ip | NetFlow exporter Ipv4 address | <IPv4 address> (added for compatibility with other flows) |
| reporter | The side which reported the flow | <string>, ‘SRC' or ‘DEST' |
| protocol | Transport Protocol ( TCP = 6, UDP = 17) | <number> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| [src_ip6] | Source host Ipv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_project_id] | Source Project ID | <string> |
| [src_vm_name] | Source VM name | <string> |
| [src_vm_zone] | Source VM Zone | <string> |
| [src_vpc_name] | Source VPC Name | <string> |
| [src_subnetwork_name] | Source Subnet name | <string> |
| [src_continent] | Source Continent for external endpoints | <string> |
| [src_country] | Source Country for external endpoints | <string>, represented as ISO 3166-1 Alpha-3 country codes |
| [src_region] | Source Region for external endpoints | <string> |
| [src_city] | Source City for external endpoints | <string> |
| [src_asn] | Source autonomous system number (ASN) of the external network to which this endpoint belongs | <number> |
| src_port | Source port number | <number> |
| dest_ip | Destination host IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination host IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_project_id] | Destination Project ID | <string> |
| [dest_vm_name] | Destination VM name | <string> |
| [dest_vm_zone] | Destination VM Zone | <string> |
| [dest_vpc_name] | Destination VPC Name | <string> |
| [dest_subnetwork_name] | Destination Subnet name | <string> |
| [dest_continent] | Destination Continent for external endpoints | <string> |
| [dest_country] | Destination Country for external endpoints | <string>, represented as ISO 3166-1 Alpha-3 country codes |
| [dest_region] | Destination Region for external endpoints | <string> |
| [dest_city] | Destination City for external endpoints | <string> |
| [dest_asn] | Destination autonomous system number (ASN) of the external network to which this endpoint belongs | <number> |
| dest_port | Destination EC2 instance port number | <number> |
| packets_in | Packets in the flow | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received | <number> |
| rtt_msec | Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay. | <number> |
| flow_start_time | Start time of the flow | <time> |
| flow_end_time | End of the flow | <time> |