Collect Google Cloud SQL logs

This document describes how you can export Cloud SQL logs by enabling Google Cloud telemetry ingestion to Google Security Operations and how Cloud SQL logs fields map to Google Security Operations Unified Data Model (UDM) fields.

For more information, see Data ingestion to Google Security Operations overview .

A typical deployment consists of Cloud SQL logs enabled for ingestion to Google Security Operations. Each customer deployment might differ from this representation and might be more complex.

The deployment contains the following components:

Google Cloud: The Google Cloud services and products from which you collect logs
Cloud SQL logs: The Cloud SQL logs that are enabled for ingestion to Google Security Operations
Google Security Operations: Retains and analyzes Cloud SQL logs and Google Workspace audit logs

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with GCP_CLOUDSQL ingestion label.

Before you begin

Ensure that you have set up access control for your organization and resources using Identity and Access Management (IAM). For more information about access control, see Access control for organizations with IAM .
Ensure that all systems in the deployment architecture are configured in the UTC time zone.
Verify the methods that the Cloud SQL parser supports. The following table lists the resources and methods supported by the Cloud SQL parser:

flags
list

Configure ingestion of Cloud SQL logs

To ingest Cloud SQL logs to Google Security Operations, follow the steps on the Ingest Google Cloud logs to Google Security Operations page.

If you encounter issues when you ingest Cloud SQL logs, contact Google Security Operations support .

Supported Cloud SQL log formats

The Cloud SQL parser supports logs in JSON format.

Supported Cloud SQL sample logs

JSON

 {
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {},
    "authenticationInfo": {
      "principalEmail": "test.user@example.com"
    },
    "requestMetadata": {
      "callerIp": "198.51.100.0",
      "requestAttributes": {
        "time": "2023-05-18T06:16:08.481272Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "cloudsql.googleapis.com",
    "methodName": "cloudsql.backupRuns.list",
    "authorizationInfo": [
      {
        "resource": "projects/test-project/instances/test-instance",
        "permission": "cloudsql.backupRuns.list",
        "granted": true,
        "resourceAttributes": {
          "service": "sqladmin.googleapis.com",
          "name": "projects/test-project/instances/test-instance",
          "type": "sqladmin.googleapis.com/Instance"
        }
      }
    ],
    "resourceName": "projects/test-project/instances/test-instance",
    "request": {
      "instance": "test-instance",
      "maxResults": 1000,
      "project": "dummy-project",
      "@type": "type.googleapis.com/google.cloud.sql.v1beta4.SqlBackupRunsListRequest"
    }
  },
  "insertId": "9fsk13e6h22g",
  "resource": {
    "type": "cloudsql_database",
    "labels": {
      "database_id": "test-project:test-instance",
      "region": "us-central1",
      "project_id": "dummy-project"
    }
  },
  "timestamp": "2023-05-18T06:16:08.383405Z",
  "severity": "INFO",
  "logName": "projects/test-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2023-05-18T06:16:08.563749821Z"
}

Field mapping reference

This section explains how the Google Security Operations parser maps Cloud SQL logs fields to Google Security Operations Unified Data Model (UDM) fields.

The following labels fields for UDM nouns are deprecated: about.labels , intermediary.labels , observer.labels , principal.labels , src.labels , security_result.about.labels , and target.labels . For existing parsers, in addition to these UDM fields, the logs fields are also mapped to key/value additional.fields UDM fields. For new parsers, the key/value settings in additional.fields UDM fields are used instead of the deprecated labels UDM fields. We recommend that you update the existing rules to use the key/value settings in the additional.fields UDM fields instead of the deprecated labels UDM fields.

Log field

UDM mapping

Logic

protoPayload.request.spec.containers.0.args

about.file.capabilities_tags

protoPayload.metadata.backupCompletionTime

about.labels[backup_completion_time] (deprecated)

protoPayload.metadata.backupCompletionTime

additional.fields[backup_completion_time]

protoPayload.metadata.backupStartTime

about.labels[backup_start_time] (deprecated)

protoPayload.metadata.backupStartTime

additional.fields[backup_start_time]

protoPayload.request.objects.db

target.resource.attribute.labels.0.[database_name]

protoPayload.request.objects.object_type

target.resource.attribute.labels.0.[objects_type]

jsonPayload.executionState

target.resource.attribute.labels[execution_state]

protoPayload.request.body.failoverContext.kind

about.labels[fail_over_context_kind] (deprecated)

protoPayload.request.body.failoverContext.kind

additional.fields[fail_over_context_kind]

protoPayload.request.body.failoverContext.settingsVersion

about.labels[fail_over_context_settings_version] (deprecated)

protoPayload.request.body.failoverContext.settingsVersion

additional.fields[fail_over_context_settings_version]

protoPayload.request.filter

about.labels[filter] (deprecated)

protoPayload.request.filter

additional.fields[filter]

labels.instance_id

about.labels[instance_id] (deprecated)

labels.instance_id

additional.fields[instance_id]

labels.INSTANCE_UID

about.labels[instance_uid] (deprecated)

labels.INSTANCE_UID

additional.fields[instance_uid]

labels.PROJECT_NUMBER

additional.fields[project_number]

labels.SOURCE_ID

additional.fields[source_id]

protoPayload.metadata.intents.intent

about.labels[intent]

resource.labels.job_id

target.resource.product_object_id

jsonPayload.jobName

target.resource.name

jsonPayload.@type

about.labels[jsonPayload_at_type] (deprecated)

jsonPayload.@type

additional.fields[jsonPayload_at_type]

labels.LOG_BUCKET_NUM

about.labels[log_bucket_num] (deprecated)

labels.LOG_BUCKET_NUM

additional.fields[log_bucket_num]

protoPayload.metadata.@type

about.labels[metadata_at_type] (deprecated)

protoPayload.metadata.@type

additional.fields[metadata_at_type]

resource.labels.method

about.labels[method] (deprecated)

resource.labels.method

additional.fields[method]

protoPayload.request.objects.name

target.resource.attribute.labels.0.[objects_name]

operation.first

about.labels[operation_first] (deprecated)

operation.first

additional.fields[operation_first]

operation.id

about.labels[operation_id] (deprecated)

operation.id

additional.fields[operation_id]

operation.last

about.labels[operation_last] (deprecated)

operation.last

additional.fields[operation_last]

operation.producer

about.labels[operation_producer] (deprecated)

operation.producer

additional.fields[operation_producer]

protoPayload.@type

about.labels[protopayload_at_type] (deprecated)

protoPayload.@type

additional.fields[protopayload_at_type]

protoPayload.metadata.intents.diffs.newValue

about.labels[protoPayload.metadata.intents.diffs.property]

protoPayload.response.kind

about.labels[res_kind] (deprecated)

protoPayload.response.kind

additional.fields[res_kind]

protoPayload.response.operationType

about.labels[res_operation_type] (deprecated)

protoPayload.response.operationType

additional.fields[res_operation_type]

protoPayload.response.@type

about.labels[response_type] (deprecated)

protoPayload.response.@type

additional.fields[response_type]

jsonPayload.resultState

target.resource.attribute.labels[result_state]

jsonPayload.scheduledTime

target.resource.attribute.labels[scheduled_time]

jsonPayload.status

target.resource.attribute.labels[status]

jsonPayload.targetType

target.resource.attribute.labels[target_type]

jsonPayload.trace_id

about.labels[trace_id] (deprecated)

jsonPayload.trace_id

additional.fields[trace_id]

trace

about.labels[trace] (deprecated)

trace

additional.fields[trace]

jsonPayload.urlsCrawledCount

target.resource.attribute.labels[urls_crwaled_count]

protoPayload.metadata.windowEndTime

about.labels[window_end_time] (deprecated)

protoPayload.metadata.windowEndTime

additional.fields[window_end_time]

protoPayload.metadata.windowStartTime

about.labels[window_start_time] (deprecated)

protoPayload.metadata.windowStartTime

additional.fields[window_start_time]

protoPayload.metadata.windowStatus

about.labels[window_status] (deprecated)

protoPayload.metadata.windowStatus

additional.fields[window_status]

protoPayload.response.selfLink

about.url

receiveTimestamp

metadata.collected_timestamp

protoPayload.response.operationType

metadata.description

protoPayload.response.kind

metadata.description

protoPayload.metadata.message

metadata.description

Extracted log_message from textPayload log field using the Grok pattern, and the log_message extracted field is mapped to the metadata.descriptiom UDM field.

timestamp

metadata.event_timestamp

jsonPayload.event_timestamp_us

metadata.event_timestamp

protoPayload.metadata.projectMetadataDelta.addedMetadataKeys

metadata.ingestion_labels[project_metadata_keys_added]

protoPayload.metadata.projectMetadataDelta.deletedMetadataKeys

metadata.ingestion_labels[project_metadata_keys_deleted]

protoPayload.metadata.instanceMetadataDelta.addedMetadataKeys

metadata.ingestion_labels[instance_metadata_key_added]

protoPayload.metadata.instanceMetadataDelta.deletedMetadataKeys

metadata.ingestion_labels[instance_metadata_key_deleted]

protoPayload.metadata.instanceMetadataDelta.modifiedMetadataKeys

metadata.ingestion_labels[instance_metadata_key_modified]

protoPayload.metadata.projectMetadataDelta.modifiedMetadataKeys

metadata.ingestion_labels[project_metadata_keys_modified]

protoPayload.methodName

metadata.product_event_type

jsonPayload.event_subtype

metadata.product_event_type

jsonPayload._AUDIT_TYPE_NAME

metadata.product_event_type

insertId

metadata.product_log_id

metadata.product_name

If the protoPayload.serviceName log field value matches the regular expression (compute.googleapis.com) , then the metadata.product_name UDM field is set to Google Compute Engine .

Else, if the protoPayload.serviceName log field value matches the regular expression (bigquery.googleapis.com) , then the metadata.product_name UDM field is set to BigQuery .

Else, if the protoPayload.serviceName log field value matches the regular expression (admin.googleapis.com or login.googleapis.com or cloudidentity.googleapis.com) , then the metadata.product_name UDM field is set to G Suite .

Else, if the protoPayload.serviceName log field value matches the regular expression (k8s.io) , then the metadata.product_name UDM field is set to Google Kubernetes Engine .

Else, if the protoPayload.serviceName log field value matches the regular expression (servicemanagement.googleapis.com) , then the metadata.product_name UDM field is set to Google Service Management .

Else, if the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com) , then the metadata.product_name UDM field is set to Google Cloud Storage .

Else, if the protoPayload.serviceName log field value matches the regular expression (cloudsql.googleapis.com) , then the metadata.product_name UDM field is set to Google Cloud SQL .

Else, if the protoPayload.serviceName log field value matches the regular expression (dataproc.googleapis.com) , then the metadata.product_name UDM field is set to Google Dataproc .

Else, if the protoPayload.serviceName log field value matches the regular expression (iam.googleapis.com) , then the metadata.product_name UDM field is set to Google Cloud IAM .

Else, if the protoPayload.serviceName log field value matches the regular expression (accesscontextmanager.googleapis.com) , then the metadata.product_name UDM field is set to Context Manager API .

Else, if the protoPayload.serviceName log field value matches the regular expression (storage.googleapis.com) , then if the message log field value matches the regular expression dns.googleapis.com then the metadata.product_name UDM field is set to Google Cloud DNS .

Else the metadata.product_name UDM field is set to Google Cloud Platform .

If the resource.type log field value matches the regular expression gce_instance , then the metadata.product_name UDM field is set to GCP Compute Engine .

metadata.vendor_name

The metadata.vendor_name UDM field is set to Google Cloud Platform .

protoPayload.metadata.request_id

network.community_id

protoPayload.request.direction

network.direction

If the protoPayload.request.direction log field value is equal to INGRESS , then the network.direction UDM field is set to INBOUND .

Else, if the protoPayload.request.direction log field value is equal to EGRESS , then the network.direction UDM field is set to OUTBOUND .

protoPayload.resourceOriginalState.direction

network.direction

If the protoPayload.resourceOriginalState.direction log field value is equal to INGRESS , then the network.direction UDM field is set to INBOUND .

Else, if the protoPayload.resourceOriginalState.direction log field value is equal to EGRESS , then the network.direction UDM field is set to OUTBOUND .

httpRequest.requestMethod

network.http.method

httpRequest.requestUrl

network.http.referral_url

protoPayload.resourceOriginalState.network

network.http.referral_url

httpRequest.status

network.http.response_code

protoPayload.response.code

network.http.response_code

protoPayload.status.code

network.http.response_code

If the protoPayload.status.code log field value is equal to 0 , then the network.http.response_code UDM field is set to 200 .

Else, if the protoPayload.status.code log field value is equal to 1 , then the network.http.response_code UDM field is set to 499 .

Else, if the protoPayload.status.code log field value contains one of the following values, then the network.http.response_code UDM field is set to 500 .

Else, if the protoPayload.status.code log field value contains one of the following values, then the network.http.response_code UDM field is set to 400 .

Else, if the protoPayload.status.code log field value is equal to 4 , then the network.http.response_code UDM field is set to 504 .

Else, if the protoPayload.status.code log field value is equal to 5 , then the network.http.response_code UDM field is set to 404 .

Else, if the protoPayload.status.code log field value contains one of the following values, then the network.http.response_code UDM field is set to 409 .

Else, if the protoPayload.status.code log field value is equal to 7 , then the network.http.response_code UDM field is set to 403 .

Else, if the protoPayload.status.code log field value is equal to 8 , then the network.http.response_code UDM field is set to 429 .

Else, if the protoPayload.status.code log field value is equal to 12 , then the network.http.response_code UDM field is set to 501 .

Else, if the protoPayload.status.code log field value is equal to 14 , then the network.http.response_code UDM field is set to 503 .

Else, if the protoPayload.status.code log field value is equal to 16 , then the network.http.response_code UDM field is set to 401 .

httpRequest.userAgent

network.http.user_agent

protoPayload.requestMetadata.callerSuppliedUserAgent

network.http.user_agent

jsonPayload.connection.protocol

network.ip_protocol

jsonPayload.current.ports.0.protocol

network.ip_protocol

httpRequest.responseSize

network.received_bytes

httpRequest.requestSize

network.sent_bytes

network.session_duration

The log_message field is extracted from textPayload log field using Grok pattern,

If the log_message field value matches the regular expression pattern disconnection , then the session_time field is extracted from log_message log field using Grok pattern, and the session_time field is mapped to the network.session_duration UDM field.

protoPayload.response.clientCert.certInfo.expirationTime

network.tls.client.certificate.not_after

protoPayload.response.clientCert.certInfo.createTime

network.tls.client.certificate.not_before

protoPayload.response.clientCert.certInfo.certSerialNumber

network.tls.client.certificate.serial

protoPayload.request.sha1Fingerprint

network.tls.client.certificate.sha1

protoPayload.response.clientCert.certInfo.sha1Fingerprint

network.tls.client.certificate.sha1

protoPayload.response.clientCert.certInfo.commonName

network.tls.client.certificate.subject

protoPayload.response.serverCaCert.expirationTime

network.tls.server.certificate.not_after

protoPayload.response.serverCaCert.createTime

network.tls.server.certificate.not_before

protoPayload.response.serverCaCert.certSerialNumber

network.tls.server.certificate.serial

protoPayload.response.serverCaCert.sha1Fingerprint

network.tls.server.certificate.sha1

protoPayload.response.serverCaCert.commonName

network.tls.server.certificate.subject

jsonPayload.queryName

principal.domain.name

jsonPayload._HOSTNAME

principal.hostname

principal.ip

If the logName log field value matches the regular expression pattern mysql-general , then the src_ip field is extracted from textPayload log field using Grok pattern, and the src_ip field is mapped to the principal.ip UDM field.

protoPayload.requestMetadata.callerIp

principal.ip

httpRequest.serverIp

principal.ip

jsonPayload.current.clusterIPs

principal.ip

protoPayload.requestMetadata.requestAttributes.reason

principal.labels[request_attributes_reason] (deprecated)

protoPayload.requestMetadata.requestAttributes.reason

additional.fields[request_attributes_reason]

protoPayload.redactions.field

protoPayload.redactions.reason

protoPayload.redactions.type

principal.labels[protoPayload.redactions.field]

The value of the UDM field principal.labels.value is determined by combining the values of the log fields protoPayload.redactions.reason and protoPayload.redactions.type , which are separated by a : delimiter.

protoPayload.request.policy.bindings.members

principal.labels[req_bindings_members]

protoPayload.request.requestId

principal.labels[request_id] (deprecated)

protoPayload.request.requestId

additional.fields[request_id]

protoPayload.requestMetadata.requestAttributes.time

principal.labels[request_attributes_time] (deprecated)

protoPayload.requestMetadata.requestAttributes.time

additional.fields[request_attributes_time]

jsonPayload.sourceNetwork

principal.labels[source_network] (deprecated)

jsonPayload.sourceNetwork

additional.fields[source_network]

protoPayload.request.metadata.namespace

additional.fields[request_metadata_namespace]

jsonPayload.connection.nat_port

principal.nat_port

jsonPayload.connection.src_port

principal.port

jsonPayload.current.ports.0.port

principal.port

principal.process.command_line

If the logName log field value matches the regular expression pattern mysql-general , then the command field is extracted from textPayload log field using Grok pattern, and the command field is mapped to the principal.process.command_line UDM field.

principal.process.pid

The process_id field is extracted from textPayload log field using Grok pattern, and the process_id field is mapped to the principal.process.pid UDM field.

protoPayload.request.properties.disks.0.type

principal.resource.attribute.labels[disks_type]

protoPayload.request.properties.disks.0.initializeParams.diskSizeGb

principal.resource.attribute.labels[disk_size_gb]

protoPayload.request.properties.disks.0.initializeParams.diskType

principal.resource.attribute.labels[disk_type]

protoPayload.request.properties.disks.0.initializeParams.guestOsFeatures.0.type

principal.resource.attribute.labels[guest_os_features_type]

protoPayload.request.properties.disks.0.initializeParams.labels.0.key

principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]

protoPayload.request.properties.disks.0.initializeParams.labels.0.value

principal.resource.attribute.labels[protoPayload.request.properties.disks.0.initializeParams.labels.0.key]

protoPayload.request.properties.disks.0.initializeParams.sourceImage

principal.resource.attribute.labels[source_image]

protoPayload.resourceName

principal.resource.name

If the protoPayload.methodName log field value is equal to cloudsql.instances.clone , then the protoPayload.resourceName log field is mapped to the principal.resource.name UDM field.

protoPayload.resourceOriginalState.name

principal.resource.name

protoPayload.authorizationInfo.authorizationLoggingOptions.permissionType

principal.user.attribute.permissions.type

protoPayload.metadata.membershipDelta.roleDeltas.action