Google Cloud Platform (GCP) VPC Flow logs

Collect vpcflow logs from Google Cloud Platform (GCP) with Elastic Agent

What is an Elastic integration?
Version
2.38.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

What's this?
Security
Observability
Subscription level
What's this?
Basic

Logs

The vpcflow dataset collects logs sent from and received by VM instances, including instances used as GKE nodes.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Event module
constant_keyword
gcp.destination.instance.project_id
ID of the project containing the VM.
keyword
gcp.destination.instance.region
Region of the VM.
keyword
gcp.destination.instance.zone
Zone of the VM.
keyword
gcp.destination.vpc.project_id
ID of the project containing the VM.
keyword
gcp.destination.vpc.subnetwork_name
Subnetwork on which the VM is operating.
keyword
gcp.destination.vpc.vpc_name
VPC on which the VM is operating.
keyword
gcp.source.instance.project_id
ID of the project containing the VM.
keyword
gcp.source.instance.region
Region of the VM.
keyword
gcp.source.instance.zone
Zone of the VM.
keyword
gcp.source.vpc.project_id
ID of the project containing the VM.
keyword
gcp.source.vpc.subnetwork_name
Subnetwork on which the VM is operating.
keyword
gcp.source.vpc.vpc_name
VPC on which the VM is operating.
keyword
gcp.vpcflow.flattened
Contains the full vpcflow document as sent by GCP.
flattened
gcp.vpcflow.reporter
The side which reported the flow. Can be either 'SRC' or 'DEST'.
keyword
gcp.vpcflow.rtt.ms
Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
long
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Input type
keyword
log.offset
Log offset
long

An example event for vpcflow looks as following:

{
    "@timestamp": "2019-06-14T03:50:10.845Z",
    "agent": {
        "ephemeral_id": "0b8165a2-0e25-4e9a-bb68-271697e0993f",
        "id": "c6b95057-2f5d-4b8f-b4b5-37cbdb995dec",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.7.1"
    },
    "cloud": {
        "availability_zone": "us-east1-b",
        "instance": {
            "name": "kibana"
        },
        "project": {
            "id": "my-sample-project"
        },
        "provider": "gcp",
        "region": "us-east1"
    },
    "data_stream": {
        "dataset": "gcp.vpcflow",
        "namespace": "ep",
        "type": "logs"
    },
    "destination": {
        "address": "10.139.99.242",
        "domain": "elasticsearch",
        "ip": "10.139.99.242",
        "port": 9200
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "c6b95057-2f5d-4b8f-b4b5-37cbdb995dec",
        "snapshot": false,
        "version": "8.7.1"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "created": "2023-10-25T04:21:42.006Z",
        "dataset": "gcp.vpcflow",
        "end": "2019-06-14T03:49:51.821056075Z",
        "id": "ut8lbrffooxz5",
        "ingested": "2023-10-25T04:21:43Z",
        "kind": "event",
        "start": "2019-06-14T03:40:20.510622432Z",
        "type": [
            "connection"
        ]
    },
    "gcp": {
        "destination": {
            "instance": {
                "project_id": "my-sample-project",
                "region": "us-east1",
                "zone": "us-east1-b"
            },
            "vpc": {
                "project_id": "my-sample-project",
                "subnetwork_name": "default",
                "vpc_name": "default"
            }
        },
        "source": {
            "instance": {
                "project_id": "my-sample-project",
                "region": "us-east1",
                "zone": "us-east1-b"
            },
            "vpc": {
                "project_id": "my-sample-project",
                "subnetwork_name": "default",
                "vpc_name": "default"
            }
        },
        "vpcflow": {
            "reporter": "DEST",
            "rtt": {
                "ms": 201
            }
        }
    },
    "input": {
        "type": "gcp-pubsub"
    },
    "log": {
        "logger": "projects/my-sample-project/logs/compute.googleapis.com%2Fvpc_flows"
    },
    "network": {
        "bytes": 11773,
        "community_id": "1:FYaJFSEAKLcBCMFoT6sR5TMHf/s=",
        "direction": "internal",
        "iana_number": "6",
        "name": "default",
        "packets": 94,
        "transport": "tcp",
        "type": "ipv4"
    },
    "related": {
        "ip": [
            "67.43.156.13",
            "10.139.99.242"
        ]
    },
    "source": {
        "address": "67.43.156.13",
        "as": {
            "number": 35908
        },
        "bytes": 11773,
        "domain": "kibana",
        "geo": {
            "continent_name": "Asia",
            "country_iso_code": "BT",
            "country_name": "Bhutan",
            "location": {
                "lat": 27.5,
                "lon": 90.5
            }
        },
        "ip": "67.43.156.13",
        "packets": 94,
        "port": 33576
    },
    "tags": [
        "forwarded",
        "gcp-vpcflow"
    ]
}

Changelog

VersionDetailsKibana version(s)

2.38.0

Enhancement View pull request
Add policy_violation_info, metadata and related fields to audit logs.

Bug fix View pull request
Update GCP audit log dashboard to use correct email field.

8.13.0 or higher

2.37.2

Bug fix View pull request
Fix definition of subfields of nested objects

8.13.0 or higher

2.37.1

Enhancement View pull request
Improve GCP Billing documentation.

8.13.0 or higher

2.37.0

Enhancement View pull request
Retain authenticationInfo.serviceAccountKeyName data.

8.13.0 or higher

2.36.0

Enhancement View pull request
Add global dataset filter for dashboards to improve performance.

8.13.0 or higher

2.35.0

Enhancement View pull request
ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.34.1

Bug fix View pull request
Fix Redis metric type for 'persistence.rdb.bgsave_in_progress'. Metric type should be boolean instead of long.

8.12.0 or higher

2.34.0

Enhancement View pull request
Add tags and processors to GCP Compute, Firestore, PostgreSQL.

8.12.0 or higher

2.33.2

Enhancement View pull request
Add tags and processors to GCP Storage

8.12.0 or higher

2.33.1

Enhancement View pull request
Update Legacy metric visualization to new metric in GCP Billing overview dashboard.

8.12.0 or higher

2.33.0

Enhancement View pull request
Enable time series data for metrics data streams. This dramatically reduces storage for metrics and is expected to progressively improve query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html.

8.12.0 or higher

2.32.1

Enhancement View pull request
Add dimensions mappings and the metrics_fingerprint field across all metrics data streams.

8.12.0 or higher

2.32.0

Enhancement View pull request
Add new billing data stream fields.

8.12.0 or higher

2.31.2

Bug fix View pull request
Fix pipeline error parsing DNS logs with empty rdata field.

8.7.1 or higher

2.31.1

Enhancement View pull request
Add Cloud Run docs and fix policy template name to allow adding Cloud Run logs to the policy.

8.7.1 or higher

2.31.0

Enhancement View pull request
Allow users to retain otherwised discarded fields.

8.7.1 or higher

2.30.1

Bug fix View pull request
Fix mappings of group fields

8.7.1 or higher

2.30.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

Enhancement View pull request
Upgrade package spec to 3.0.0.

Bug fix View pull request
Fix orphan dashboard references.

Bug fix View pull request
Add missing dashboard filters.

8.7.1 or higher

2.29.1

Bug fix View pull request
Add null checks and ignore_missing checks to the rename processor

8.7.1 or higher

2.29.0

Bug fix View pull request
Remove GCP CloudSQL deprecated, alpha or beta metrics and fix field types.

8.7.1 or higher

2.28.5

Enhancement View pull request
Set metric type for GKE, Load Balancing, PubSub, Redis and Storage data streams.

8.7.1 or higher

2.28.4

Enhancement View pull request
Migrate GCP Load Balancing HTTPS Overview dashboard to lens.

8.7.1 or higher

2.28.3

Enhancement View pull request
Set metric type for Cloud Run, Compute, Dataproc and Firestore data streams.

8.7.1 or higher

2.28.2

Enhancement View pull request
Migrate GCP Load Balancing TCP SSL Proxy Overview dashboard to lens.

8.7.1 or higher

2.28.1

Enhancement View pull request
Set metric type for CloudSQL data streams.

8.7.1 or higher

2.28.0

Enhancement View pull request
Migrate GCP Load Balancing L3 Overview dashboard to lens.

8.7.1 or higher

2.27.0

Enhancement View pull request
Add GCP CloudSQL MySQL, SQL Server and PostgreSQL dashboards.

8.7.1 or higher

2.26.0

Bug fix View pull request
Fix GCP loadbalancing_metrics fields prefix.

8.7.1 or higher

2.25.1

Bug fix View pull request
Fix check on gcp.audit.authorization_info[].granted.

8.7.1 or higher

2.25.0

Enhancement View pull request
Migrate GCP Billing input control to new control panel.

8.7.1 or higher

2.24.0

Enhancement View pull request
Add GCP CloudSQL MySQL, Postgres, SQLServer data streams

8.7.1 or higher

2.23.0

Enhancement View pull request
Convert security dashboards to lens.

8.7.1 or higher

2.22.1

Enhancement View pull request
Change ownership in manifest.

8.6.0 or higher

2.22.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.6.0 or higher

2.21.0

Enhancement View pull request
Update package to ECS 8.8.0.

8.6.0 or higher

2.20.1

Bug fix View pull request
Fix invalid TSDS metric type for persistence.rdb.bgsave_in_progress field

8.6.0 or higher

2.20.0

Enhancement View pull request
Update package to ECS 8.7.0.

8.6.0 or higher

2.19.1

Enhancement View pull request
Migrate compute dashboard to lens and add datastream filter.

8.6.0 or higher

2.19.0

Enhancement View pull request
Add Cloud Run metrics datastream.

8.6.0 or higher

2.18.0

Enhancement View pull request
Support subscription_num_goroutines and subscription_max_outstanding_messages for GCP PubSub input

8.6.0 or higher

2.17.2

Bug fix View pull request
Fix IP Convert processor in Audit ingest pipeline.

8.6.0 or higher

2.17.1

Enhancement View pull request
Added categories and/or subcategories.

8.6.0 or higher

2.17.0

Enhancement View pull request
Add Audit Log Overview dashboard

Enhancement View pull request
Add GKE Overview dashboard

Enhancement View pull request
Add PubSub Overview dashboard

Enhancement View pull request
Add Storage Overview dashboard

8.6.0 or higher

2.16.2

Bug fix View pull request
Add logic to handle scalar request.policy values on audit

8.5.0 or higher

2.16.1

Bug fix View pull request
Replace missing input control panel with new-style control.

8.5.0 or higher

2.16.0

Enhancement View pull request
Update package to ECS 8.6.0.

8.5.0 or higher

2.15.2

Enhancement View pull request
Update documentation.

8.5.0 or higher

2.15.1

Enhancement View pull request
Add GCP Compute pipeline test.

8.5.0 or higher

2.15.0

Enhancement View pull request
Remove support for Kibana 7.17.x

Enhancement View pull request
Support multiple regions for metrics data streams

8.5.0 or higher

2.14.0

Enhancement View pull request
Update package to ECS 8.5.0.

8.3.0 or higher

2.13.0

Enhancement View pull request
Migrate dashboard by values

8.3.0 or higher

2.12.1

Bug fix View pull request
Remove duplicate fields.

7.17.6 or higher
8.3.0 or higher

2.12.0

Enhancement View pull request
Add GCP Redis

7.17.6 or higher
8.3.0 or higher

2.11.12

Bug fix View pull request
Add GKE ingest pipeline.

7.17.6 or higher
8.3.0 or higher

2.11.11

Bug fix View pull request
Fix type of dns.answers.ttl.

7.17.6 or higher
8.3.0 or higher

2.11.10

Enhancement View pull request
Add ingest pipeline for dataproc.

Enhancement View pull request
Add GCP loadbalancing ingest pipeline

Enhancement View pull request
Add GCP PubSub ingest pipeline

Enhancement View pull request
Add GCP Storage ingest pipeline

Enhancement View pull request
Add GCP Firestore ingest pipeline

Enhancement View pull request
Add GCP Compute ingest pipeline

7.17.6 or higher
8.3.0 or higher

2.11.10-beta.6

Enhancement View pull request
Add ingest pipeline for dataproc.

2.11.10-beta.5

Enhancement View pull request
Add GCP loadbalancing ingest pipeline

2.11.10-beta.4

Enhancement View pull request
Add GCP PubSub ingest pipeline

2.11.10-beta.3

Enhancement View pull request
Add GCP Storage ingest pipeline

2.11.10-beta.2

Enhancement View pull request
Add GCP Firestore ingest pipeline

2.11.10-beta.1

Enhancement View pull request
Add GCP Compute ingest pipeline

2.11.9

Bug fix View pull request
Fix GKE kubernetes.io indentation.

7.17.6 or higher
8.3.0 or higher

2.11.8

Enhancement View pull request
Remove duplicate fields.

7.17.6 or higher
8.3.0 or higher

2.11.7

Enhancement View pull request
Move Dataproc lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.6

Enhancement View pull request
Move LoadBalancing lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.5

Enhancement View pull request
Move Storage lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.4

Enhancement View pull request
Move PubSub lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.3

Enhancement View pull request
Move GKE lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.2

Enhancement View pull request
Move Firestore lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.11.1

Enhancement View pull request
Use ECS geo.location definition.

7.17.6 or higher
8.3.0 or higher

2.11.0

Enhancement View pull request
Move Compute lightweight module config into integration

7.17.6 or higher
8.3.0 or higher

2.10.0

Enhancement View pull request
Add GCP PubSub Data stream

7.17.6 or higher
8.3.0 or higher

2.9.0

Enhancement View pull request
Add GCP Dataproc Data stream

7.17.6 or higher
8.3.0 or higher

2.8.0

Enhancement View pull request
Add GCP GKE Data Stream

7.17.6 or higher
8.3.0 or higher

2.7.0

Enhancement View pull request
Add GCP Storage Data Stream

7.17.6 or higher
8.3.0 or higher

2.6.0

Enhancement View pull request
Add Load Balancing logs datastream

7.17.6 or higher
8.3.0 or higher

2.5.0

Enhancement View pull request
Add GCP Load Balancing Metricset

Bug fix View pull request
Fix credentials_json escaping in loadbalancing_metrics

Bug fix View pull request
Update loadbalancing_metrics default period to 60s

Bug fix View pull request
Fix event.dataset for loadbalancing_metrics

Enhancement View pull request
Add loadbalancing_metrics distribution fields

7.17.6 or higher
8.3.0 or higher

2.4.0

Enhancement View pull request
Update package to ECS 8.4.0

7.17.6 or higher
8.3.0 or higher

2.3.0

Enhancement View pull request
Add additional parsing for DNS Public Zone Query Logs

7.17.6 or higher
8.3.0 or higher

2.2.1

Enhancement View pull request
Fix Billing policy template title and default period for gcp.compute

7.17.6 or higher
8.3.0 or higher

2.2.0

Enhancement View pull request
Remove fields duplicated in ECS fields

7.17.6 or higher
8.3.0 or higher

2.1.0

Enhancement View pull request
restore compatibility with 7.17 release track

7.17.6 or higher
8.3.0 or higher

2.0.0

Breaking change View pull request
Move configurations to support metrics. This change is breaking, as it moves
some configuration from the top level variables to data stream variables.

This change involves project_id, credentials_file and credentials_json
variables that are moved from input level configuration to package level
configuration (as those variables are reused across all inputs/data streams).

Users with GCP integration enabled will need to input values for these
variables again when upgrading the policies to this version.

Enhancement View pull request
Add GCP Billing Data Stream

Enhancement View pull request
Add GCP Compute Data Stream

Enhancement View pull request
Add GCP Firestore Data stream

8.3.0 or higher

1.10.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.17.0 or higher
8.0.0 or higher

1.9.2

Bug fix View pull request
Fix GCP auditlog parsing issue on response status

7.17.0 or higher
8.0.0 or higher

1.9.1

Enhancement View pull request
Update readme

7.17.0 or higher
8.0.0 or higher

1.9.0

Enhancement View pull request
Preserve request and response in flattened fields.

7.17.0 or higher
8.0.0 or higher

1.8.0

Enhancement View pull request
Add missing cloud.provider field.

7.17.0 or higher
8.0.0 or higher

1.7.0

Enhancement View pull request
Add dashboards for firewall and vpc flow logs.

Bug fix View pull request
Add missing mappings for several event.* fields.

1.6.1

Enhancement View pull request
Clarify the GCP privileges required by the Pub/Sub input.

7.16.3 or higher
8.0.0 or higher

1.6.0

Enhancement View pull request
Update to ECS 8.2

1.5.1

Enhancement View pull request
Add documentation for multi-fields

7.16.3 or higher
8.0.0 or higher

1.5.0

Enhancement View pull request
Improve Google Cloud Platform docs.

7.16.3 or higher
8.0.0 or higher

1.4.2

Bug fix View pull request
Remove emtpy values, names with only dots, and invalid client IPs.

7.16.3 or higher
8.0.0 or higher

1.4.1

Bug fix View pull request
Fix quoting of the credentials_json value in policy templates.

7.16.3 or higher
8.0.0 or higher

1.4.0

Enhancement View pull request
Add gcp.dns integration

1.3.1

Bug fix View pull request
Add Ingest Pipeline script to map IANA Protocol Numbers

7.15.0 or higher
8.0.0 or higher

1.3.0

Enhancement View pull request
Update to ECS 8.0

7.15.0 or higher
8.0.0 or higher

1.2.2

Bug fix View pull request
Regenerate test files using the new GeoIP database

7.15.0 or higher
8.0.0 or higher

1.2.1

Bug fix View pull request
Change test public IPs to the supported subset

1.2.0

Enhancement View pull request
Add 8.0.0 version constraint

7.15.0 or higher
8.0.0 or higher

1.1.2

Enhancement View pull request
Update Title and Description.

7.15.0 or higher

1.1.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

1.1.0

Enhancement View pull request
Update to ECS 1.12.0

7.15.0 or higher

1.0.0

Enhancement View pull request
Move from experimental to GA

Enhancement View pull request
remove experimental from data_sets

0.3.3

Enhancement View pull request
Convert to generated ECS fields

0.3.2

Enhancement View pull request
update to ECS 1.11.0

0.3.1

Enhancement View pull request
Escape special characters in docs

0.3.0

Enhancement View pull request
Update integration description

0.2.0

Enhancement View pull request
Set "event.module" and "event.dataset"

0.1.0

Enhancement View pull request
update to ECS 1.10.0 and adding event.original options

0.0.2

Enhancement View pull request
update to ECS 1.9.0

0.0.1

Enhancement View pull request
initial release

On this page