VPC Flow Logs¶
Chronicle supports the ingestion of GCP VPC Flow logs via a GCS Bucket.
Chronicle Data Types¶
- GCP_VPC_FLOW
Configuration¶
- Create a new GCS bucket for the GCP VPC Flow logs to be stored in. A pre-existing GCS bucket may be used. GCP Guide.
- Follow this GCP Guide on how to enable VPC Flow Logging.
- Once the VPC Flow Logs have been enabled follow this GCP Guide to export them into a GCS bucket. Add the following line to the inclusion filter on the sink:
resource.type="gce_subnetwork"
. - Once VPC Flow Logging is enabled and confirmed to be flowing into the GCS bucket, follow the GCP GCS Bucket guide to configure the GCS bucket so Cyderes can access the logs.