收集 Apigee 日志
支持的语言:
Google SecOps
SIEM
本文档介绍了如何通过启用 Google Cloud 遥测数据注入到 Google Security Operations 来收集 Apigee 日志,以及 Apigee 日志的日志字段如何映射到 Google Security Operations Unified Data Model (UDM) 字段。
如需了解详情,请参阅将数据注入 Google Security Operations。
典型部署包括已启用 Apigee 日志以注入到 Google Security Operations。每个客户部署都可能与此表示法不同,并且可能更复杂。
部署包含以下组件:
Google Cloud:您要从中收集日志的服务和产品。 Google Cloud
Apigee 日志:已启用以注入到 Google Security Operations 的 Apigee 日志。
Google Security Operations:Google Security Operations 会保留并分析来自 Apigee 的日志。
注入标签用于标识将原始日志数据标准化为结构化 UDM 格式的解析器。本文档中的信息适用于具有 GCP_APIGEE_X 注入标签的解析器。
准备工作
确保部署架构中的所有系统都配置为使用世界协调时间 (UTC) 时区。
确保使用旧版 Cloud Logging 政策或新版 Cloud Logging 政策。如需了解详情,请参阅旧版 Cloud Logging 政策。
配置 Google Cloud 以注入 Apigee 日志
如需将 Apigee 日志注入到 Google Security Operations,请按照将 Google Cloud 日志注入到 Google Security Operations 页面上的步骤操作。
如果您在注入 Apigee 日志时遇到问题,请与 Google Security Operations 支持团队联系。
支持的 Apigee 日志格式
Apigee 解析器支持 JSON 格式的日志。
支持的 Apigee 示例日志
JSON
{ "text": { "metadata": { "reportTimestamp": "2021-10-22T01:25:16Z", "messageId": "1634865916094", "org": "ascension", "env": "prod" }, "totalNumberOfBots": 1, "bots": [ { "ipAddress": "198.51.100.0", "botDetectedLast": "2021-10-22T00:49:51Z", "ipIsp": "Google LLC", "ipCountry": "United States", "botReason": [ "Flooder" ], "callCount": "666", "topUrl": "/price-estimator/v1/shoppable-service/search/taxonomy/", "ipCity": "NO_CITY" } ] } }
字段映射参考
字段映射参考信息:GCP_APIGEE_X 旧版 Cloud Logging 政策日志
下表列出了 GCP_APIGEE_X 旧版 Cloud Logging 政策日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
jsonPayload.proxyResponseCode |
intermediary.network.http.response_code |
|
jsonPayload.apiProxy |
intermediary.resource.name |
|
jsonPayload.apiproxy |
intermediary.resource.name |
|
|
intermediary.resource.resource_type |
If the jsonPayload.apiproxy log field value is not empty or the jsonPayload.apiProxy log field value is not empty, then the intermediary.resource.resource_type UDM field is set to BACKEND_SERVICE. |
|
intermediary.resource.attribute.cloud.environment |
If the jsonPayload.apiproxy log field value is not empty or the jsonPayload.apiProxy log field value is not empty, then the intermediary.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM. |
jsonPayload.apiProduct |
intermediary.resource.attribute.labels[json_payload_api_product] |
|
jsonPayload.apiProxyRevision |
intermediary.resource.attribute.labels[json_payload_api_proxy_revision] |
|
jsonPayload.proxyRequestReceived |
intermediary.resource.attribute.labels[json_payload_proxy_request_received] |
|
jsonPayload.proxyResponseSent |
intermediary.resource.attribute.labels[json_payload_proxy_response_sent] |
|
receiveTimestamp |
metadata.collected_timestamp |
|
timestamp |
metadata.event_timestamp |
|
|
metadata.event_type |
The metadata.event_type UDM field is set to USER_RESOURCE_ACCESS. |
insertId |
metadata.product_log_id |
|
jsonPayload.correlationId |
metadata.product_event_type |
|
|
metadata.product_name |
The metadata.product_name UDM field is set to GCP APIGEE X. |
|
metadata.vendor_name |
The metadata.vendor_name UDM field is set to Google Cloud Platform. |
jsonPayload.verb |
network.http.method |
|
labels.application |
principal.application |
|
jsonPayload.ax_resolved_client_ip |
principal.ip |
|
resource.labels.zone |
principal.resource.attribute.cloud.availability_zone |
|
|
principal.resource.resource_type |
If the resource.type log field value is equal to gce_instance, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
resource.type |
principal.resource.resource_subtype |
|
resource.labels.instance_id |
principal.resource.product_object_id |
|
resource.labels.project_id |
principal.resource_ancestors.product_object_id |
|
|
principal.resource_ancestors.resource_type |
If the resource.labels.project_id log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT. |
jsonPayload.organization |
principal.resource_ancestors.name |
|
|
principal.resource_ancestors.resource_type |
If the jsonPayload.organization log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. |
jsonPayload.clientReceived |
principal.resource.attribute.labels[json_payload_client_received] |
|
jsonPayload.clientSent |
principal.resource.attribute.labels[json_payload_client_sent] |
|
logName |
principal.resource.attribute.labels[Log Name] |
|
resource.labels.project_id |
principal.resource.attribute.labels[Project Id] |
|
jsonPayload.clientId |
principal.user.userid |
|
logName |
security_result.category_details |
|
jsonPayload.faultName |
security_result.description |
|
severity |
security_result.severity |
If the severity log field value is equal to ERROR, then the severity log field is mapped to the security_result.severity UDM field.Else, if the severity log field value is equal to INFO or NOTICE, then the security_result.severity UDM field is set to INFORMATIONAL.Else, if the severity log field value is equal to WARNING or NOTICE, then the security_result.severity UDM field is set to MEDIUM.
|
severity |
security_result.severity_details |
|
jsonPayload.targetResponseCode |
target.network.http.response_code |
|
jsonPayload.requestUri |
target.resource.name |
|
|
target.resource.resource_type |
If the jsonPayload.requestUri log field value is not empty, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE. |
jsonPayload.requestUrl |
target.url |
|
jsonPayload.targetResponseReceived |
target.resource.attribute.labels[json_payload_target_request_received] |
|
jsonPayload.targetRequestSent |
target.resource.attribute.labels[json_payload_target_request_sent] |
|
jsonPayload.bot_reason |
additional.fields[json_payload_bot_reason] |
|
jsonPayload.count_distinct_bot |
additional.fields[json_payload_count_distinct_bot] |
|
jsonPayload.developerApp |
additional.fields[json_payload_developer_app] |
|
jsonPayload.developerId |
additional.fields[json_payload_developer_id] |
|
jsonPayload.minute |
additional.fields[json_payload_minute] |
|
jsonPayload.environment |
additional.fields[json_payload_environment] |
|
jsonPayload.sum_bot_traffic |
additional.fields[json_payload_sum_bot_traffic] |
|
partialSuccess |
additional.fields[partial_success] |
字段映射参考信息:GCP_APIGEE_X 新 Cloud Logging 政策日志
下表列出了 GCP_APIGEE_X 新 Cloud Logging 政策日志类型的日志字段及其对应的 UDM 字段。
| Log field | UDM mapping | Logic |
|---|---|---|
insertId |
metadata.product_log_id |
|
jsonPayload.request.queryparams.count |
target.resource.attribute.labels[json_payload_request_queryparams_count] |
|
jsonPayload.request.uri |
target.resource.name |
|
|
target.resource.resource_type |
If the jsonPayload.request.uri log field value is not empty, then the target.resource.resource_type UDM field is set to BACKEND_SERVICE. |
jsonPayload.target.host |
target.hostname |
|
jsonPayload.log.sni_host |
target.hostname |
|
jsonPayload.target.host |
target.asset.hostname |
|
jsonPayload.log.sni_host |
target.asset.hostname |
|
jsonPayload.target.sent.start.timestamp |
target.resource.attribute.labels[json_payload_target_sent_start_timestamp] |
|
jsonPayload.response.reason.phrase |
security_result.summary |
|
jsonPayload.response.reason |
security_result.summary |
|
jsonPayload.target.cn |
target.resource.attribute.labels[json_payload_target_cn] |
|
jsonPayload.target.port |
target.port |
|
jsonPayload.request.path |
target.resource.attribute.labels[json_payload_request_path] |
|
jsonPayload.target.ip |
target.ip |
|
jsonPayload.request.queryparam.param_name |
target.resource.attribute.labels[json_payload_request_queryparams_param_name] |
|
jsonPayload.request.queryparam.param_name.values |
target.resource.attribute.labels[json_payload_request_queryparams_param_values] |
|
jsonPayload.client.sent.end.timestamp |
principal.resource.attribute.labels[client sent end timestamp] |
|
jsonPayload.response.content |
security_result.description |
|
jsonPayload.target.organization |
target.resource_ancestors.name |
|
jsonPayload.log.organization |
target.resource_ancestors.name |
|
|
target.resource_ancestors.resource_type |
If the jsonPayload.target.organization log field value is not empty or the jsonPayload.log.organization log field value is not empty, then the target.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. |
jsonPayload.target.organization.unit |
target.resource_ancestors.attribute.labels[json_payload_target_organization_unit] |
|
jsonPayload.proxy.client.ip |
src.ip |
|
jsonPayload.error.content |
security_result.about.resource.attribute.labels[error_content] |
|
jsonPayload.response.headers.names |
target.resource.attribute.labels[response_headers_names] |
|
jsonPayload.error.state |
security_result.about.resource.attribute.labels[state] |
|
jsonPayload.proxy.pathsuffix |
intermediary.resource.attribute.labels[pathsuffix] |
|
jsonPayload.log.proxy_basepath |
intermediary.resource.attribute.labels[pathsuffix] |
|
jsonPayload.messageid |
metadata.product_event_type |
|
jsonPayload.request.verb |
network.http.method |
|
jsonPayload.response.status.code |
network.http.response_code |
|
jsonPayload.log.status |
network.http.response_code |
|
jsonPayload.response.code |
network.http.response_code |
|
jsonPayload.request.transportid |
target.resource.attribute.labels[json_payload_request_transport_id] |
|
jsonPayload.request.content |
target.resource.attribute.labels[json_payload_request_content] |
|
jsonPayload.client.received.start.timestamp |
principal.resource.attribute.labels[client_received_start_timestamp] |
|
jsonPayload.target.basepath |
target.resource.attribute.labels[basepath] |
|
jsonPayload.proxy.url |
intermediary.url |
|
jsonPayload.request.url |
target.resource.attribute.labels[json_payload_request_url] |
|
jsonPayload.client.sent.start.timestamp |
principal.resource.attribute.labels[json_payload_client_sent_start_timestamp] |
|
jsonPayload.client.received.end.timestamp |
principal.resource.attribute.labels[client end timestamp] |
|
jsonPayload.target.sent.end.timestamp |
target.resource.attribute.labels[json_payload_target_sent_end_timestamp] |
|
jsonPayload.apigee.metrics.policy..timeTaken |
security_result.rule_labels[apigee_metrics_policy_time_taken] |
|
jsonPayload.target.scheme |
target.network.application_protocol |
|
jsonPayload.request.queryparams.names |
target.resource.attribute.labels[json_payload_request_queryparams_names] |
|
jsonPayload.request.version |
target.resource.attribute.labels[json_payload_request_version] |
|
jsonPayload.request.httpversion |
target.resource.attribute.labels[json_payload_request_version] |
|
jsonPayload.system.timestamp |
additional.fields[jsonPayload_system_timestamp] |
|
jsonPayload.client.scheme |
principal.network.application_protocol |
|
jsonPayload.request.header.header_name |
target.resource.attribute.labels[json_payload_request_header_name] |
|
jsonPayload.request.header.header_name.values |
target.resource.attribute.labels[request_header_name_values] |
|
jsonPayload.target.url |
target.url |
|
jsonPayload.url |
target.url |
|
jsonPayload.response.header.header_name.values |
target.resource.attribute.labels[response_header_name_values] |
|
jsonPayload.request.querystring |
target.resource.attribute.labels[json_payload_request_querystring] |
|
jsonPayload.response.headers.count |
target.resource.attribute.labels[response_headers_count] |
|
|
principal.resource.resource_type |
If the resource.type log field value is equal to gce_instance, then the principal.resource.resource_type UDM field is set to VIRTUAL_MACHINE. |
resource.type |
principal.resource.resource_subtype |
|
resource.labels.instance_id |
principal.resource.product_object_id |
|
resource.labels.project_id |
principal.resource_ancestors.product_object_id |
|
|
principal.resource_ancestors.resource_type |
The if the UDM field is set to CLOUD_PROJECT. |
resource.labels.zone |
principal.resource.attribute.cloud.availability_zone |
|
timestamp |
metadata.event_timestamp |
|
severity |
security_result.severity |
If the severity log field value is equal to ERROR, then the severity log field is mapped to the security_result.severity UDM field. |
severity |
security_result.severity_details |
|
logName |
security_result.category_details |
|
logName |
principal.resource.attribute.labels[Log Name] |
|
receiveTimestamp |
metadata.collected_timestamp |
|
jsonPayload.client.ip |
principal.ip |
|
jsonPayload.log.origin_address |
principal.ip |
|
jsonPayload.client.host |
principal.ip |
|
jsonPayload.request.formparam.param_name.values |
target.resource.attribute.labels[json_payload_request_form_param_name_values] |
|
jsonPayload.request.formparam.param_name |
target.resource.attribute.labels[json_payload_request_form_param_name] |
|
jsonPayload.request.formparams.count |
target.resource.attribute.labels[json_payload_request_form_params_count] |
|
jsonPayload.request.formparams.names |
target.resource.attribute.labels[json_payload_request_form_params_names] |
|
jsonPayload.request.formstring |
target.resource.attribute.labels[json_payload_request_form_string] |
|
jsonPayload.response.transport.message |
target.resource.attribute.labels[response_transport_message] |
|
jsonPayload.response.header.header_name |
target.resource.attribute.labels[response_header_name] |
|
jsonPayload.apigee.metrics.policy.policy_name.timeTaken |
security_result.rule_labels[apigee_metrics_policy_policy_name_timeTaken] |
|
jsonPayload.apiproduct.operation |
intermediary.resource.attribute.labels[api_product_operation] |
|
jsonPayload.apiproduct.operation.resource |
intermediary.resource.attribute.labels[api_product_operation_resource] |
|
jsonPayload.apiproduct.operation.methods |
intermediary.resource.attribute.labels[api_product_operation_methods] |
|
jsonPayload.apiproduct.operation.attributes.key_name |
intermediary.resource.attribute.labels[api_product_operation_attributes_key_name] |
|
jsonPayload.proxy.name |
intermediary.resource.name |
|
jsonPayload.proxy.revision |
intermediary.resource.attribute.labels[json_payload_proxy_revision] |
|
jsonPayload.apiproxy.basepath |
intermediary.resource.attribute.labels[json_payload_api_proxy_basepath] |
|
jsonPayload.client.cn |
principal.resource.attribute.labels[json_payload_client_cn] |
|
jsonPayload.client.country |
principal.location.country_or_region |
|
jsonPayload.client.email.address |
principal.email |
|
jsonPayload.client.locality |
principal.location.city |
|
jsonPayload.client.organization |
principal.resource_ancestors.name |
|
|
principal.resource_ancestors.resource_type |
If the jsonPayload.client.organization log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. |
jsonPayload.client.organization.unit |
principal.resource_ancestors.attribute.labels[client_organization_unit] |
|
jsonPayload.client.port |
principal.port |
|
jsonPayload.client.received.end.time |
principal.resource.attribute.labels[client_received_end_time] |
|
jsonPayload.client.received.start.time |
principal.resource.attribute.labels[client_received_start_time] |
|
jsonPayload.client.sent.end.time |
principal.resource.attribute.labels[client_sent_end_time] |
|
jsonPayload.client.sent.start.time |
principal.resource.attribute.labels[client_sent_start_time] |
|
jsonPayload.client.ssl.enabled |
principal.resource.attribute.labels[client_ssl_enabled] |
|
jsonPayload.client.state |
principal.resource.attribute.labels[client_state] |
|
jsonPayload.current.flow.name |
additional.fields[current_flow_name] |
|
jsonPayload.current.flow.description |
additional.fields[current_flow_description] |
|
jsonPayload.environment.name |
additional.fields[environment_name] |
|
jsonPayload.error |
security_result.about.resource.attribute.labels[jsonPayload_error] |
|
jsonPayload.error.message |
security_result.about.resource.attribute.labels[message] |
|
jsonPayload.error.status.code |
security_result.about.resource.attribute.labels[jsonPayload_error_status_code] |
|
jsonPayload.error.reason.phrase |
security_result.about.resource.attribute.labels[jsonPayload_error_reason_phrase] |
|
jsonPayload.error.transport.message |
security_result.about.resource.attribute.labels[jsonPayload_error_transport_message] |
|
jsonPayload.error.header.header_name |
security_result.about.resource.attribute.labels[error_header_name] |
|
jsonPayload.fault.name |
security_result.about.resource.attribute.labels[fault_name] |
|
jsonPayload.fault.reason |
security_result.about.resource.attribute.labels[fault_reason] |
If the jsonPayload.error.faultReason log field value is empty, then the jsonPayload.fault.reason log field is mapped to the security_result.description UDM field.Else, the jsonPayload.fault.reason log field is mapped to the security_result.about.resource.attribute.labels.fault_reason UDM field. |
jsonPayload.fault.category |
security_result.category_details |
|
jsonPayload.fault.subcategory |
security_result.category_details |
|
jsonPayload.literal_value |
additional.fields[jsonPayload_literal_value] |
|
jsonPayload.graphql |
additional.fields[graphql] |
|
jsonPayload.graphql.fragment |
additional.fields[graphql_fragment] |
|
jsonPayload.graphql.fragment.count |
additional.fields[graphql_fragment_count] |
|
jsonPayload.graphql.fragment.INDEX.selectionSet.INDEX |
additional.fields[graphql_fragment_INDEX_selectionSet_INDEX] |
|
jsonPayload.graphql.fragment.INDEX.selectionSet.INDEX.name |
additional.fields[graphql_fragment_INDEX_selectionSet_INDEX_name] |
|
jsonPayload.graphql.fragment.INDEX.selectionSet.count |
additional.fields[graphql_fragment_INDEX_selectionSet_count] |
|
jsonPayload.graphql.fragment.INDEX.selectionSet.name |
additional.fields[graphql_fragment_INDEX_selectionSet_name] |
|
jsonPayload.graphql.operation |
additional.fields[graphql_operation] |
|
jsonPayload.graphql.operation.name |
additional.fields[graphql_operation_name] |
|
jsonPayload.graphql.operation.operationType |
additional.fields[graphql_operation_operationType] |
|
jsonPayload.graphql.operation.selectionSet |
additional.fields[graphql_operation_selectionSet] |
|
jsonPayload.graphql.operation.selectionSet.count |
additional.fields[graphql_operation_selectionSet_count] |
|
jsonPayload.graphql.operation.selectionSet.name |
additional.fields[graphql_operation_selectionSet_name] |
|
jsonPayload.graphql.operation.selectionSet.INDEX |
additional.fields[graphql_operation_selectionSet_INDEX] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.name |
additional.fields[graphql_operation_selectionSet_INDEX_name] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.[selectionSet] |
additional.fields[graphql_operation_selectionSet_INDEX_selectionSet] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive |
additional.fields[graphql_operation_selectionSet_INDEX_directive] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.count |
additional.fields[graphql_operation_selectionSet_INDEX_directive_count] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX |
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX |
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX.name |
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX_name] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX.value |
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX_value] |
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.name |
additional.fields[graphql_operation_selectionSet_INDEX_directive_name] |
|
jsonPayload.graphql.operation.variableDefinitions |
additional.fields[graphql_operation_variableDefinitions] |
|
jsonPayload.graphql.operation.variableDefinitions.count |
additional.fields[graphql_operation_variableDefinitions_count] |
|
jsonPayload.graphql.operation.variableDefinitions.INDEX |
additional.fields[graphql_operation_variableDefinitions_INDEX] |
|
jsonPayload.graphql.operation.variableDefinitions.INDEX.name |
additional.fields[graphql_operation_variableDefinitions_INDEX_name] |
|
jsonPayload.graphql.operation.variableDefinitions.INDEX.type |
additional.fields[graphql_operation_variableDefinitions_INDEX_type] |
|
jsonPayload.is.error |
security_result.about.resource.attribute.labels[is_error] |
|
jsonPayload.loadbalancing.failedservers |
intermediary.resource.attribute.labels[loadbalancing_failed_servers] |
|
jsonPayload.loadbalancing.isfallback |
intermediary.resource.attribute.labels[loadbalancing_is_fallback] |
|
jsonPayload.loadbalancing.targetserver |
intermediary.resource.attribute.labels[loadbalancing_target_server] |
|
jsonPayload.message |
additional.fields[jsonPayload_message] |
|
jsonPayload.message.content |
additional.fields[message_content] |
|
jsonPayload.message.formparam.param_name |
additional.fields[message_formparam_param_name] |
|
jsonPayload.message.formparam.param_name.values |
additional.fields[message_formparam_param_name_values] |
|
jsonPayload.message.formparam.param_name.values.count |
additional.fields[message_formparam_param_name_values_count] |
|
jsonPayload.message.formparams.count |
additional.fields[message_formparams_count] |
|
jsonPayload.message.formparams.names |
additional.fields[message_formparams_names] |
|
jsonPayload.message.formstring |
additional.fields[message_formstring] |
|
jsonPayload.message.header.header_name |
additional.fields[message_header_header_name] |
|
jsonPayload.message.header.header_name.N |
additional.fields[message_header_header_name_N] |
|
jsonPayload.message.header.header_name.values |
additional.fields[message_header_header_name_values] |
|
jsonPayload.message.header.header_name.values.count |
additional.fields[message_header_header_name_values_count] |
|
jsonPayload.message.header.header_name.values.string |
additional.fields[message_header_header_name_values_string] |
|
jsonPayload.message.headers.count |
additional.fields[message_headers_count] |
|
jsonPayload.message.headers.names |
additional.fields[message_headers_names] |
|
jsonPayload.message.path |
additional.fields[message_path] |
|
jsonPayload.message.queryparam.param_name |
additional.fields[message_queryparam_param_name] |
|
jsonPayload.message.queryparam.param_name.N |
additional.fields[message_queryparam_param_name_N] |
|
jsonPayload.message.queryparam.param_name.values |
additional.fields[message_queryparam_param_name_values] |
|
jsonPayload.message.queryparam.param_name.values.count |
additional.fields[message_queryparam_param_name_values_count] |
|
jsonPayload.message.queryparams.count |
additional.fields[message_queryparams_count] |
|
jsonPayload.message.queryparams.names |
additional.fields[message_queryparams_names] |
|
jsonPayload.message.querystring |
additional.fields[message_querystring] |
|
jsonPayload.message.status.code |
additional.fields[message_status_code] |
|
jsonPayload.message.transport.message |
additional.fields[message_transport_message] |
|
jsonPayload.message.uri |
additional.fields[message_uri] |
|
jsonPayload.message.verb |
additional.fields[message_verb] |
|
jsonPayload.message.version |
additional.fields[message_version] |
|
jsonPayload.mint.limitscheck.is_request_blocked |
additional.fields[mint_limitscheck_is_request_blocked] |
|
jsonPayload.mint.limitscheck.is_subscription_found |
additional.fields[mint_limitscheck_is_subscription_found] |
|
jsonPayload.mint.limitscheck.prepaid_developer_balance |
additional.fields[mint_limitscheck_prepaid_developer_balance] |
|
jsonPayload.mint.limitscheck.prepaid_developer_currency |
additional.fields[mint_limitscheck_prepaid_developer_currency] |
|
jsonPayload.mint.limitscheck.purchased_product_name |
additional.fields[mint_limitscheck_purchased_product_name] |
|
jsonPayload.mint.limitscheck.status_message |
additional.fields[mint_limitscheck_status_message] |
|
jsonPayload.mint.mintng_consumption_pricing_rates |
additional.fields[mint_mintng_consumption_pricing_rates] |
|
jsonPayload.mint.mintng_consumption_pricing_type |
additional.fields[mint_mintng_consumption_pricing_type] |
|
jsonPayload.mint.mintng_currency |
additional.fields[mint_mintng_currency] |
|
jsonPayload.mint.mintng_dev_share |
additional.fields[mint_mintng_dev_share] |
|
jsonPayload.mint.mintng_is_apiproduct_monetized |
additional.fields[mint_mintng_is_apiproduct_monetized] |
|
jsonPayload.mint.mintng_price |
additional.fields[mint_mintng_price] |
|
jsonPayload.mint.mintng_price_multiplier |
additional.fields[mint_mintng_price_multiplier] |
|
jsonPayload.mint.mintng_rate |
additional.fields[mint_mintng_rate] |
|
jsonPayload.mint.mintng_rate_before_multipliers |
additional.fields[mint_mintng_rate_before_multipliers] |
|
jsonPayload.mint.mintng_rate_plan_id |
additional.fields[mint_mintng_rate_plan_id] |
|
jsonPayload.mint.mintng_revenue_share_rates |
additional.fields[mint_mintng_revenue_share_rates] |
|
jsonPayload.mint.mintng_revenue_share_type |
additional.fields[mint_mintng_revenue_share_type] |
|
jsonPayload.mint.mintng_tx_success |
additional.fields[mint_mintng_tx_success] |
|
jsonPayload.mint.prepaid_updated_developer_usage |
additional.fields[mint_prepaid_updated_developer_usage] |
|
jsonPayload.mint.rateplan_end_time_ms |
additional.fields[mint_rateplan_end_time_ms] |
|
jsonPayload.mint.rateplan_start_time_ms |
additional.fields[mint_rateplan_start_time_ms] |
|
jsonPayload.mint.status |
additional.fields[mint_status] |
|
jsonPayload.mint.status_code |
additional.fields[mint_status_code] |
|
jsonPayload.mint.subscription_end_time_ms |
additional.fields[mint_subscription_end_time_ms] |
|
jsonPayload.mint.subscription_start_time_ms |
additional.fields[mint_subscription_start_time_ms] |
|
jsonPayload.mint.tx_success_result |
additional.fields[mint_tx_success_result] |
|
jsonPayload.organization.name |
principal.resource_ancestors.name |
|
|
principal.resource_ancestors.resource_type |
If the jsonPayload.organization.name log field value is not empty, then the principal.resource_ancestors.resource_type UDM field is set to CLOUD_ORGANIZATION. |
jsonPayload.proxy.basepath |
intermediary.resource.attribute.labels[proxy_basepath] |
|
jsonPayload.proxy |
intermediary.resource.attribute.labels[proxy] |
|
jsonPayload.proxy.proxyendpoint.name |
intermediary.resource.attribute.labels[proxy_endpoint_name] |
|
jsonPayload.publishmessage.message.id |
additional.fields[publishmessage_message_id] |
|
jsonPayload.ratelimit.policy_name.allowed.count |
security_result.rule_labels[ratelimit_policy_name_allowed_count] |
|
jsonPayload.ratelimit.policy_name.used.count |
security_result.rule_labels[ratelimit_policy_name_used_count] |
|
jsonPayload.ratelimit.policy_name.available.count |
security_result.rule_labels[ratelimit_policy_name_available_count] |
|
jsonPayload.ratelimit.policy_name.exceed.count |
security_result.rule_labels[ratelimit_policy_name_exceed_count] |
|
jsonPayload.ratelimit.policy_name.total.exceed.count |
security_result.rule_labels[ratelimit_policy_name_total_exceed_count] |
|
jsonPayload.ratelimit.policy_name.expiry.time |
security_result.rule_labels[ratelimit_policy_name_expiry_time] |
|
jsonPayload.ratelimit.policy_name.identifier |
security_result.rule_id |
|
jsonPayload.ratelimit.policy_name.class |
security_result.rule_labels[ratelimit_policy_name_class] |
|
jsonPayload.ratelimit.policy_name.class.allowed.count |
security_result.rule_labels[ratelimit_policy_name_class_allowed_count] |
|
jsonPayload.ratelimit.policy_name.class.used.count |
security_result.rule_labels[ratelimit_policy_name_class_used_count] |
|
jsonPayload.ratelimit.policy_name.class.available.count |
security_result.rule_labels[ratelimit_policy_name_class_available_count] |
|
jsonPayload.ratelimit.policy_name.class.exceed.count |
security_result.rule_labels[ratelimit_policy_name_class_exceed_count] |
|
jsonPayload.ratelimit.policy_name.class.total.exceed.count |
security_result.rule_labels[ratelimit_policy_name_class_total_exceed_count] |
|
jsonPayload.ratelimit.policy_name.failed |
security_result.rule_labels[ratelimit_policy_name_failed] |
|
jsonPayload.request |
target.resource.attribute.labels[request] |
|
jsonPayload.request.formparam.param_name.values.count |
target.resource.attribute.labels[request_formparam_name_values_count] |
|
jsonPayload.request.formparam.param_name.N |
target.resource.attribute.labels[request_formparam_name_N] |
|
jsonPayload.request.grpc.rpc.name |
target.resource.attribute.labels[request_grpc_rpc_name] |
|
jsonPayload.request.grpc.service.name |
target.resource.attribute.labels[request_grpc_service_name] |
|
jsonPayload.request.header.header_name.N |
target.resource.attribute.labels[request_header_name_N] |
|
jsonPayload.request.header.header_name.values.count |
target.resource.attribute.labels[request_header_name_values_count] |
|
jsonPayload.request.header.header_name.values.string |
target.resource.attribute.labels[request_header_name_values_string] |
|
jsonPayload.request.headers.count |
target.resource.attribute.labels[request_headers_count] |
|
jsonPayload.request.headers.names |
target.resource.attribute.labels[request_headers_names] |
|
jsonPayload.request.queryparam.param_name.N |
target.resource.attribute.labels[request_queryparam_name_N] |
|
jsonPayload.request.queryparam.param_name.values.count |
target.resource.attribute.labels[request_queryparam_name_values_count] |
|
jsonPayload.request.transport.message |
target.resource.attribute.labels[request_transport_message] |
|
jsonPayload.response |
target.resource.attribute.labels[response] |
|
jsonPayload.response.header.header_name.values.count |
target.resource.attribute.labels[response_header_name_values_count] |
|
jsonPayload.response.header.header_name.values.string |
target.resource.attribute.labels[response_header_name_values_string] |
|
jsonPayload.response.header.header_name.N |
target.resource.attribute.labels[response_header_name_N] |
|
jsonPayload.system.interface.interface_name |
intermediary.ip |
|
|
intermediary.resource_ancestors.resource_type |
If the jsonPayload.system.pod.name log field value is not empty, then the intermediary.resource_ancestors.resource_type UDM field is set to POD. |
jsonPayload.system.pod.name |
intermediary.resource_ancestors.name |
|
jsonPayload.system.region.name |
intermediary.location.country_or_region |
|
jsonPayload.system.time |
intermediary.resource.attribute.labels[system_time] |
|
jsonPayload.system.time.year |
intermediary.resource.attribute.labels[system_time_year] |
|
jsonPayload.system.time.month |
intermediary.resource.attribute.labels[system_time_month] |
|
jsonPayload.system.time.day |
intermediary.resource.attribute.labels[system_time_day] |
|
jsonPayload.system.time.dayofweek |
intermediary.resource.attribute.labels[system_time_dayofweek] |
|
jsonPayload.system.time.hour |
intermediary.resource.attribute.labels[system_time_hour] |
|
jsonPayload.system.time.minute |
intermediary.resource.attribute.labels[system_time_minute] |
|
jsonPayload.system.time.second |
intermediary.resource.attribute.labels[system_time_second] |
|
jsonPayload.system.time.millisecond |
intermediary.resource.attribute.labels[system_time_millisecond] |
|
jsonPayload.system.time.zone |
intermediary.resource.attribute.labels[system_time_zone] |
|
jsonPayload.system.uuid |
intermediary.resource.attribute.labels[system_uuid] |
|
jsonPayload.target.copy.pathsuffix |
target.resource.attribute.labels[target_copy_pathsuffix] |
|
jsonPayload.target.copy.queryparams |
target.resource.attribute.labels[target_copy_queryparams] |
|
jsonPayload.target.country |
target.location.country_or_region |
|
jsonPayload.target.email.address |
target.user.email_addresses |
|
jsonPayload.developer.email |
target.user.email_addresses |
|
jsonPayload.target.expectedcn |
target.resource.attribute.labels[target_expectedcn] |
|
jsonPayload.target.locality |
target.location.city |
|
jsonPayload.target.name |
target.resource.attribute.labels[target_name] |
|
jsonPayload.target.received.end.time |
target.resource.attribute.labels[target_received_end_time] |
|
jsonPayload.target.received.start.time |
target.resource.attribute.labels[target_received_start_time] |
|
jsonPayload.target.received.start.timestamp |
target.resource.attribute.labels[target_received_start_timestamp] |
|
jsonPayload.target.sent.end.time |
target.resource.attribute.labels[target_sent_end_time] |
|
jsonPayload.target.sent.start.time |
target.resource.attribute.labels[target_sent_start_time] |
|
jsonPayload.target.ssl.enabled |
target.resource.attribute.labels[target_ssl_enabled] |
|
jsonPayload.target.state |
target.resource.attribute.labels[target_state] |
|
jsonPayload.variable.expectedcn |
additional.fields[variable_expectedcn] |
|
jsonPayload.request.host |
target.resource.attribute.labels[json_payload_request_host] |
|
jsonPayload.request_msg.header.host |
target.resource.attribute.labels[json_payload_request_host] |
|
jsonPayload.request.user-agent |
network.http.user_agent |
|
jsonPayload.request.header.user-agent |
network.http.user_agent |
|
jsonPayload.request.x-b3-traceid |
target.resource.attribute.labels[json_payload_request_x_b3_traceid] |
|
jsonPayload.request.header.x-b3-traceid |
target.resource.attribute.labels[json_payload_request_x_b3_traceid] |
|
jsonPayload.request.header.x-cloud-trace-context |
target.resource.attribute.labels[json_payload_request_x_cloud_trace_context] |
|
jsonPayload.request.x-cloud-trace-context |
target.resource.attribute.labels[json_payload_request_x_cloud_trace_context] |
|
jsonPayload.apiproduct.name |
intermediary.resource.attribute.labels[jsonPayload_api_product_name] |
|
jsonPayload.app.name |
target.application |
|
jsonPayload.developer.app.name |
target.application |
|
jsonPayload.cachehit |
additional.fields[jsonPayload_cachehit] |
后续步骤
需要更多帮助?从社区成员和 Google SecOps 专业人士那里获得解答。