Collect Cloud NAT logs

This document describes how you can collect Cloud NAT logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how log fields of Cloud NAT logs map into Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations .

A typical deployment consists of Cloud NAT logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

The deployment contains the following components:

• Google Cloud: The Google Cloud services and products from which you collect logs.

• Cloud NAT logs: The Cloud NAT logs that are enabled for ingestion into Google Security Operations.

• Google Security Operations: Google Security Operations retains and analyzes the logs from Cloud NAT.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information into this document applies to the parser with the GCP_CLOUD_NAT ingestion label.

Before you begin

• Ensure that all systems in the deployment architecture are configured in the UTC time zone.

Configure Google Cloud to ingest Cloud NAT logs

For more information on how to ingest logs to Google Security Operations, see Ingest Google Cloud logs to Google Security Operations .

If you encounter issues when you ingest Cloud NAT logs, contact Google Security Operations support .

Supported Cloud NAT log formats

The Cloud NAT parser supports logs in JSON format.

Supported Cloud NAT sample logs

• JSON:

   {
    "insertId": "1q5ys57f36f47d",
    "jsonPayload": {
      "endpoint": {
        "region": "us-central1",
        "project_id": "chronical-0001",
        "vm_name": "vm-1",
        "zone": "us-central1-a"
      },
      "connection": {
        "src_port": 100,
        "nat_port": 101,
        "dest_port": 102,
        "dest_ip": "198.51.100.15",
        "src_ip": "198.51.100.10",
        "protocol": 6,
        "nat_ip": "198.51.100.30"
      },
      "destination": {
        "geo_location": {
          "continent": "America",
          "asn": 54113,
          "country": "usa"
        }
      },
      "allocation_status": "OK",
      "gateway_identifiers": {
        "router_name": "test-rw",
        "gateway_name": "test-nat-vm",
        "region": "us-central1"
      },
      "vpc": {
        "subnetwork_name": "my-subnet-nat",
        "vpc_name": "test-vpc-nat",
        "project_id": "chronical-0001"
      }
    },
    "resource": {
      "type": "nat_gateway",
      "labels": {
        "region": "us-central1",
        "router_id": "8792319260929386950",
        "project_id": "chronical-0001",
        "gateway_name": "test-nat-vm"
      }
    },
    "timestamp": "2023-10-13T05:40:32.217836735Z",
    "labels": {
      "nat.googleapis.com/network_name": "test-vpc-nat",
      "nat.googleapis.com/router_name": "test-rw",
      "nat.googleapis.com/nat_ip": "198.51.100.0",
      "nat.googleapis.com/instance_name": "vm-1",
      "nat.googleapis.com/instance_zone": "us-central1-a",
      "nat.googleapis.com/subnetwork_name": "my-subnet-nat"
    },
    "logName": "projects/chronical-0001/logs/compute.googleapis.com%2Fnat_flows",
    "receiveTimestamp": "2023-10-13T05:40:44.062385884Z"
  } 
  

Field mapping reference

This section explains how the Google Security Operations parser maps Cloud NAT fields to Google Security Operations Unified Data Model (UDM) fields.

What's next

• Data ingestion to Google Security Operations

Need more help? Get answers from Community members and Google SecOps professionals.