Add module for GCP VPC flow logs
This module ingests Google Cloud VPC flow logs that have been exported by Stackdriver to a Google Cloud Pub/Sub topic sink.

The published LogEntry objects have this format: https://cloud.google.com/logging/docs/reference/v2/rest/v2/LogEntry

The structured data in the flow logs have this format: https://cloud.google.com/vpc/docs/using-flow-logs#record_format
andrewkroh committed Jul 2, 2019
1 parent 82ef39b commit e27540b
Showing 21 changed files with 6,366 additions and 2 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -223,6 +223,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for client addresses with port in Apache error logs {pull}12695[12695]
- Add `google-pubsub` input type for consuming messages from a Google Cloud Pub/Sub topic subscription. {pull}12746[12746]
- Add module for ingesting Cisco IOS logs over syslog. {pull}12748[12748]
- Add module for ingesting Google Cloud VPC flow logs. {pull}12747[12747]

*Heartbeat*

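Review bot: the entry only says "Add module for ingesting Google Cloud VPC flow logs" although the module depends on the `google-pubsub` input added in the line above (12746) and on Stackdriver exporting to a Pub/Sub topic sink; consider saying "via a Pub/Sub topic sink" so the dependency is visible, and marking the entry beta, matching the `beta[]` marker in the module documentation added by this commit.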
1 change: 0 additions & 1 deletion filebeat/_meta/fields.common.yml
Expand Up @@ -150,4 +150,3 @@
type: keyword
description: >
Name of organization associated with the autonomous system.
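Review bot: the header `@@ -150,4 +150,3 @@` records one deleted line, but the rendered hunk shows only unchanged context, so the deletion is presumably a trailing blank line at the end of the file. Harmless, but it is unrelated to the new module and would be cleaner as a separate whitespace commit.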
190 changes: 190 additions & 0 deletions filebeat/docs/fields.asciidoc
Expand Up @@ -22,6 +22,7 @@ grouped in the following categories:
* <<exported-fields-ecs>>
* <<exported-fields-elasticsearch>>
* <<exported-fields-envoyproxy>>
* <<exported-fields-googlecloud>>
* <<exported-fields-haproxy>>
* <<exported-fields-host-processor>>
* <<exported-fields-icinga>>
Expand Down Expand Up @@ -5512,6 +5513,195 @@ type: keyword
Envoy proxy type, tcp or http
type: keyword
--
[[exported-fields-googlecloud]]
== Google Cloud fields
Module for handling logs from Google Cloud.
[float]
=== googlecloud
Fields from Google Cloud logs.
[float]
=== vpcflow
Fields for Google Cloud VPC flow logs.
*`googlecloud.vpcflow.reporter`*::
+
--
The side which reported the flow. Can be either 'SRC' or 'DEST'.
type: keyword
--
*`googlecloud.vpcflow.rtt.ms`*::
+
--
Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
type: long
--
[float]
=== destination.instance
If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
*`googlecloud.vpcflow.destination.instance.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.destination.instance.region`*::
+
--
Region of the VM.
type: keyword
--
*`googlecloud.vpcflow.destination.instance.zone`*::
+
--
Zone of the VM.
type: keyword
--
[float]
=== destination.vpc
If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
*`googlecloud.vpcflow.destination.vpc.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.destination.vpc.vpc_name`*::
+
--
VPC on which the VM is operating.
type: keyword
--
*`googlecloud.vpcflow.destination.vpc.subnetwork_name`*::
+
--
Subnetwork on which the VM is operating.
type: keyword
--
[float]
=== source.instance
If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
*`googlecloud.vpcflow.source.instance.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.source.instance.region`*::
+
--
Region of the VM.
type: keyword
--
*`googlecloud.vpcflow.source.instance.zone`*::
+
--
Zone of the VM.
type: keyword
--
[float]
=== source.vpc
If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
*`googlecloud.vpcflow.source.vpc.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.source.vpc.vpc_name`*::
+
--
VPC on which the VM is operating.
type: keyword
--
*`googlecloud.vpcflow.source.vpc.subnetwork_name`*::
+
--
Subnetwork on which the VM is operating.
type: keyword
--
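Review bot: the descriptions of `googlecloud.vpcflow.destination.vpc.project_id` and `googlecloud.vpcflow.source.vpc.project_id` read "ID of the project containing the VM", which is the same wording as the `instance.project_id` fields, yet the `destination.vpc` and `source.vpc` section intros say that in a Shared VPC configuration this project_id is the host project's, not the service project that owns the instance. Suggest "ID of the project that owns the VPC network (the host project in a Shared VPC)" so the two project IDs are not confused when correlating flows across projects. Also, `googlecloud.vpcflow.rtt.ms` is documented as TCP-only; stating that the field is absent for non-TCP flows would help anyone writing detections on latency.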
75 changes: 75 additions & 0 deletions filebeat/docs/modules/googlecloud.asciidoc
@@ -0,0 +1,75 @@
////
This file is generated! See scripts/docs_collector.py
////

[[filebeat-module-googlecloud]]
[role="xpack"]

:modulename: googlecloud
:has-dashboards: false

== Google Cloud module

beta[]

This is a module for Google Cloud logs. It supports reading VPC flow logs that
have been exported from Stackdriver to a Google Pub/Sub topic sink.

include::../include/what-happens.asciidoc[]

include::../include/running-modules.asciidoc[]

include::../include/configuring-intro.asciidoc[]

:fileset_ex: vpcflow

include::../include/config-option-intro.asciidoc[]

[float]
==== `vpcflow` fileset settings

Example config:

[source,yaml]
----
- module: googleclcoud
vpcflow:
enabled: true
var.project_id: my-gcp-project-id
var.topic: googlecloud-vpc-flowlogs
var.subscription_name: filebeat-googlecloud-vpc-flowlogs-sub
var.credentials_file: ${path.config}/gcp-service-account-xyz.json
----

include::../include/var-paths.asciidoc[]

*`var.project_id`*::

Google Cloud project ID.

*`var.topic`*::

Google Cloud Pub/Sub topic name.

*`var.subscription_name`*::

Google Cloud Pub/Sub topic subscription name. If the subscription does not
exist it will be created.

*`var.credentials_file`*::

Path to a JSON file containing the credentials and key used to subscribe.

:has-dashboards!:

:fileset_ex!:

:modulename!:


[float]
=== Fields

For a description of each field in the module, see the
<<exported-fields-googlecloud,exported fields>> section.

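Review bot: the example config in the `vpcflow` fileset settings has a typo, `- module: googleclcoud`, which will not match the `googlecloud` module name and will fail for anyone who copies the example. The file header says it is generated by `scripts/docs_collector.py`, so the fix belongs in the module's source documentation, not in this file. The `var.subscription_name` text also states that the subscription is created if it does not exist; the docs should spell out the Pub/Sub permissions the service account in `var.credentials_file` therefore needs, and note that pre-creating the subscription lets the account be scoped to subscriber-only permissions.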
2 changes: 2 additions & 0 deletions filebeat/docs/modules_list.asciidoc
Expand Up @@ -9,6 +9,7 @@ This file is generated! See scripts/docs_collector.py
* <<filebeat-module-coredns>>
* <<filebeat-module-elasticsearch>>
* <<filebeat-module-envoyproxy>>
* <<filebeat-module-googlecloud>>
* <<filebeat-module-haproxy>>
* <<filebeat-module-icinga>>
* <<filebeat-module-iis>>
Expand Down Expand Up @@ -43,6 +44,7 @@ include::modules/cisco.asciidoc[]
include::modules/coredns.asciidoc[]
include::modules/elasticsearch.asciidoc[]
include::modules/envoyproxy.asciidoc[]
include::modules/googlecloud.asciidoc[]
include::modules/haproxy.asciidoc[]
include::modules/icinga.asciidoc[]
include::modules/iis.asciidoc[]
15 changes: 15 additions & 0 deletions filebeat/fileset/fileset.go
Expand Up @@ -41,6 +41,7 @@ import (
"github.com/elastic/beats/libbeat/common/cfgwarn"
"github.com/elastic/beats/libbeat/logp"
mlimporter "github.com/elastic/beats/libbeat/ml-importer"
"github.com/elastic/beats/libbeat/paths"
)

// Fileset struct is the representation of a fileset.
Expand Down Expand Up @@ -352,6 +353,20 @@ func (fs *Fileset) getInputConfig() (*common.Config, error) {
return nil, fmt.Errorf("Error reading input config: %v", err)
}

// Additional default settings, that must be available for variable expansion.
defaults := common.MustNewConfigFrom(map[string]interface{}{
"path": map[string]interface{}{
"home": paths.Paths.Home,
"config": "${path.home}",
"data": fmt.Sprint("${path.home}", string(os.PathSeparator), "data"),
"logs": fmt.Sprint("${path.home}", string(os.PathSeparator), "logs"),
},
})

if err := cfg.Merge(defaults); err != nil {
return nil, err
}

// overrides
if len(fs.fcfg.Input) > 0 {
overrides, err := common.NewConfigFrom(fs.fcfg.Input)
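Review bot: `os.PathSeparator` is used in the new defaults block, but the import hunk only adds `github.com/elastic/beats/libbeat/paths`; confirm `os` is already imported in this file, otherwise the build breaks. Separately, `config`, `data` and `logs` are hard-coded as `${path.home}`-relative strings while only `paths.Paths.Home` is consulted; if the `paths` package also exposes the resolved config, data and logs directories, use those so that a config directory overridden on the command line is honoured when the module expands `${path.config}/gcp-service-account-xyz.json`, otherwise the credentials file will be looked up in the wrong place. Finally, `cfg.Merge(defaults)` runs after the input config has been read; check that Merge does not let these "defaults" overwrite `path.*` keys a user set explicitly in the input config.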
2 changes: 1 addition & 1 deletion filebeat/include/fields.go
20 changes: 20 additions & 0 deletions x-pack/filebeat/filebeat.reference.yml
Expand Up @@ -167,6 +167,26 @@ filebeat.modules:
# Filebeat will choose the paths depending on your OS.
#var.paths:

#----------------------------- Google Cloud Module -----------------------------
- module: googlecloud
vpcflow:
enabled: true

# Google Cloud project ID.
var.project_id: my-gcp-project-id

# Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
# configured to use this topic as a sink for VPC flow logs.
var.topic: googlecloud-vpc-flowlogs

# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-googlecloud-vpc-flowlogs-sub

# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json

#------------------------------- Haproxy Module -------------------------------
- module: haproxy
# All logs
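Review bot: the comments in this block are inconsistent about privileges. The `var.credentials_file` comment says the service account needs "authorization to read from the subscription", but the `var.subscription_name` comment says Filebeat will create the subscription if it does not exist, which requires permission to create subscriptions on the topic as well. State both, and recommend pre-creating the subscription so the key shipped in `gcp-service-account-xyz.json` can be limited to subscriber permissions only.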
1 change: 1 addition & 0 deletions x-pack/filebeat/include/list.go
18 changes: 18 additions & 0 deletions x-pack/filebeat/module/googlecloud/_meta/config.yml
@@ -0,0 +1,18 @@
- module: googlecloud
vpcflow:
enabled: true

# Google Cloud project ID.
var.project_id: my-gcp-project-id

# Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
# configured to use this topic as a sink for VPC flow logs.
var.topic: googlecloud-vpc-flowlogs

# Google Pub/Sub subscription for the topic. Filebeat will create this
# subscription if it does not exist.
var.subscription_name: filebeat-googlecloud-vpc-flowlogs-sub

# Credentials file for the service account with authorization to read from
# the subscription.
var.credentials_file: ${path.config}/gcp-service-account-xyz.json
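Review bot: this block duplicates the Google Cloud section of `filebeat.reference.yml` above, which is expected since the reference file is assembled from each module's `_meta/config.yml`; keep the two in sync when the permission comments are corrected. As the credentials file is a long-lived service-account key placed under `${path.config}`, the comment should also remind users to restrict its file permissions to the Filebeat user.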