我想用 Elastic SIEM 分析 GCP 日志。这些日志通过 Logstash 插入到 Elasticsearch 的索引中。用 Elastic SIEM 分析它们时没有得到任何命中，这是由于它们的结构吗？你能告诉我应该使用什么样的过滤器才能让一切正常吗？下面是一个日志示例：
{
"protoPayload": {
"authorizationInfo": [
{
"granted": true,
"permission": "logging.sinks.list",
"resource": "projects/myfirstproject-xxxx",
"resourceAttributes": {
"name": "projects/myfirstproject-xxxx",
"service": "logging.googleapis.com"
}
}
],
"request": {
"parent": "projects/myfirstproject-xxxx",
"@type": "type.googleapis.com/google.logging.v2.ListSinksRequest",
"pageSize": 100
},
"resourceName": "projects/myfirstproject-xxxx",
"methodName": "google.logging.v2.ConfigServiceV2.ListSinks",
"serviceName": "logging.googleapis.com",
"requestMetadata": {
"requestAttributes": {
"time": "2021-01-13T18:27:03.019679173Z"
},
"callerIp": "37.182.191.89",
"callerSuppliedUserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36,gzip(gfe),gzip(gfe)"
},
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "xxx"
}
},
"logName": "projects/myfirstproject-xxxx/logs/cloudaudit.googleapis.com%2Fdata_access",
"resource": {
"type": "logging_sink",
"labels": {
"name": "",
"project_id": "myfirstproject-xxxx",
"destination": ""
}
},
"receiveTimestamp": "2021-01-13T18:27:03.947934153Z",
"timestamp": "2021-01-13T18:27:03.012844051Z",
"@version": "1",
"severity": "INFO",
"@timestamp": "2021-01-13T19:58:51.272Z",
"messageId": "1915086580392352",
"insertId": "bxr3dbc7x4",
"_index": "logstash-2021.01.13",
"_type": "_doc",
"_id": "HWNU_XYBn2IF1Ov-WnDH",
"_score": 1,
"fields": {
"@version": [
"1"
],
"insertId": {
"keyword": [
"bxr3dbc7x4"
]
},
"@timestamp": [
"2021-01-13T19:58:51.272Z"
]
}
}