GCP VPC Flow Logs (10301 / 20301)

Description

This module reports GCP VPC Flow Logs ingested from Google Cloud, translating each flow record one-to-one into a syslog or JSON message and enriching it with GCP data (VM, project, zone, VPC and subnetwork names) that is not present in the base VPC Flow Logs.

Parameters

| Parameter Name | Description | Comments |
|---|---|---|
| Compute Engine VM Instances | VMs with IPs, project ID, zone, name, and VPC names | Provided by EDF agent |
| Compute Engine IPv4 Routes | IP range, source and destination subnetwork IDs, subnetwork name | Provided by EDF agent |

Input

GCP Flow Logs

Syslog/JSON Message Fields

Keys shown in square brackets are optional and appear only when the corresponding data is available.

| Key | Field Description | Comments |
|---|---|---|
| nfc_id | Message type identifier | "nfc_id=20301" |
| exp_ip | NetFlow exporter IPv4 address | <IPv4 address> (added for compatibility with other flow types) |
| reporter | The side which reported the flow | <string>, 'SRC' or 'DEST' |
| protocol | Transport protocol (TCP = 6, UDP = 17) | <number> |
| src_ip | Source host IPv4 address | <IPv4 address> |
| [src_ip6] | Source host IPv6 address | <IPv6 address> |
| [src_host] | Source host name | <string>, included when FQDN is on |
| [src_project_id] | Source project ID | <string> |
| [src_vm_name] | Source VM name | <string> |
| [src_vm_zone] | Source VM zone | <string> |
| [src_vpc_name] | Source VPC name | <string> |
| [src_subnetwork_name] | Source subnet name | <string> |
| [src_continent] | Source continent for external endpoints | <string> |
| [src_country] | Source country for external endpoints | <string>, ISO 3166-1 alpha-3 country code |
| [src_region] | Source region for external endpoints | <string> |
| [src_city] | Source city for external endpoints | <string> |
| [src_asn] | Autonomous system number (ASN) of the external network to which the source endpoint belongs | <number> |
| src_port | Source port number | <number> |
| dest_ip | Destination host IPv4 address | <IPv4 address> |
| [dest_ip6] | Destination host IPv6 address | <IPv6 address> |
| [dest_host] | Destination host name | <string>, included when FQDN is on |
| [dest_project_id] | Destination project ID | <string> |
| [dest_vm_name] | Destination VM name | <string> |
| [dest_vm_zone] | Destination VM zone | <string> |
| [dest_vpc_name] | Destination VPC name | <string> |
| [dest_subnetwork_name] | Destination subnet name | <string> |
| [dest_continent] | Destination continent for external endpoints | <string> |
| [dest_country] | Destination country for external endpoints | <string>, ISO 3166-1 alpha-3 country code |
| [dest_region] | Destination region for external endpoints | <string> |
| [dest_city] | Destination city for external endpoints | <string> |
| [dest_asn] | Autonomous system number (ASN) of the external network to which the destination endpoint belongs | <number> |
| dest_port | Destination port number | <number> |
| packets_in | Packets in the flow | <number> |
| bytes_in | Total number of Layer 3 bytes in the packets of the flow received | <number> |
| rtt_msec | Latency in milliseconds, measured for TCP flows only during the reporting interval: the time elapsed between sending a SEQ and receiving the corresponding ACK, so it includes both the network RTT and application-related delay | <number> |
| flow_start_time | Start time of the flow | <time> |
| flow_end_time | End time of the flow | <time> |