GCP Logs
Connecting GCP logs to your Panther Console

Overview

Panther supports ingesting Google Cloud Platform (GCP) logs via common Data Transport options: Amazon Web Services (AWS) S3, AWS SQS, and Google Cloud Storage (GCS).

How to onboard GCP logs to Panther

To connect these logs into Panther:
  1. 1.
    Set up your Data Transport in the Panther Console.
    • Please follow Panther’s documentation for configuring the Data Transport option you will use:
  2. 2.
    Configure GCP to push logs to the Data Transport source.
    • See GCP's documentation for instructions on pushing logs to your selected Data Transport source.

Supported log types

Required fields in the table are in bold.

GCP.AuditLog

Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, and System Event. Google Cloud services writes audit log entries to these logs to help answer the questions of "who did what, where, and when?" within your Google Cloud resources.
Column
Type
Description
logName
string
The resource name of the log to which this log entry belongs.
severity
string
The severity of the log entry. The default value is LogSeverity.DEFAULT.
insertId
string
A unique identifier for the log entry.
resource
{ "type":string, "labels":{ string:string } }
The monitored resource that produced this log entry.
timestamp
timestamp
The time the event described by the log entry occurred.
receiveTimestamp
timestamp
The time the log entry was received by Logging.
labels
{ string:string }
A set of user-defined (key, value) data that provides additional information about the log entry.
operation
{ "id":string, "producer":string, "first":boolean, "last":boolean }
Information about an operation associated with the log entry, if applicable.
trace
string
Resource name of the trace associated with the log entry, if any.
httpRequest
{ "requestMethod":string, "requestURL":string, "requestSize":bigint, "status":smallint, "responseSize":bigint, "userAgent":string, "remoteIP":string, "serverIP":string, "referer":string, "latency":string, "cacheLookup":boolean, "cacheHit":boolean, "cacheValidatedWithOriginServer":boolean, "cacheFillBytes":bigint, "protocol":string }
Information about the HTTP request associated with this log entry, if applicable.
spanId
string
The span ID within the trace associated with the log entry.
traceSampled
boolean
The sampling decision of the trace associated with the log entry.
sourceLocation
{ "file":string, "line":bigint, "function":string }
Source code location information associated with the log entry, if any.
protoPayload
{ "at_sign_type":string, "serviceName":string, "methodName":string, "resourceName":string, "numResponseItems":bigint, "status":{ "code":int, "message":string, "details":string }, "authenticationInfo":{ "principalSubject":string, "serviceAccountKeyName":string, "principalEmail":string, "authoritySelector":string, "thirdPartyPrincipal":string, "serviceAccountDelegationInfo":[{ "firstPartyPrincipal":{ "principalEmail":string, "serviceMetadata":string }, "thirdPartyPrincipal":{ "thirdPartyClaims":string } }] }, "authorizationInfo":[{ "resource":string, "permission":string, "granted":boolean, "resourceAttributes":{ "service":string, "name":string, "type":string, "labels":string, "uid":string } }], "requestMetadata":{ "callerIP":string, "callerSuppliedUserAgent":string, "callerNetwork":string, "requestAttributes":string, "destinationAttributes":string }, "request":string, "response":string, "serviceData":string, "metadata":string }
The AuditLog payload
p_log_type
string
Panther added field with type of log
p_row_id
string
Panther added field with unique id (within table)
p_event_time
timestamp
Panther added standardize event time (UTC)
p_parse_time
timestamp
Panther added standardize log parse time (UTC)
p_source_id
string
Panther added field with the source id