Collect Google Cloud Kubernetes Context logs

This document describes how fields of Google Cloud Kubernetes Context logs map to Google Security Operations Unified Data Model (UDM) fields.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the GCP_KUBERNETES_CONTEXT ingestion label.

For information about other context parsers that Google SecOps supports, see Google SecOps context parsers .

Supported Google Cloud Kubernetes Context logs log formats

The Google Cloud Kubernetes Context logs parser supports logs in JSON format.

Supported Google Cloud Kubernetes Context logs sample logs

JSON:

 {
  "name": "//container.googleapis.com/projects/chronicle-dpa-test/locations/us-west2/clusters/us-west2-looker-composer-13ff96ad-gke/k8s/namespaces/composer-2-0-25-airflow-2-2-5-13ff96ad/apps/deployments/airflow-scheduler",
  "assetType": "apps.k8s.io/Deployment",
  "resource": {
    "version": "v1",
    "discoveryDocumentUri": "https://raw.githubusercontent.com/kubernetes/kubernetes/master/api/openapi-spec/swagger.json",
    "discoveryName": "io.k8s.api.apps.v1.Deployment",
    "parent": "//container.googleapis.com/projects/chronicle-dpa-test/locations/us-west2/clusters/us-west2-looker-composer-13ff96ad-gke/k8s/namespaces/composer-2-0-25-airflow-2-2-5-13ff96ad",
    "data": {
      "metadata": {
        "annotations": {
          "deployment.kubernetes.io/revision": "2"
        },
        "clusterName": "",
        "creationTimestamp": "2023-04-04T09:31:48Z",
        "generateName": "",
        "generation": 2,
        "labels": {
          "run": "airflow-scheduler"
        },
        "name": "airflow-scheduler",
        "namespace": "composer-2-0-25-airflow-2-2-5-13ff96ad",
        "resourceVersion": "16338",
        "selfLink": "",
        "uid": "805b92ef-6616-4e05-86c6-4ba3101dffa9"
      },
      "spec": {
        "minReadySeconds": 0,
        "paused": false,
        "progressDeadlineSeconds": 600,
        "replicas": 1,
        "revisionHistoryLimit": 10,
        "selector": {
          "matchLabels": {
            "run": "airflow-scheduler"
          }
        },
        "strategy": {
          "rollingUpdate": {
            "maxSurge": 1,
            "maxUnavailable": 1
          },
          "type": "RollingUpdate"
        },
        "template": {
          "metadata": {
            "annotations": {
              "cluster-autoscaler.kubernetes.io/safe-to-evict": "true"
            },
            "clusterName": "",
            "creationTimestamp": null,
            "generateName": "",
            "generation": 0,
            "labels": {
              "composer-system-pod": "true",
              "run": "airflow-scheduler"
            },
            "name": "",
            "namespace": "",
            "resourceVersion": "",
            "selfLink": "",
            "uid": ""
          },
          "spec": {
            "containers": [
              {
                "args": [
                  "scheduler"
                ],
                "env": [
                  {
                    "name": "AIRFLOW_LOOKER_GCP_REGION",
                    "value": "us-west2"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_MODEL_FILES_GCS_BUCKET",
                    "value": "composer-gcs-model-files-582699623097"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_SA_ETL_BQ_DATASET",
                    "value": "looker_system_activity"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_SCHEDULE_INTERVAL",
                    "value": "@daily"
                  },
                  {
                    "name": "CLOUDSDK_METRICS_ENVIRONMENT",
                    "value": "2.2.5+composer"
                  },
                  {
                    "name": "GCS_BUCKET",
                    "value": "us-west2-looker-composer-13ff96ad-bucket"
                  },
                  {
                    "name": "AIRFLOW_HOME",
                    "value": "/etc/airflow"
                  },
                  {
                    "name": "DAGS_FOLDER",
                    "value": "/home/airflow/gcs/dags"
                  },
                  {
                    "name": "SQL_HOST",
                    "value": "198.51.100.0"
                  },
                  {
                    "name": "SQL_DATABASE",
                    "value": "composer-2-0-25-airflow-2-2-5-13ff96ad"
                  },
                  {
                    "name": "SQL_USER",
                    "value": "root"
                  },
                  {
                    "name": "SQL_PASSWORD",
                    "value": "",
                    "valueFrom": {
                      "secretKeyRef": {
                        "key": "sql_password",
                        "localObjectReference": {
                          "name": "airflow-secrets"
                        }
                      }
                    }
                  },
                  {
                    "name": "GCSFUSE_EXTRACTED",
                    "value": "TRUE"
                  },
                  {
                    "name": "COMPOSER_VERSION",
                    "value": "2.0.25"
                  },
                  {
                    "name": "AIRFLOW__WEBSERVER__BASE_URL",
                    "value": "https://485fdbb7327b42c59ac3907f4753cc05-dot-us-west2.composer.googleusercontent.com"
                  },
                  {
                    "name": "SQL_SUBNET",
                    "value": ""
                  },
                  {
                    "name": "AIRFLOW__CORE__SQL_ALCHEMY_CONN",
                    "value": "postgresql+psycopg2://$(SQL_USER):$(SQL_PASSWORD)@198.51.100.0:3306/$(SQL_DATABASE)"
                  },
                  {
                    "name": "AIRFLOW__CORE__FERNET_KEY",
                    "value": "",
                    "valueFrom": {
                      "secretKeyRef": {
                        "key": "fernet_key",
                        "localObjectReference": {
                          "name": "airflow-secrets"
                        }
                      }
                    }
                  },
                  {
                    "name": "GCP_PROJECT",
                    "value": "chronicle-dpa-test"
                  },
                  {
                    "name": "COMPOSER_LOCATION",
                    "value": "us-west2"
                  },
                  {
                    "name": "COMPOSER_GKE_ZONE",
                    "value": ""
                  },
                  {
                    "name": "COMPOSER_GKE_NAME",
                    "value": "us-west2-looker-composer-13ff96ad-gke"
                  },
                  {
                    "name": "AUTOGKE",
                    "value": "TRUE"
                  },
                  {
                    "name": "COMPOSER_GKE_LOCATION",
                    "value": "us-west2"
                  },
                  {
                    "name": "COMPOSER_PYTHON_VERSION",
                    "value": "3"
                  },
                  {
                    "name": "COMPOSER_ENVIRONMENT",
                    "value": "looker-composer"
                  },
                  {
                    "name": "COMPOSER_VERSIONED_NAMESPACE",
                    "value": "composer-2-0-25-airflow-2-2-5-13ff96ad"
                  },
                  {
                    "name": "GKE_CLUSTER_NAME",
                    "value": "us-west2-looker-composer-13ff96ad-gke"
                  },
                  {
                    "name": "POD_NAME",
                    "value": "",
                    "valueFrom": {
                      "fieldRef": {
                        "apiVersion": "v1",
                        "fieldPath": "metadata.name"
                      }
                    }
                  },
                  {
                    "name": "CONTAINER_NAME",
                    "value": "airflow-scheduler"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_SA_ETL_BQ_DATASET",
                    "value": "looker_system_activity"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_GCP_REGION",
                    "value": "us-west2"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_MODEL_FILES_GCS_BUCKET",
                    "value": "composer-gcs-model-files-582699623097"
                  },
                  {
                    "name": "AIRFLOW_LOOKER_SCHEDULE_INTERVAL",
                    "value": "@daily"
                  }
                ],
                "image": "us-west2-docker.pkg.dev/chronicle-dpa-test/composer-images-us-west2-looker-composer-13ff96ad-gke/2ea83cca-ed14-47b2-a3ef-804cae0f7cb3",
                "imagePullPolicy": "IfNotPresent",
                "livenessProbe": {
                  "failureThreshold": 6,
                  "handler": {
                    "exec": {
                      "command": [
                        "/var/local/scheduler_checker.py"
                      ]
                    }
                  },
                  "initialDelaySeconds": 120,
                  "periodSeconds": 60,
                  "successThreshold": 1,
                  "timeoutSeconds": 30
                },
                "name": "airflow-scheduler",
                "resources": {
                  "limits": {
                    "cpu": "2125m",
                    "ephemeral-storage": "1945Mi",
                    "memory": "2176Mi"
                  },
                  "requests": {
                    "cpu": "2125m",
                    "ephemeral-storage": "1945Mi",
                    "memory": "2176Mi"
                  }
                },
                "stdin": false,
                "stdinOnce": false,
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "tty": false,
                "volumeMounts": [
                  {
                    "mountPath": "/etc/airflow/airflow_cfg",
                    "name": "airflow-config",
                    "readOnly": false,
                    "subPath": "",
                    "subPathExpr": ""
                  },
                  {
                    "mountPath": "/home/airflow/gcs",
                    "name": "gcsdir",
                    "readOnly": false,
                    "subPath": "",
                    "subPathExpr": ""
                  },
                  {
                    "mountPath": "/home/airflow/container-comms",
                    "name": "container-comms",
                    "readOnly": false,
                    "subPath": "",
                    "subPathExpr": ""
                  },
                  {
                    "mountPath": "/home/airflow/gcsfuse",
                    "mountPropagation": "HostToContainer",
                    "name": "gcsfuse",
                    "readOnly": false,
                    "subPath": "",
                    "subPathExpr": ""
                  }
                ],
                "workingDir": ""
              },
              {
                "args": [
                  "/home/airflow/gcs"
                ],
                "env": [
                  {
                    "name": "GCS_BUCKET",
                    "value": "us-west2-looker-composer-13ff96ad-bucket"
                  },
                  {
                    "name": "SQL_DATABASE",
                    "value": "composer-2-0-25-airflow-2-2-5-13ff96ad"
                  },
                  {
                    "name": "SQL_USER",
                    "value": "root"
                  },
                  {
                    "name": "SQL_PASSWORD",
                    "value": "",
                    "valueFrom": {
                      "secretKeyRef": {
                        "key": "sql_password",
                        "localObjectReference": {
                          "name": "airflow-secrets"
                        }
                      }
                    }
                  },
                  {
                    "name": "COMPOSER_GKE_ZONE",
                    "value": ""
                  },
                  {
                    "name": "COMPOSER_GKE_NAME",
                    "value": "us-west2-looker-composer-13ff96ad-gke"
                  },
                  {
                    "name": "SQL_SUBNET",
                    "value": ""
                  },
                  {
                    "name": "AUTOGKE",
                    "value": "TRUE"
                  },
                  {
                    "name": "COMPOSER_GKE_LOCATION",
                    "value": "us-west2"
                  }
                ],
                "image": "us-docker.pkg.dev/cloud-airflow-releaser/gcs-syncd/gcs-syncd:cloud_composer_service_2022-08-23-RC2",
                "imagePullPolicy": "IfNotPresent",
                "name": "gcs-syncd",
                "resources": {
                  "limits": {
                    "cpu": "375m",
                    "ephemeral-storage": "102Mi",
                    "memory": "384Mi"
                  },
                  "requests": {
                    "cpu": "375m",
                    "ephemeral-storage": "102Mi",
                    "memory": "384Mi"
                  }
                },
                "stdin": false,
                "stdinOnce": false,
                "terminationMessagePath": "/dev/termination-log",
                "terminationMessagePolicy": "File",
                "tty": false,
                "volumeMounts": [
                  {
                    "mountPath": "/home/airflow/gcs",
                    "name": "gcsdir",
                    "readOnly": false,
                    "subPath": "",
                    "subPathExpr": ""
                  }
                ],
                "workingDir": ""
              }
            ],
            "dnsPolicy": "ClusterFirst",
            "hostIPC": false,
            "hostNetwork": false,
            "hostPID": false,
            "hostname": "",
            "nodeName": "",
            "priorityClassName": "",
            "restartPolicy": "Always",
            "schedulerName": "default-scheduler",
            "securityContext": {},
            "serviceAccount": "",
            "serviceAccountName": "",
            "subdomain": "",
            "terminationGracePeriodSeconds": 30,
            "tolerations": [
              {
                "effect": "NoSchedule",
                "key": "kubernetes.io/arch",
                "operator": "Equal",
                "value": "amd64"
              }
            ],
            "volumes": [
              {
                "name": "airflow-config",
                "volumeSource": {
                  "configMap": {
                    "defaultMode": 420,
                    "localObjectReference": {
                      "name": "airflow-configmap"
                    }
                  }
                }
              },
              {
                "name": "gcsdir",
                "volumeSource": {
                  "emptyDir": {
                    "medium": ""
                  }
                }
              },
              {
                "name": "container-comms",
                "volumeSource": {
                  "hostPath": {
                    "path": "/var/composer/gcs_mount_status",
                    "type": ""
                  }
                }
              },
              {
                "name": "gcsfuse",
                "volumeSource": {
                  "hostPath": {
                    "path": "/var/composer/gcs_mount",
                    "type": ""
                  }
                }
              }
            ]
          }
        }
      },
      "status": {
        "availableReplicas": 1,
        "conditions": [
          {
            "lastTransitionTime": "2023-04-04T09:31:48Z",
            "lastUpdateTime": "2023-04-04T09:31:48Z",
            "message": "Deployment has minimum availability.",
            "reason": "MinimumReplicasAvailable",
            "status": "True",
            "type": "Available"
          },
          {
            "lastTransitionTime": "2023-04-04T09:31:48Z",
            "lastUpdateTime": "2023-04-04T09:38:49Z",
            "message": "ReplicaSet \\"airflow-scheduler-5569f66584\\" has successfully progressed.",
            "reason": "NewReplicaSetAvailable",
            "status": "True",
            "type": "Progressing"
          }
        ],
        "observedGeneration": 2,
        "readyReplicas": 1,
        "replicas": 1,
        "unavailableReplicas": 0,
        "updatedReplicas": 1
      }
    }
  },
  "ancestors": [
    "projects/582699623097",
    "organizations/383339652788"
  ]
}

Field mapping reference

This section explains how the Google SecOps parser maps Google Cloud Kubernetes Context logs fields to Google SecOps UDM fields.

Log field

UDM mapping

Logic

resource.data.autoscaling.autoprovisioningNodePoolDefaults.serviceAccount

entity.email

resource.data.config.serviceAccount

entity.email

resource.data.spec.hostname

entity.hostname

resource.data.metadata.labels.kubernetes.io/hostname

entity.hostname

resource.data.privateClusterConfig.privateEndpoint

entity.ip

If the assetType log field value is equal to container.googleapis.com/Cluster , then temp_ip field is extracted from the resource.data.privateClusterConfig.privateEndpoint log field using Grok pattern, and the temp_ip field value is mapped to the entity.ip UDM field.

resource.data.spec.loadBalancerIP

entity.ip

If the assetType log field value is equal to k8s.io/Service , then temp_ip field is extracted from the resource.data.spec.loadBalancerIP log field using Grok pattern, and the temp_ip field value is mapped to the entity.ip UDM field.

resource.data.status.hostIP

entity.ip

If the assetType log field value is equal to k8s.io/Pod , then temp_ip field is extracted from the resource.data.status.hostIP log field using Grok pattern, and the temp_ip field value is mapped to the entity.ip UDM field.

resource.data.networkConfig.podIpv4CidrBlock

entity.ip

If the assetType log field value is equal to container.googleapis.com/NodePool , then temp_ip field is extracted from the resource.data.networkConfig.podIpv4CidrBlock log field using Grok pattern, and the temp_ip field value is mapped to the entity.ip UDM field.

resource.data.spec.podCIDRs

entity.ip

If the assetType log field value is equal to container.googleapis.com/NodePool , then temp_ip field is extracted from the resource.data.spec.podCIDRs log field using Grok pattern, and the temp_ip field value is mapped to the entity.ip UDM field.

resource.data.location

entity.location.name

resource.data.metadata.labels.topology.kubernetes.io/region

entity.location.name

resource.data.metadata.labels.failure-domain.beta.kubernetes.io/region

entity.location.name

If the resource.data.metadata.labels.topology.kubernetes.io/region log field value is empty, then the resource.data.metadata.labels.failure-domain.beta.kubernetes.io/region log field is mapped to the entity.location.name UDM field.

resource.location

entity.location.name

resource.data.metadata.namespace

entity.namespace

resource.data.privateClusterConfig.publicEndpoint

entity.nat_ip

resource.data.status.nodeInfo.operatingSystem

entity.platform

If one of the following conditions is met, then the entity.platform UDM field is set to LINUX :

If the resource.data.status.nodeInfo.operatingSystem log field value is not empty and the resource.data.status.nodeInfo.operatingSystem log field value matches the regular expression pattern linux
If the resource.data.spec.nodeSelector.beta.kubernetes.io/os log field value is not empty and the resource.data.spec.nodeSelector.beta.kubernetes.io/os log field value matches the regular expression pattern linux
If the resource.data.spec.nodeSelector.kubernetes.io/os log field value is not empty and the resource.data.spec.nodeSelector.kubernetes.io/os log field value matches the regular expression pattern linux
If the resource.data.metadata.labels.kubernetes.io/os log field value is not empty and the resource.data.metadata.labels.kubernetes.io/os log field value matches the regular expression pattern linux
If the resource.data.metadata.labels.beta.kubernetes.io/os log field value is not empty and the resource.data.metadata.labels.beta.kubernetes.io/os log field value matches the regular expression pattern linux

If the entity.platform UDM field is not mapped then the entity.resource.attribute.labels[kubernetes_operatingSystem] UDM fields is mapped to one of the following log field:

resource.data.status.nodeInfo.operatingSystem log field if the resource.data.status.nodeInfo.operatingSystem log field value is not empty
resource.data.spec.nodeSelector.beta.kubernetes.io/os log field if the resource.data.spec.nodeSelector.beta.kubernetes.io/os log field value is not empty
resource.data.spec.nodeSelector.kubernetes.io/os log field if the resource.data.spec.nodeSelector.kubernetes.io/os log field value is not empty
resource.data.metadata.labels.kubernetes.io/os log field if the resource.data.metadata.labels.kubernetes.io/os log field value is not empty
resource.data.metadata.labels.beta.kubernetes.io/os log field if the resource.data.metadata.labels.beta.kubernetes.io/os log field value is not empty

resource.data.spec.nodeSelector.beta.kubernetes.io/os

entity.platform

resource.data.spec.nodeSelector.kubernetes.io/os

entity.platform

resource.data.metadata.labels.kubernetes.io/os

entity.platform

resource.data.metadata.labels.beta.kubernetes.io/os

entity.platform

resource.data.nodePools.locations

entity.resource_ancestors.attribute.cloud.availability_zone

resource.data.spec.template.spec.volumes.name

entity.resource_ancestors.name

resource.data.spec.volumes.name

entity.resource_ancestors.name

resource.data.nodePools.name

entity.resource_ancestors.name

resource.data.network

entity.resource_ancestors.name

resource.data.nodePools.config.oauthScopes

entity.resource_ancestors.attribute.permissions.name

entity.resource_ancestors.resource_type

If the resource.data.nodePools.name log field value is not empty, then the entity.resource_ancestors.resource_type UDM field is set to VIRTUAL_MACHINE .

If the resource.data.network log field value is not empty, then the entity.resource_ancestors.resource_type UDM field is set to VPC_NETWORK .

resource.data.metadata.labels.topology.kubernetes.io/zone

entity.resource.attribute.cloud.availability_zone

resource.data.metadata.labels.failure-domain.beta.kubernetes.io/zone

entity.resource.attribute.cloud.availability_zone

If the resource.data.metadata.labels.topology.kubernetes.io/zone log field value is empty, then the resource.data.metadata.labels.failure-domain.beta.kubernetes.io/zone log field is mapped to the entity.resource.attribute.cloud.availability_zone UDM field.

resource.data.locations

entity.resource.attribute.cloud.availability_zone

If the first value of the resource.data.spec.containers.ports.protocol log field value is equal to TCP or UDP , then the resource.data.spec.containers.ports.protocol log field is mapped to the relations.entity.network.ip_protocol UDM field.

Else, the resource.data.spec.containers.ports.protocol log field is mapped to the relations.entity.resource.attribute.labels[spec_containers_ports_protocol] UDM field.

entity.resource.attribute.cloud.environment

The entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM .

resource.data.metadata.creationTimestamp

entity.resource.attribute.creation_time

resource.data.roleRef.name

entity.resource.attribute.roles.name

name

entity.resource.name

resource.data.config.oauthScopes

entity.resource.attribute.permissions.name

resource.data.autoscaling.autoprovisioningNodePoolDefaults.oauthScopes

entity.resource.attribute.permissions.name

assetType

entity.resource.resource_subtype

entity.resource.resource_type

If the assetType log field value is equal to container.googleapis.com/Cluster or container.googleapis.com/NodePool , then the entity.resource.resource_type UDM field is set to CLUSTER .

Else, if the assetType log field value is equal to k8s.io/Node , then the entity.resource.resource_type UDM field is set to VIRTUAL_MACHINE .

Else, if the assetType log field value is equal to k8s.io/Pod , then the entity.resource.resource_type UDM field is set to POD .

Else, if the assetType log field value is equal to networking.k8s.io/NetworkPolicy , then the entity.resource.resource_type UDM field is set to ACCESS_POLICY .

Else, if the assetType log field value is equal to rbac.authorization.k8s.io/ClusterRole or rbac.authorization.k8s.io/ClusterRoleBinding or rbac.authorization.k8s.io/Role or rbac.authorization.k8s.io/RoleBinding , then the entity.resource.resource_type UDM field is set to SETTING .

Else, the entity.resource.resource_type UDM field is set to BACKEND_SERVICE .

resource.data.spec.priority

entity.security_result.priority_details

If the resource.data.spec.priority log field value is not empty and the resource.data.spec.priorityClassName log field value is not empty, then the resource.data.spec.priority - resource.data.spec.priorityClassName log field is mapped to the entity.security_result.priority_details UDM field.

Else, if the resource.data.spec.priority log field value is not empty, then the resource.data.spec.priorityClassName log field is mapped to the entity.security_result.priority_details UDM field.

Else, if the resource.data.spec.priorityClassName log field value is not empty, then the resource.data.spec.priority log field is mapped to the entity.security_result.priority_details UDM field.

resource.data.spec.priorityClassName

entity.security_result.priority_details

resource.data.metadata.selfLink

entity.url

resource.data.selfLink

entity.url

resource.data.spec.serviceAccountName

entity.user.userid

resource.data.createTime

metadata.creation_timestamp

resource.data.metadata.annotations.kubernetes.io/deprecation

metadata.description

metadata.entity_type

The metadata.entity_type UDM field is set to RESOURCE .

resource.data.metadata.uid

metadata.product_entity_id

The resource.data.metadata.uid log field is mapped to the metadata.product_entity_id UDM field.

If the resource.data.metadata.uid log field value is empty, then the resource.data.id log field is mapped to the metadata.product_entity_id UDM field.

If the resource.data.id log field value is empty, then the resource.data.name log field is mapped to the entity.resource.product_object_id UDM field.

resource.data.id

metadata.product_entity_id

resource.data.name

metadata.product_entity_id

resource.data.spec.providerID

entity.resource.product_object_id

If the metadata.product_entity_id UDM field value is empty and the entity.resource.product_object_id UDM field value is empty, then the resource.data.spec.providerID log field is mapped to the entity.resource.product_object_id UDM field.

Else, the resource.data.spec.providerID log field is mapped to the entity.resource.attribute.labels.spec_providerID UDM field.

metadata.product_name

The metadata.product_name UDM field is set to GCP Kubernetes .

resource.version

metadata.product_version

metadata.vendor_name

The metadata.vendor_name UDM field is set to Google Cloud Platform .

relations.entity_type

The relations.entity_type UDM field is set to RESOURCE if the value of the following log fields are not empty:

ancestors
resource.data.metadata.clusterName
resource.data.spec.containers.name
resource.data.spec.template.spec.containers.name
resource.data.spec.template.metadata.clusterName
resource.data.status.containerStatuses.name
resource.data.status.initContainerStatuses.name
resource.data.spec.initContainers.name
resource.data.spec.template.spec.initContainers.name
resource.data.metadata.ownerReferences.name

resource.data.spec.containers.workingDir

relations.entity.file.full_path

resource.data.spec.template.spec.containers.workingDir

relations.entity.file.full_path

resource.data.spec.initContainers.workingDir

relations.entity.file.full_path

resource.data.spec.template.spec.initContainers.workingDir

relations.entity.file.full_path

relations.direction

The relations.direction UDM field is set to UNIDIRECTIONAL if the value of the following log fields are not empty:

ancestors
resource.data.metadata.clusterName
resource.data.spec.containers.name
resource.data.spec.template.spec.containers.name
resource.data.spec.template.metadata.clusterName
resource.data.status.containerStatuses.name
resource.data.status.initContainerStatuses.name
resource.data.spec.initContainers.name
resource.data.spec.template.spec.initContainers.name
resource.data.metadata.ownerReferences.name

resource.data.spec.containers.ports.protocol

relations.entity.network.ip_protocol

If the index log field value is equal to 0 and the resource.data.spec.containers.ports.protocol log field value is equal to TCP or UDP , then the resource.data.spec.containers.ports.protocol log field is mapped to the relations.entity.network.ip_protocol UDM field.

Else, the resource.data.spec.containers.ports.protocol log field is mapped to the

relations.entity.resource.attribute.labels.spec_containers_ports protocol 
%index

UDM field.

relations.entity.resource_ancestors.attribute.cloud.environment

The res_type field is extracted from the ancestors log field using Grok pattern. If the resource.parent log field value does not contain the res_type field value, then the relations.entity.resource_ancestors.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM .

ancestors

relations.entity.resource_ancestors.name

The res_type field is extracted from the ancestors log field using Grok pattern. If the resource.parent log field value does not contain the res_type field value, then the ancestors log field is mapped to the relations.entity.resource_ancestors.name UDM field.

relations.entity.resource_ancestors.resource_subtype

The res_type field is extracted from the ancestors log field using Grok pattern. If the resource.parent log field value does not contain the res_type field value, then the res_type field is mapped to the relations.entity.resource_ancestors.resource_subtype UDM field.

relations.entity.resource_ancestors.resource_type

The res_type field is extracted from the ancestors log field using Grok pattern. If the resource.parent log field value does not contain the res_type field value, then the relations.entity.resource_ancestors.resource_type UDM field is set to CLOUD_PROJECT .

relations.entity.resource.attribute.cloud.environment

The res_type field is extracted from the ancestors log field using Grok pattern. If the resource.parent log field value does not contain the res_type field value, then the relations.entity.resource.attribute.cloud.environment UDM field is set to GOOGLE_CLOUD_PLATFORM .

resource.parent