GCP Logs
Connecting GCP logs to your Panther Console
Overview
Panther supports ingesting Google Cloud Platform (GCP) logs via common Data Transport options: Amazon Web Services (AWS) S3, AWS SQS, and Google Cloud Storage (GCS).
How to onboard GCP logs to Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "GCP" then click the Google Cloud Platform tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
The walkthrough video below demonstrates how to onboard GCP using GCS as the data transport. For GCS, Panther uses Pub/Sub to get notified of new data to consume in your bucket.
Configure GCP to push logs to the Data Transport source.
See GCP's documentation for instructions on pushing logs to your selected Data Transport source.
GCP Logs Video Walkthrough
The video below walks through a configuration using GCS as the data transport method.
Panther-Built Detections
See Panther's built-in rules for GCP in panther-analysis on GitHub.
Supported log types
GCP.AuditLog
Cloud Audit Logs maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, and System Event. Google Cloud services write audit log entries to these logs to help answer the question "who did what, where, and when?" within your Google Cloud resources.
For more information, see the GCP Documentation on Cloud Audit Logs.
| Column | Type | Description |
| --- | --- | --- |
| logName | string | The resource name of the log to which this log entry belongs. |
| severity | string | The severity of the log entry. The default value is LogSeverity.DEFAULT. |
| insertId | string | A unique identifier for the log entry. |
| resource | { "type":string, "labels":{ string:string } } | The monitored resource that produced this log entry. |
| timestamp | timestamp | The time the event described by the log entry occurred. |
| receiveTimestamp | timestamp | The time the log entry was received by Logging. |
| labels | { string:string } | A set of user-defined (key, value) data that provides additional information about the log entry. |
| operation | { "id":string, "producer":string, "first":boolean, "last":boolean } | Information about an operation associated with the log entry, if applicable. |
| trace | string | Resource name of the trace associated with the log entry, if any. |
| httpRequest | { "requestMethod":string, "requestURL":string, "requestSize":bigint, "status":smallint, "responseSize":bigint, "userAgent":string, "remoteIP":string, "serverIP":string, "referer":string, "latency":string, "cacheLookup":boolean, "cacheHit":boolean, "cacheValidatedWithOriginServer":boolean, "cacheFillBytes":bigint, "protocol":string } | Information about the HTTP request associated with this log entry, if applicable. |
| spanId | string | The span ID within the trace associated with the log entry. |
| traceSampled | boolean | The sampling decision of the trace associated with the log entry. |
| sourceLocation | { "file":string, "line":bigint, "function":string } | Source code location information associated with the log entry, if any. |
| protoPayload | { "at_sign_type":string, "serviceName":string, "methodName":string, "resourceName":string, "numResponseItems":bigint, "status":{ "code":int, "message":string, "details":string }, "authenticationInfo":{ "principalSubject":string, "serviceAccountKeyName":string, "principalEmail":string, "authoritySelector":string, "thirdPartyPrincipal":string, "serviceAccountDelegationInfo":[{ "firstPartyPrincipal":{ "principalEmail":string, "serviceMetadata":string }, "thirdPartyPrincipal":{ "thirdPartyClaims":string } }] }, "authorizationInfo":[{ "resource":string, "permission":string, "granted":boolean, "resourceAttributes":{ "service":string, "name":string, "type":string, "labels":string, "uid":string } }], "requestMetadata":{ "callerIP":string, "callerSuppliedUserAgent":string, "callerNetwork":string, "requestAttributes":string, "destinationAttributes":string }, "request":string, "response":string, "serviceData":json, "metadata":string } | The AuditLog payload. Note: protoPayload.serviceData is of type json because Google emits context-dependent logs; typing it as json lets Panther accept anything that may be present under this field. |
| p_log_type | string | Panther-added field with the type of log. |
| p_row_id | string | Panther-added field with a unique id (within the table). |
| p_event_time | timestamp | Panther-added standardized event time (UTC). |
| p_parse_time | timestamp | Panther-added standardized log parse time (UTC). |
| p_source_id | string | Panther-added field with the source id. |
| p_source_label | string | Panther-added field with the source label. |
| p_any_ip_addresses | [string] | Panther-added field with the collection of IP addresses associated with the row. |
| p_any_domain_names | [string] | Panther-added field with the collection of domain names associated with the row. |
| p_any_sha1_hashes | [string] | Panther-added field with the collection of SHA1 hashes associated with the row. |
| p_any_md5_hashes | [string] | Panther-added field with the collection of MD5 hashes associated with the row. |
| p_any_sha256_hashes | [string] | Panther-added field with the collection of SHA256 hashes associated with the row. |
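As an added illustration of how a Panther-style Python rule reads the GCP.AuditLog schema above (this is example code, not a rule from panther-analysis), the block below classifies an entry into one of the three Cloud Audit Logs streams from its logName and alerts when an Admin Activity call was denied a permission. The event dict, the deep_get helper and the rule/title function shape are constructed stand-ins for what Panther supplies at runtime.

```python
from typing import Any, Dict, List

# Constructed sample GCP.AuditLog event (not taken from the page); only fields
# from the schema above are used. Panther hands rules an event object with
# similar get()/deep_get() access; a plain dict plus a small helper stands in.
SAMPLE_EVENT: Dict[str, Any] = {
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
    "severity": "ERROR",
    "protoPayload": {
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "resourceName": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com",
        "status": {"code": 7, "message": "PERMISSION_DENIED"},
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "authorizationInfo": [
            {"permission": "iam.serviceAccountKeys.create", "granted": False},
        ],
        "requestMetadata": {"callerIP": "203.0.113.10"},
    },
}

# Cloud Audit Logs names its three streams with these URL-encoded logName suffixes.
AUDIT_LOG_KINDS = {"%2Factivity": "Admin Activity",
                   "%2Fdata_access": "Data Access",
                   "%2Fsystem_event": "System Event"}

def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely (stand-in for Panther's deep_get helper)."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
    return default if obj is None else obj

def audit_log_kind(event: Dict[str, Any]) -> str:
    """Map logName to Admin Activity, Data Access or System Event."""
    name = event.get("logName", "")
    return next((k for s, k in AUDIT_LOG_KINDS.items() if name.endswith(s)), "Unknown")

def denied_permissions(event: Dict[str, Any]) -> List[str]:
    """Permissions in authorizationInfo whose granted flag is explicitly false."""
    entries = deep_get(event, "protoPayload", "authorizationInfo", default=[])
    return [e.get("permission", "") for e in entries if e.get("granted") is False]

def rule(event: Dict[str, Any]) -> bool:
    """Fire on Admin Activity entries where the caller was denied a permission."""
    return audit_log_kind(event) == "Admin Activity" and bool(denied_permissions(event))

def title(event: Dict[str, Any]) -> str:
    payload = event.get("protoPayload", {})
    who = deep_get(payload, "authenticationInfo", "principalEmail", default="unknown")
    ip = deep_get(payload, "requestMetadata", "callerIP", default="unknown")
    return (f"[GCP] {who} denied {', '.join(denied_permissions(event))} on "
            f"{payload.get('resourceName', 'unknown')} via {payload.get('methodName', 'unknown')} from {ip}")
```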
GCP.HTTPLoadBalancer
External HTTP(S) Load Balancing distributes HTTP and HTTPS traffic to backends hosted on a variety of Google Cloud platforms (such as Compute Engine, Google Kubernetes Engine (GKE), Cloud Storage, and so on), as well as external backends connected over the internet or via hybrid connectivity. HTTP(S) load balancing logs provide information for monitoring and debugging web traffic.
For more information, see the HTTPLoadBalancer documentation.