Collect Apigee logs
Supported in:
This document describes how you can collect Apigee logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how log fields of Apigee logs map to Google Security Operations Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google Security Operations .
A typical deployment consists of Apigee logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.
The deployment contains the following components:
-
Google Cloud: The Google Cloud services and products from which you collect logs.
-
Apigee logs: The Apigee logs that are enabled for ingestion to Google Security Operations.
-
Google Security Operations: Google Security Operations retains and analyzes the logs from Apigee.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the GCP_APIGEE_X
ingestion label.
Before you begin
-
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
-
Before starting, confirm that you have either Log Collection with MessageLogging Policy or (Legacy) Log Collection with ServiceCallout Policy set up.
-
To setup up Log Collection with MessageLogging Policy, follow the steps in the Apigee Google Cloud Integration guide .
Configure Google Cloud to ingest Apigee logs
To ingest Apigee logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.
If you encounter issues when you ingest Apigee logs, contact Google Security Operations support .
Supported Apigee log formats
The Apigee parser supports logs in JSON format.
Supported Apigee Sample Logs
-
JSON
{ "insertId": "12wnv8zf7np8nh", "jsonPayload": { "proxy.name": "myproxy", "app.name": "", "environment.name": "test-env", "system.region.name": "us-west1", "developer.email": "", "target.country": "", "request.content-length": "", "client.state": "", "response.status.code": "200", "request.content-type": "", "response.content-type": "application/xml; charset\u003dutf-8", "proxy.revision": "6", "response.content-length": "141", "proxy.proxyendpoint.name": "default", "organization.name": "test-dummy-57377", "error.state": "", "error": "false", "fault.name": "", "client.locality": "", "target.state": "", "proxy.pathsuffix": "", "client.port": "50386", "system.uuid": "7f2fde33-5f39-4866-a073-e6c31a4664e2", "target.scheme": "https", "request.user-agent": "curl/8.5.0", "target.locality": "", "messageid": "f8093238-2f51-42ab-ae44-dec9f451c7474", "target.port": "443", "target.ip": "198.51.100.0", "apiproduct.name": "", "request.url": "https://", "request.x-cloud-trace-context": "e3d3fea1742455ede2dad1d975361511/11739831648342702971", "request.httpversion": "1.1", "target.host": "mocktarget.apigee.net", "target.url": "https://mocktarget.apigee.net/xml", "proxy.basepath": "/myproxy", "target.cn": "mocktarget.apigee.net", "client.country": "", "client.cn": "", "cachehit": "", "target.organization": "", "client.ip": "198.51.100.0", "system.timestamp": "1754652492121", "request.host": "", "request.verb": "GET", "request.x-b3-traceid": "31339f721d4be35ff2932fa471979252", "client.scheme": "https", "error.message": "" }, "resource": { "type": "api", "labels": { "project_id": "test-dummy-57377", "version": "", "location": "", "method": "", "service": "" } }, "timestamp": "2025-08-08T11:28:12.203938277Z", "severity": "INFO", "logName": "projects/test-dummy-57377/logs/apigee-secops-integration-test-env", "receiveTimestamp": "2025-08-08T11:28:12.203938277Z" }
Field mapping reference
This section explains how the Google SecOps parser maps Apigee logs fields to Google Security Operations Unified Data Model (UDM) fields.
Field mapping reference: GCP_APIGEE_X Log Collection with MessageLogging Policy logs
The following table lists the log fields of the GCP_APIGEE_X
Log Collection with MessageLogging Policy log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
insertId
|
metadata.product_log_id
|
|
jsonPayload.request.queryparams.count
|
target.resource.attribute.labels[json_payload_request_queryparams_count]
|
|
jsonPayload.request.uri
|
target.resource.name
|
|
|
target.resource.resource_type
|
If the jsonPayload.request.uri
log field value is not
empty, then the target.resource.resource_type
UDM field is set to BACKEND_SERVICE
. |
jsonPayload.target.host
|
target.hostname
|
|
jsonPayload.log.sni_host
|
target.hostname
|
|
jsonPayload.target.host
|
target.asset.hostname
|
|
jsonPayload.log.sni_host
|
target.asset.hostname
|
|
jsonPayload.target.sent.start.timestamp
|
target.resource.attribute.labels[json_payload_target_sent_start_timestamp]
|
|
jsonPayload.response.reason.phrase
|
security_result.summary
|
|
jsonPayload.response.reason
|
security_result.summary
|
|
jsonPayload.target.cn
|
target.resource.attribute.labels[json_payload_target_cn]
|
|
jsonPayload.target.port
|
target.port
|
|
jsonPayload.request.path
|
target.resource.attribute.labels[json_payload_request_path]
|
|
jsonPayload.target.ip
|
target.ip
|
|
jsonPayload.request.queryparam.param_name
|
target.resource.attribute.labels[json_payload_request_queryparams_param_name]
|
|
jsonPayload.request.queryparam.param_name.values
|
target.resource.attribute.labels[json_payload_request_queryparams_param_values]
|
|
jsonPayload.client.sent.end.timestamp
|
principal.resource.attribute.labels[client sent end timestamp]
|
|
jsonPayload.response.content
|
security_result.description
|
|
jsonPayload.target.organization
|
target.resource_ancestors.name
|
|
jsonPayload.log.organization
|
target.resource_ancestors.name
|
|
|
target.resource_ancestors.resource_type
|
If the jsonPayload.target.organization
log field value is not
empty or the jsonPayload.log.organization
log field value is not
empty, then the target.resource_ancestors.resource_type
UDM field is set to CLOUD_ORGANIZATION
. |
jsonPayload.target.organization.unit
|
target.resource_ancestors.attribute.labels[json_payload_target_organization_unit]
|
|
jsonPayload.proxy.client.ip
|
src.ip
|
|
jsonPayload.error.content
|
security_result.about.resource.attribute.labels[error_content]
|
|
jsonPayload.response.headers.names
|
target.resource.attribute.labels[response_headers_names]
|
|
jsonPayload.error.state
|
security_result.about.resource.attribute.labels[state]
|
|
jsonPayload.proxy.pathsuffix
|
intermediary.resource.attribute.labels[pathsuffix]
|
|
jsonPayload.log.proxy_basepath
|
intermediary.resource.attribute.labels[pathsuffix]
|
|
jsonPayload.messageid
|
metadata.product_event_type
|
|
jsonPayload.request.verb
|
network.http.method
|
|
jsonPayload.response.status.code
|
network.http.response_code
|
|
jsonPayload.log.status
|
network.http.response_code
|
|
jsonPayload.response.code
|
network.http.response_code
|
|
jsonPayload.request.transportid
|
target.resource.attribute.labels[json_payload_request_transport_id]
|
|
jsonPayload.request.content
|
target.resource.attribute.labels[json_payload_request_content]
|
|
jsonPayload.client.received.start.timestamp
|
principal.resource.attribute.labels[client_received_start_timestamp]
|
|
jsonPayload.target.basepath
|
target.resource.attribute.labels[basepath]
|
|
jsonPayload.proxy.url
|
intermediary.url
|
|
jsonPayload.request.url
|
target.resource.attribute.labels[json_payload_request_url]
|
|
jsonPayload.client.sent.start.timestamp
|
principal.resource.attribute.labels[json_payload_client_sent_start_timestamp]
|
|
jsonPayload.client.received.end.timestamp
|
principal.resource.attribute.labels[client end timestamp]
|
|
jsonPayload.target.sent.end.timestamp
|
target.resource.attribute.labels[json_payload_target_sent_end_timestamp]
|
|
jsonPayload.apigee.metrics.policy..timeTaken
|
security_result.rule_labels[apigee_metrics_policy_time_taken]
|
|
jsonPayload.target.scheme
|
target.network.application_protocol
|
|
jsonPayload.request.queryparams.names
|
target.resource.attribute.labels[json_payload_request_queryparams_names]
|
|
jsonPayload.request.version
|
target.resource.attribute.labels[json_payload_request_version]
|
|
jsonPayload.request.httpversion
|
target.resource.attribute.labels[json_payload_request_version]
|
|
jsonPayload.system.timestamp
|
additional.fields[jsonPayload_system_timestamp]
|
|
jsonPayload.client.scheme
|
principal.network.application_protocol
|
|
jsonPayload.request.header.header_name
|
target.resource.attribute.labels[json_payload_request_header_name]
|
|
jsonPayload.request.header.header_name.values
|
target.resource.attribute.labels[request_header_name_values]
|
|
jsonPayload.target.url
|
target.url
|
|
jsonPayload.url
|
target.url
|
|
jsonPayload.response.header.header_name.values
|
target.resource.attribute.labels[response_header_name_values]
|
|
jsonPayload.request.querystring
|
target.resource.attribute.labels[json_payload_request_querystring]
|
|
jsonPayload.response.headers.count
|
target.resource.attribute.labels[response_headers_count]
|
|
|
principal.resource.resource_type
|
If the resource.type
log field value is equal to gce_instance
, then the principal.resource.resource_type
UDM field is set to VIRTUAL_MACHINE
. |
resource.type
|
principal.resource.resource_subtype
|
|
resource.labels.instance_id
|
principal.resource.product_object_id
|
|
resource.labels.project_id
|
principal.resource_ancestors.product_object_id
|
|
|
principal.resource_ancestors.resource_type
|
The if the
UDM field is set to CLOUD_PROJECT
. |
resource.labels.zone
|
principal.resource.attribute.cloud.availability_zone
|
|
timestamp
|
metadata.event_timestamp
|
|
severity
|
security_result.severity
|
If the severity
log field value is equal to ERROR
, then the severity
log field is mapped to the security_result.severity
UDM field. |
severity
|
security_result.severity_details
|
|
logName
|
security_result.category_details
|
|
logName
|
principal.resource.attribute.labels[Log Name]
|
|
receiveTimestamp
|
metadata.collected_timestamp
|
|
jsonPayload.client.ip
|
principal.ip
|
|
jsonPayload.log.origin_address
|
principal.ip
|
|
jsonPayload.client.host
|
principal.ip
|
|
jsonPayload.request.formparam.param_name.values
|
target.resource.attribute.labels[json_payload_request_form_param_name_values]
|
|
jsonPayload.request.formparam.param_name
|
target.resource.attribute.labels[json_payload_request_form_param_name]
|
|
jsonPayload.request.formparams.count
|
target.resource.attribute.labels[json_payload_request_form_params_count]
|
|
jsonPayload.request.formparams.names
|
target.resource.attribute.labels[json_payload_request_form_params_names]
|
|
jsonPayload.request.formstring
|
target.resource.attribute.labels[json_payload_request_form_string]
|
|
jsonPayload.response.transport.message
|
target.resource.attribute.labels[response_transport_message]
|
|
jsonPayload.response.header.header_name
|
target.resource.attribute.labels[response_header_name]
|
|
jsonPayload.apigee.metrics.policy.policy_name.timeTaken
|
security_result.rule_labels[apigee_metrics_policy_policy_name_timeTaken]
|
|
jsonPayload.apiproduct.operation
|
intermediary.resource.attribute.labels[api_product_operation]
|
|
jsonPayload.apiproduct.operation.resource
|
intermediary.resource.attribute.labels[api_product_operation_resource]
|
|
jsonPayload.apiproduct.operation.methods
|
intermediary.resource.attribute.labels[api_product_operation_methods]
|
|
jsonPayload.apiproduct.operation.attributes.key_name
|
intermediary.resource.attribute.labels[api_product_operation_attributes_key_name]
|
|
jsonPayload.proxy.name
|
intermediary.resource.name
|
|
jsonPayload.proxy.revision
|
intermediary.resource.attribute.labels[json_payload_proxy_revision]
|
|
jsonPayload.apiproxy.basepath
|
intermediary.resource.attribute.labels[json_payload_api_proxy_basepath]
|
|
jsonPayload.client.cn
|
principal.resource.attribute.labels[json_payload_client_cn]
|
|
jsonPayload.client.country
|
principal.location.country_or_region
|
|
jsonPayload.client.email.address
|
principal.email
|
|
jsonPayload.client.locality
|
principal.location.city
|
|
jsonPayload.client.organization
|
principal.resource_ancestors.name
|
|
|
principal.resource_ancestors.resource_type
|
If the jsonPayload.client.organization
log field value is not
empty, then the principal.resource_ancestors.resource_type
UDM field is set to CLOUD_ORGANIZATION
. |
jsonPayload.client.organization.unit
|
principal.resource_ancestors.attribute.labels[client_organization_unit]
|
|
jsonPayload.client.port
|
principal.port
|
|
jsonPayload.client.received.end.time
|
principal.resource.attribute.labels[client_received_end_time]
|
|
jsonPayload.client.received.start.time
|
principal.resource.attribute.labels[client_received_start_time]
|
|
jsonPayload.client.sent.end.time
|
principal.resource.attribute.labels[client_sent_end_time]
|
|
jsonPayload.client.sent.start.time
|
principal.resource.attribute.labels[client_sent_start_time]
|
|
jsonPayload.client.ssl.enabled
|
principal.resource.attribute.labels[client_ssl_enabled]
|
|
jsonPayload.client.state
|
principal.resource.attribute.labels[client_state]
|
|
jsonPayload.current.flow.name
|
additional.fields[current_flow_name]
|
|
jsonPayload.current.flow.description
|
additional.fields[current_flow_description]
|
|
jsonPayload.environment.name
|
additional.fields[environment_name]
|
|
jsonPayload.error
|
security_result.about.resource.attribute.labels[jsonPayload_error]
|
|
jsonPayload.error.message
|
security_result.about.resource.attribute.labels[message]
|
|
jsonPayload.error.status.code
|
security_result.about.resource.attribute.labels[jsonPayload_error_status_code]
|
|
jsonPayload.error.reason.phrase
|
security_result.about.resource.attribute.labels[jsonPayload_error_reason_phrase]
|
|
jsonPayload.error.transport.message
|
security_result.about.resource.attribute.labels[jsonPayload_error_transport_message]
|
|
jsonPayload.error.header.header_name
|
security_result.about.resource.attribute.labels[error_header_name]
|
|
jsonPayload.fault.name
|
security_result.about.resource.attribute.labels[fault_name]
|
|
jsonPayload.fault.reason
|
security_result.about.resource.attribute.labels[fault_reason]
|
If the jsonPayload.error.faultReason
log field value is empty, then the jsonPayload.fault.reason
log field is mapped to the security_result.description
UDM field.Else, the jsonPayload.fault.reason
log field is mapped to the security_result.about.resource.attribute.labels.fault_reason
UDM field. |
jsonPayload.fault.category
|
security_result.category_details
|
|
jsonPayload.fault.subcategory
|
security_result.category_details
|
|
jsonPayload.literal_value
|
additional.fields[jsonPayload_literal_value]
|
|
jsonPayload.graphql
|
additional.fields[graphql]
|
|
jsonPayload.graphql.fragment
|
additional.fields[graphql_fragment]
|
|
jsonPayload.graphql.fragment.count
|
additional.fields[graphql_fragment_count]
|
|
jsonPayload.graphql.fragment.INDEX.selectionSet.INDEX
|
additional.fields[graphql_fragment_INDEX_selectionSet_INDEX]
|
|
jsonPayload.graphql.fragment.INDEX.selectionSet.INDEX.name
|
additional.fields[graphql_fragment_INDEX_selectionSet_INDEX_name]
|
|
jsonPayload.graphql.fragment.INDEX.selectionSet.count
|
additional.fields[graphql_fragment_INDEX_selectionSet_count]
|
|
jsonPayload.graphql.fragment.INDEX.selectionSet.name
|
additional.fields[graphql_fragment_INDEX_selectionSet_name]
|
|
jsonPayload.graphql.operation
|
additional.fields[graphql_operation]
|
|
jsonPayload.graphql.operation.name
|
additional.fields[graphql_operation_name]
|
|
jsonPayload.graphql.operation.operationType
|
additional.fields[graphql_operation_operationType]
|
|
jsonPayload.graphql.operation.selectionSet
|
additional.fields[graphql_operation_selectionSet]
|
|
jsonPayload.graphql.operation.selectionSet.count
|
additional.fields[graphql_operation_selectionSet_count]
|
|
jsonPayload.graphql.operation.selectionSet.name
|
additional.fields[graphql_operation_selectionSet_name]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX
|
additional.fields[graphql_operation_selectionSet_INDEX]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.name
|
additional.fields[graphql_operation_selectionSet_INDEX_name]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.[selectionSet]
|
additional.fields[graphql_operation_selectionSet_INDEX_selectionSet]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive
|
additional.fields[graphql_operation_selectionSet_INDEX_directive]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.count
|
additional.fields[graphql_operation_selectionSet_INDEX_directive_count]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX
|
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX
|
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX.name
|
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX_name]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.INDEX.argument.INDEX.value
|
additional.fields[graphql_operation_selectionSet_INDEX_directive_INDEX_argument_INDEX_value]
|
|
jsonPayload.graphql.operation.selectionSet.INDEX.directive.name
|
additional.fields[graphql_operation_selectionSet_INDEX_directive_name]
|
|
jsonPayload.graphql.operation.variableDefinitions
|
additional.fields[graphql_operation_variableDefinitions]
|
|
jsonPayload.graphql.operation.variableDefinitions.count
|
additional.fields[graphql_operation_variableDefinitions_count]
|
|
jsonPayload.graphql.operation.variableDefinitions.INDEX
|
additional.fields[graphql_operation_variableDefinitions_INDEX]
|
|
jsonPayload.graphql.operation.variableDefinitions.INDEX.name
|
additional.fields[graphql_operation_variableDefinitions_INDEX_name]
|
|
jsonPayload.graphql.operation.variableDefinitions.INDEX.type
|
additional.fields[graphql_operation_variableDefinitions_INDEX_type]
|
|
jsonPayload.is.error
|
security_result.about.resource.attribute.labels[is_error]
|
|
jsonPayload.loadbalancing.failedservers
|
intermediary.resource.attribute.labels[loadbalancing_failed_servers]
|
|
jsonPayload.loadbalancing.isfallback
|
intermediary.resource.attribute.labels[loadbalancing_is_fallback]
|
|
jsonPayload.loadbalancing.targetserver
|
intermediary.resource.attribute.labels[loadbalancing_target_server]
|
|
jsonPayload.message
|
additional.fields[jsonPayload_message]
|
|
jsonPayload.message.content
|
additional.fields[message_content]
|
|
jsonPayload.message.formparam.param_name
|
additional.fields[message_formparam_param_name]
|
|
jsonPayload.message.formparam.param_name.values
|
additional.fields[message_formparam_param_name_values]
|
|
jsonPayload.message.formparam.param_name.values.count
|
additional.fields[message_formparam_param_name_values_count]
|
|
jsonPayload.message.formparams.count
|
additional.fields[message_formparams_count]
|
|
jsonPayload.message.formparams.names
|
additional.fields[message_formparams_names]
|
|
jsonPayload.message.formstring
|
additional.fields[message_formstring]
|
|
jsonPayload.message.header.header_name
|
additional.fields[message_header_header_name]
|
|
jsonPayload.message.header.header_name.N
|
additional.fields[message_header_header_name_N]
|
|
jsonPayload.message.header.header_name.values
|
additional.fields[message_header_header_name_values]
|
|
jsonPayload.message.header.header_name.values.count
|
additional.fields[message_header_header_name_values_count]
|
|
jsonPayload.message.header.header_name.values.string
|
additional.fields[message_header_header_name_values_string]
|
|
jsonPayload.message.headers.count
|
additional.fields[message_headers_count]
|
|
jsonPayload.message.headers.names
|
additional.fields[message_headers_names]
|
|
jsonPayload.message.path
|
additional.fields[message_path]
|
|
jsonPayload.message.queryparam.param_name
|
additional.fields[message_queryparam_param_name]
|
|
jsonPayload.message.queryparam.param_name.N
|
additional.fields[message_queryparam_param_name_N]
|
|
jsonPayload.message.queryparam.param_name.values
|
additional.fields[message_queryparam_param_name_values]
|
|
jsonPayload.message.queryparam.param_name.values.count
|
additional.fields[message_queryparam_param_name_values_count]
|
|
jsonPayload.message.queryparams.count
|
additional.fields[message_queryparams_count]
|
|
jsonPayload.message.queryparams.names
|
additional.fields[message_queryparams_names]
|
|
jsonPayload.message.querystring
|
additional.fields[message_querystring]
|
|
jsonPayload.message.status.code
|
additional.fields[message_status_code]
|
|
jsonPayload.message.transport.message
|
additional.fields[message_transport_message]
|
|
jsonPayload.message.uri
|
additional.fields[message_uri]
|
|
jsonPayload.message.verb
|
additional.fields[message_verb]
|
|
jsonPayload.message.version
|
additional.fields[message_version]
|
|
jsonPayload.mint.limitscheck.is_request_blocked
|
additional.fields[mint_limitscheck_is_request_blocked]
|
|
jsonPayload.mint.limitscheck.is_subscription_found
|
additional.fields[mint_limitscheck_is_subscription_found]
|
|
jsonPayload.mint.limitscheck.prepaid_developer_balance
|
additional.fields[mint_limitscheck_prepaid_developer_balance]
|
|
jsonPayload.mint.limitscheck.prepaid_developer_currency
|
additional.fields[mint_limitscheck_prepaid_developer_currency]
|
|
jsonPayload.mint.limitscheck.purchased_product_name
|
additional.fields[mint_limitscheck_purchased_product_name]
|
|
jsonPayload.mint.limitscheck.status_message
|
additional.fields[mint_limitscheck_status_message]
|
|
jsonPayload.mint.mintng_consumption_pricing_rates
|
additional.fields[mint_mintng_consumption_pricing_rates]
|
|
jsonPayload.mint.mintng_consumption_pricing_type
|
additional.fields[mint_mintng_consumption_pricing_type]
|
|
jsonPayload.mint.mintng_currency
|
additional.fields[mint_mintng_currency]
|
|
jsonPayload.mint.mintng_dev_share
|
additional.fields[mint_mintng_dev_share]
|
|
jsonPayload.mint.mintng_is_apiproduct_monetized
|
additional.fields[mint_mintng_is_apiproduct_monetized]
|
|
jsonPayload.mint.mintng_price
|
additional.fields[mint_mintng_price]
|
|
jsonPayload.mint.mintng_price_multiplier
|
additional.fields[mint_mintng_price_multiplier]
|
|
jsonPayload.mint.mintng_rate
|
additional.fields[mint_mintng_rate]
|
|
jsonPayload.mint.mintng_rate_before_multipliers
|
additional.fields[mint_mintng_rate_before_multipliers]
|
|
jsonPayload.mint.mintng_rate_plan_id
|
additional.fields[mint_mintng_rate_plan_id]
|
|
jsonPayload.mint.mintng_revenue_share_rates
|
additional.fields[mint_mintng_revenue_share_rates]
|
|
jsonPayload.mint.mintng_revenue_share_type
|
additional.fields[mint_mintng_revenue_share_type]
|
|
jsonPayload.mint.mintng_tx_success
|
additional.fields[mint_mintng_tx_success]
|
|
jsonPayload.mint.prepaid_updated_developer_usage
|
additional.fields[mint_prepaid_updated_developer_usage]
|
|
jsonPayload.mint.rateplan_end_time_ms
|
additional.fields[mint_rateplan_end_time_ms]
|
|
jsonPayload.mint.rateplan_start_time_ms
|
additional.fields[mint_rateplan_start_time_ms]
|
|
jsonPayload.mint.status
|
additional.fields[mint_status]
|
|
jsonPayload.mint.status_code
|
additional.fields[mint_status_code]
|
|
jsonPayload.mint.subscription_end_time_ms
|
additional.fields[mint_subscription_end_time_ms]
|
|
jsonPayload.mint.subscription_start_time_ms
|
additional.fields[mint_subscription_start_time_ms]
|
|
jsonPayload.mint.tx_success_result
|
additional.fields[mint_tx_success_result]
|
|
jsonPayload.organization.name
|
principal.resource_ancestors.name
|
|
|
principal.resource_ancestors.resource_type
|
If the jsonPayload.organization.name
log field value is not
empty, then the principal.resource_ancestors.resource_type
UDM field is set to CLOUD_ORGANIZATION
. |
jsonPayload.proxy.basepath
|
intermediary.resource.attribute.labels[proxy_basepath]
|
|
jsonPayload.proxy
|
intermediary.resource.attribute.labels[proxy]
|
|
jsonPayload.proxy.proxyendpoint.name
|
intermediary.resource.attribute.labels[proxy_endpoint_name]
|
|
jsonPayload.publishmessage.message.id
|
additional.fields[publishmessage_message_id]
|
|
jsonPayload.ratelimit.policy_name.allowed.count
|
security_result.rule_labels[ratelimit_policy_name_allowed_count]
|
|
jsonPayload.ratelimit.policy_name.used.count
|
security_result.rule_labels[ratelimit_policy_name_used_count]
|
|
jsonPayload.ratelimit.policy_name.available.count
|
security_result.rule_labels[ratelimit_policy_name_available_count]
|
|
jsonPayload.ratelimit.policy_name.exceed.count
|
security_result.rule_labels[ratelimit_policy_name_exceed_count]
|
|
jsonPayload.ratelimit.policy_name.total.exceed.count
|
security_result.rule_labels[ratelimit_policy_name_total_exceed_count]
|
|
jsonPayload.ratelimit.policy_name.expiry.time
|
security_result.rule_labels[ratelimit_policy_name_expiry_time]
|
|
jsonPayload.ratelimit.policy_name.identifier
|
security_result.rule_id
|
|
jsonPayload.ratelimit.policy_name.class
|
security_result.rule_labels[ratelimit_policy_name_class]
|
|
jsonPayload.ratelimit.policy_name.class.allowed.count
|
security_result.rule_labels[ratelimit_policy_name_class_allowed_count]
|
|
jsonPayload.ratelimit.policy_name.class.used.count
|
security_result.rule_labels[ratelimit_policy_name_class_used_count]
|
|
jsonPayload.ratelimit.policy_name.class.available.count
|
security_result.rule_labels[ratelimit_policy_name_class_available_count]
|
|
jsonPayload.ratelimit.policy_name.class.exceed.count
|
security_result.rule_labels[ratelimit_policy_name_class_exceed_count]
|
|
jsonPayload.ratelimit.policy_name.class.total.exceed.count
|
security_result.rule_labels[ratelimit_policy_name_class_total_exceed_count]
|
|
jsonPayload.ratelimit.policy_name.failed
|
security_result.rule_labels[ratelimit_policy_name_failed]
|
|
jsonPayload.request
|
target.resource.attribute.labels[request]
|
|
jsonPayload.request.formparam.param_name.values.count
|
target.resource.attribute.labels[request_formparam_name_values_count]
|
|
jsonPayload.request.formparam.param_name.N
|
target.resource.attribute.labels[request_formparam_name_N]
|
|
jsonPayload.request.grpc.rpc.name
|
target.resource.attribute.labels[request_grpc_rpc_name]
|
|
jsonPayload.request.grpc.service.name
|
target.resource.attribute.labels[request_grpc_service_name]
|
|
jsonPayload.request.header.header_name.N
|
target.resource.attribute.labels[request_header_name_N]
|
|
jsonPayload.request.header.header_name.values.count
|
target.resource.attribute.labels[request_header_name_values_count]
|
|
jsonPayload.request.header.header_name.values.string
|
target.resource.attribute.labels[request_header_name_values_string]
|
|
jsonPayload.request.headers.count
|
target.resource.attribute.labels[request_headers_count]
|
|
jsonPayload.request.headers.names
|
target.resource.attribute.labels[request_headers_names]
|
|
jsonPayload.request.queryparam.param_name.N
|
target.resource.attribute.labels[request_queryparam_name_N]
|
|
jsonPayload.request.queryparam.param_name.values.count
|
target.resource.attribute.labels[request_queryparam_name_values_count]
|
|
jsonPayload.request.transport.message
|
target.resource.attribute.labels[request_transport_message]
|
|
jsonPayload.response
|
target.resource.attribute.labels[response]
|
|
jsonPayload.response.header.header_name.values.count
|
target.resource.attribute.labels[response_header_name_values_count]
|
|
jsonPayload.response.header.header_name.values.string
|
target.resource.attribute.labels[response_header_name_values_string]
|
|
jsonPayload.response.header.header_name.N
|
target.resource.attribute.labels[response_header_name_N]
|
|
jsonPayload.system.interface.interface_name
|
intermediary.ip
|
|
|
intermediary.resource_ancestors.resource_type
|
If the jsonPayload.system.pod.name
log field value is not
empty, then the intermediary.resource_ancestors.resource_type
UDM field is set to POD
. |
jsonPayload.system.pod.name
|
intermediary.resource_ancestors.name
|
|
jsonPayload.system.region.name
|
intermediary.location.country_or_region
|
|
jsonPayload.system.time
|
intermediary.resource.attribute.labels[system_time]
|
|
jsonPayload.system.time.year
|
intermediary.resource.attribute.labels[system_time_year]
|
|
jsonPayload.system.time.month
|
intermediary.resource.attribute.labels[system_time_month]
|
|
jsonPayload.system.time.day
|
intermediary.resource.attribute.labels[system_time_day]
|
|
jsonPayload.system.time.dayofweek
|
intermediary.resource.attribute.labels[system_time_dayofweek]
|
|
jsonPayload.system.time.hour
|
intermediary.resource.attribute.labels[system_time_hour]
|
|
jsonPayload.system.time.minute
|
intermediary.resource.attribute.labels[system_time_minute]
|
|
jsonPayload.system.time.second
|
intermediary.resource.attribute.labels[system_time_second]
|
|
jsonPayload.system.time.millisecond
|
intermediary.resource.attribute.labels[system_time_millisecond]
|
|
jsonPayload.system.time.zone
|
intermediary.resource.attribute.labels[system_time_zone]
|
|
jsonPayload.system.uuid
|
intermediary.resource.attribute.labels[system_uuid]
|
|
jsonPayload.target.copy.pathsuffix
|
target.resource.attribute.labels[target_copy_pathsuffix]
|
|
jsonPayload.target.copy.queryparams
|
target.resource.attribute.labels[target_copy_queryparams]
|
|
jsonPayload.target.country
|
target.location.country_or_region
|
|
jsonPayload.target.email.address
|
target.user.email_addresses
|
|
jsonPayload.developer.email
|
target.user.email_addresses
|
|
jsonPayload.target.expectedcn
|
target.resource.attribute.labels[target_expectedcn]
|
|
jsonPayload.target.locality
|
target.location.city
|
|
jsonPayload.target.name
|
target.resource.attribute.labels[target_name]
|
|
jsonPayload.target.received.end.time
|
target.resource.attribute.labels[target_received_end_time]
|
|
jsonPayload.target.received.start.time
|
target.resource.attribute.labels[target_received_start_time]
|
|
jsonPayload.target.received.start.timestamp
|
target.resource.attribute.labels[target_received_start_timestamp]
|
|
jsonPayload.target.sent.end.time
|
target.resource.attribute.labels[target_sent_end_time]
|
|
jsonPayload.target.sent.start.time
|
target.resource.attribute.labels[target_sent_start_time]
|
|
jsonPayload.target.ssl.enabled
|
target.resource.attribute.labels[target_ssl_enabled]
|
|
jsonPayload.target.state
|
target.resource.attribute.labels[target_state]
|
|
jsonPayload.variable.expectedcn
|
additional.fields[variable_expectedcn]
|
|
jsonPayload.request.host
|
target.resource.attribute.labels[json_payload_request_host]
|
|
jsonPayload.request_msg.header.host
|
target.resource.attribute.labels[json_payload_request_host]
|
|
jsonPayload.request.user-agent
|
network.http.user_agent
|
|
jsonPayload.request.header.user-agent
|
network.http.user_agent
|
|
jsonPayload.request.x-b3-traceid
|
target.resource.attribute.labels[json_payload_request_x_b3_traceid]
|
|
jsonPayload.request.header.x-b3-traceid
|
target.resource.attribute.labels[json_payload_request_x_b3_traceid]
|
|
jsonPayload.request.header.x-cloud-trace-context
|
target.resource.attribute.labels[json_payload_request_x_cloud_trace_context]
|
|
jsonPayload.request.x-cloud-trace-context
|
target.resource.attribute.labels[json_payload_request_x_cloud_trace_context]
|
|
jsonPayload.apiproduct.name
|
intermediary.resource.attribute.labels[jsonPayload_api_product_name]
|
|
jsonPayload.app.name
|
target.application
|
|
jsonPayload.developer.app.name
|
target.application
|
|
jsonPayload.cachehit
|
additional.fields[jsonPayload_cachehit]
|
Field mapping reference: GCP_APIGEE_X Log Collection with ServiceCallout Policy logs
The following table lists the log fields of the GCP_APIGEE_X
(Legacy) Log Collection with ServiceCallout Policy log type and their corresponding UDM fields.
| Log field | UDM mapping | Logic |
|---|---|---|
jsonPayload.proxyResponseCode
|
intermediary.network.http.response_code
|
|
jsonPayload.apiProxy
|
intermediary.resource.name
|
|
jsonPayload.apiproxy
|
intermediary.resource.name
|
|
|
intermediary.resource.resource_type
|
If the jsonPayload.apiproxy
log field value is not
empty or the jsonPayload.apiProxy
log field value is not
empty, then the intermediary.resource.resource_type
UDM field is set to BACKEND_SERVICE
. |
|
intermediary.resource.attribute.cloud.environment
|
If the jsonPayload.apiproxy
log field value is not
empty or the jsonPayload.apiProxy
log field value is not
empty, then the intermediary.resource.attribute.cloud.environment
UDM field is set to GOOGLE_CLOUD_PLATFORM
. |
jsonPayload.apiProduct
|
intermediary.resource.attribute.labels[json_payload_api_product]
|
|
jsonPayload.apiProxyRevision
|
intermediary.resource.attribute.labels[json_payload_api_proxy_revision]
|
|
jsonPayload.proxyRequestReceived
|
intermediary.resource.attribute.labels[json_payload_proxy_request_received]
|
|
jsonPayload.proxyResponseSent
|
intermediary.resource.attribute.labels[json_payload_proxy_response_sent]
|
|
receiveTimestamp
|
metadata.collected_timestamp
|
|
timestamp
|
metadata.event_timestamp
|
|
|
metadata.event_type
|
The metadata.event_type
UDM field is set to USER_RESOURCE_ACCESS
. |
insertId
|
metadata.product_log_id
|
|
jsonPayload.correlationId
|
metadata.product_event_type
|
|
|
metadata.product_name
|
The metadata.product_name
UDM field is set to GCP APIGEE X
. |
|
metadata.vendor_name
|
The metadata.vendor_name
UDM field is set to Google Cloud Platform
. |
jsonPayload.verb
|
network.http.method
|
|
labels.application
|
principal.application
|
|
jsonPayload.ax_resolved_client_ip
|
principal.ip
|
|
resource.labels.zone
|
principal.resource.attribute.cloud.availability_zone
|
|
|
principal.resource.resource_type
|
If the resource.type
log field value is equal to gce_instance
, then the principal.resource.resource_type
UDM field is set to VIRTUAL_MACHINE
. |
resource.type
|
principal.resource.resource_subtype
|
|
resource.labels.instance_id
|
principal.resource.product_object_id
|
|
resource.labels.project_id
|
principal.resource_ancestors.product_object_id
|
|
|
principal.resource_ancestors.resource_type
|
If the resource.labels.project_id
log field value is not
empty, then the principal.resource_ancestors.resource_type
UDM field is set to CLOUD_PROJECT
. |
jsonPayload.organization
|
principal.resource_ancestors.name
|
|
|
principal.resource_ancestors.resource_type
|
If the jsonPayload.organization
log field value is not
empty, then the principal.resource_ancestors.resource_type
UDM field is set to CLOUD_ORGANIZATION
. |
jsonPayload.clientReceived
|
principal.resource.attribute.labels[json_payload_client_received]
|
|
jsonPayload.clientSent
|
principal.resource.attribute.labels[json_payload_client_sent]
|
|
logName
|
principal.resource.attribute.labels[Log Name]
|
|
resource.labels.project_id
|
principal.resource.attribute.labels[Project Id]
|
|
jsonPayload.clientId
|
principal.user.userid
|
|
logName
|
security_result.category_details
|
|
jsonPayload.faultName
|
security_result.description
|
|
severity
|
security_result.severity
|
If the severity
log field value is equal to ERROR
, then the severity
log field is mapped to the security_result.severity
UDM field.Else, if the severity
log field value is equal to INFO
or NOTICE
, then the security_result.severity
UDM field is set to INFORMATIONAL
.Else, if the severity
log field value is equal to WARNING
or NOTICE
, then the security_result.severity
UDM field is set to MEDIUM
. |
severity
|
security_result.severity_details
|
|
jsonPayload.targetResponseCode
|
target.network.http.response_code
|
|
jsonPayload.requestUri
|
target.resource.name
|
|
|
target.resource.resource_type
|
If the jsonPayload.requestUri
log field value is not
empty, then the target.resource.resource_type
UDM field is set to BACKEND_SERVICE
. |
jsonPayload.requestUrl
|
target.url
|
|
jsonPayload.targetResponseReceived
|
target.resource.attribute.labels[json_payload_target_request_received]
|
|
jsonPayload.targetRequestSent
|
target.resource.attribute.labels[json_payload_target_request_sent]
|
|
jsonPayload.bot_reason
|
additional.fields[json_payload_bot_reason]
|
|
jsonPayload.count_distinct_bot
|
additional.fields[json_payload_count_distinct_bot]
|
|
jsonPayload.developerApp
|
additional.fields[json_payload_developer_app]
|
|
jsonPayload.developerId
|
additional.fields[json_payload_developer_id]
|
|
jsonPayload.minute
|
additional.fields[json_payload_minute]
|
|
jsonPayload.environment
|
additional.fields[json_payload_environment]
|
|
jsonPayload.sum_bot_traffic
|
additional.fields[json_payload_sum_bot_traffic]
|
|
partialSuccess
|
additional.fields[partial_success]
|
What's next
Need more help? Get answers from Community members and Google SecOps professionals.
