Pomerium¶
About¶
Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN.
Product Details¶
Vendor URL: Pomerium docs
Product Type: Identity-aware proxy
Product Tier: Tier II
Integration Method: Cloud Storage
Integration URL: GCP GCS bucket
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: POMERIUM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| jsonPayload.check-request-id | additional.fields |
| jsonPayload.deny | additional.fields |
| jsonPayload.allow | additional.fields |
| Pomerium | metadata.vendor_name |
| Pomerium | metadata.product_name |
| jsonPayload.message | metadata.description |
| jsonPayload.method | network.http.method |
| jsonPayload.request-id | network.session_id |
| jsonPayload.allow-why-false | security_result.category_details |
| jsonPayload.deny-why-false | security_result.category_details |
| resource.labels.namespace_nam | target.namespace |
| jsonPayload.email | target.user.email_addresses |
| jsonPayload.user | target.user.userid |
| jsonPayload.path | target.file.full_path |
| jsonPayload.host | target.hostname |
| jsonPayload.service | target.application |
| jsonPayload.ip | target.ip |
| severity | security_result.severity |
| resource.type | target.resource.resource_type |
| resource.type | target.resource.resource_subtype |
| resource.labels.project_id | target.resource.product_object_id |
| resource.labels.container_name | target.resource.name |
| resource.labels.cluster_name | target.resource.attribute |
| resource.labels.pod_name | target.resource.attribute |
| labels.compute.googleapis.com/resource_name | target.resource.attribute |
| labels.k8s-pod/app_kubernetes_io/name | target.resource.attribute |
| labels.k8s-pod/pod-template-hash | target.resource.attribute |
| resource.labels.location | target.resource.attribute |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
Log Sample¶
{
"insertId": "aaaaabbbbbcccccc",
"jsonPayload": {
"allow": true,
"allow-why-true": [
"accept"
],
"check-request-id": "9b3caaaa-addd-aaaa-9c9d-6db955c01111",
"deny": false,
"deny-why-false": [
"valid-client-certificate-or-none-required"
],
"email": "",
"host": "hostname.com",
"ip": "10.10.0.1",
"level": "info",
"message": "authorize check",
"method": "POST",
"path": "/api/v1/chat",
"query": "",
"request-id": "9b3caaaa-addd-aaaa-9c9d-6db955c01111",
"service": "authorize",
"user": ""
},
"labels": {
"compute.googleapis.com/resource_name": "gke-prod-cluster-prod-cluster",
"k8s-pod/app_kubernetes_io/name": "pomerium",
"k8s-pod/linkerd_io/control-plane-ns": "linkerd",
"k8s-pod/linkerd_io/proxy-deployment": "pomerium",
"k8s-pod/linkerd_io/workload-ns": "pomerium",
"k8s-pod/pod-template-hash": "fd86f9aaa"
},
"logName": "projects/prod-cluster/logs/stdout",
"receiveTimestamp": "2023-11-08T13:58:52.90692332Z",
"resource": {
"labels": {
"cluster_name": "prod-cluster",
"container_name": "pomerium",
"location": "us-central1",
"namespace_name": "pomerium",
"pod_name": "pomerium-pod",
"project_id": "prod-cluster-aaaabbbb"
},
"type": "k8s_container"
},
"severity": "INFO",
"timestamp": "2023-11-08T13:58:51Z"
}
Sample Parsing¶
additional.fields["allow"] = true
additional.fields["check-request-id"] = "9b3caaaa-addd-aaaa-9c9d-6db955c01111"
additional.fields["deny"] = false
metadata.base_labels.allow_scoped_access = true
metadata.base_labels.log_types = "POMERIUM"
metadata.base_labels.namespaces = "pomerium"
metadata.description = "authorize check"
metadata.event_timestamp.seconds = 1699452502
metadata.event_timestamp.nanos = 749021000
metadata.event_type = "GENERIC_EVENT"
metadata.product_name = "Pomerium"
metadata.vendor_name = "Pomerium"
network.http.method = "POST"
network.session_id = "9b3caaaa-addd-aaaa-9c9d-6db955c01111"
security_result.category_details = "valid-client-certificate-or-none-required"
security_result.severity = "INFORMATIONAL"
target.application = "authorize"
target.file.full_path = "/api/v1/chat"
target.hostname = "hostname.com"
target.ip = "10.10.0.1"
target.namespace = "pomerium"
target.resource.attribute.labels.key = "cluster_name"
target.resource.attribute.labels.value = "prod-cluster"
target.resource.attribute.labels.key = "pod_name"
target.resource.attribute.labels.value = "pomerium-pod"
target.resource.attribute.labels.key = "compute.googleapis.com/resource_name"
target.resource.attribute.labels.value = "gke-prod-cluster-prod-cluster"
target.resource.attribute.labels.key = "k8s-pod/app_kubernetes_io/name"
target.resource.attribute.labels.value = "pomerium"
target.resource.attribute.labels.key = "k8s-pod/pod-template-hash"
target.resource.attribute.labels.value = "fd86f9aaa"
target.resource.attribute.labels.key = "location"
target.resource.attribute.labels.value = "us-central1"
target.resource.name = "pomerium"
target.resource.product_object_id = "prod-cluster-aaaabbbb"
target.resource.resource_subtype = "k8s_container"
target.resource.resource_type = "CONTAINER"
Rules¶
Coming Soon