
How can we correlate logs to map VM access to Cloud Storage?

The following logs capture a VM initiating an upload request to Cloud Storage through a Private Service Connect (PSC) endpoint.

Is there a unique identifier shared by all three logs below that shows they belong to the same connection?

Firewall Logs

 

 

 

 

{
  "insertId": "8c1ia9f8gifgs",
  "jsonPayload": {
    "disposition": "ALLOWED",
    "rule_details": {
      "destination_range": [
        "10.0.2.0/32"
      ],
      "priority": 1000,
      "ip_port_info": [
        {
          "port_range": [
            "443"
          ],
          "ip_protocol": "TCP"
        }
      ],
      "direction": "EGRESS",
      "action": "ALLOW",
      "reference": "network:karthik-vm-cloudstorage-vpc/firewall:https-egress-allow"
    },
    "vpc": {
      "project_id": "dev-3-455613",
      "vpc_name": "karthik-vm-cloudstorage-vpc",
      "subnetwork_name": "subnet1"
    },
    "instance": {
      "vm_name": "karthik-vm-cloudstorage",
      "zone": "asia-south1-c",
      "region": "asia-south1",
      "project_id": "dev-3-455613"
    },
    "connection": {
      "dest_ip": "199.36.153.101",
      "src_ip": "10.0.0.3",
      "protocol": 6,
      "dest_port": 443,
      "src_port": 43008
    }
  },
  "resource": {
    "type": "gce_subnetwork",
    "labels": {
      "location": "asia-south1",
      "subnetwork_id": "7303207563399409007",
      "subnetwork_name": "subnet1",
      "project_id": "dev-3-455613"
    }
  },
  "timestamp": "2025-04-22T08:51:19.233187214Z",
  "logName": "projects/dev-3-455613/logs/compute.googleapis.com%2Ffirewall",
  "receiveTimestamp": "2025-04-22T08:51:29.476235817Z"
}

 

 

 

 

DNS Logs

 

 

 

 

{
  "insertId": "dc60ghf1t7ly5",
  "jsonPayload": {
    "queryName": "storage-vmcsendpoint.p.googleapis.com.",
    "serverLatency": 3,
    "sourceIP": "10.0.0.3",
    "vmZoneName": "asia-south1-c",
    "vmInstanceName": "283347191889.karthik-vm-cloudstorage",
    "vmProjectId": "dev-3-455613",
    "protocol": "UDP",
    "vmInstanceIdString": "8653066130415295471",
    "dns64Translated": false,
    "vmInstanceId": 8653066130415295000,
    "responseCode": "NOERROR",
    "rdata": "storage-vmcsendpoint.p.googleapis.com.\t60\tIN\ta\t10.0.2.0",
    "authAnswer": true,
    "sourceNetwork": "karthik-vm-cloudstorage-vpc",
    "queryType": "A"
  },
  "resource": {
    "type": "dns_query",
    "labels": {
      "location": "asia-south1",
      "target_type": "service-directory-zone",
      "target_name": "goog-psc-karthik-vm-cloudstor-8255967318381571456",
      "project_id": "dev-3-455613",
      "source_type": "gce-vm"
    }
  },
  "timestamp": "2025-04-22T08:51:19.231419346Z",
  "severity": "INFO",
  "logName": "projects/dev-3-455613/logs/dns.googleapis.com%2Fdns_queries",
  "receiveTimestamp": "2025-04-22T08:51:19.505324299Z"
}

 

 

 

 

Audit Logs

 

 

 

 

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {},
    "authenticationInfo": {
      "principalEmail": "(PII Removed from Image by Staff)",
      "serviceAccountDelegationInfo": [
        {
          "firstPartyPrincipal": {
            "principalEmail": "service-283347191889@compute-system.iam.gserviceaccount.com"
          }
        }
      ]
    },
    "requestMetadata": {
      "callerIp": "10.0.0.3",
      "callerSuppliedUserAgent": "curl/7.88.1,gzip(gfe)",
      "callerNetwork": "//compute.googleapis.com/projects/dev-3-455613/global/networks/__unknown__",
      "requestAttributes": {
        "time": "2025-04-22T08:51:19.344847273Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "storage.googleapis.com",
    "methodName": "storage.objects.create",
    "authorizationInfo": [
      {
        "resource": "projects/_/buckets/apr-8-test-bucket/objects/random.txt",
        "permission": "storage.objects.create",
        "granted": true,
        "resourceAttributes": {}
      },
      {
        "resource": "projects/_/buckets/apr-8-test-bucket/objects/random.txt",
        "permission": "storage.objects.delete",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/_/buckets/apr-8-test-bucket/objects/random.txt",
    "serviceData": {
      "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
      "policyDelta": {}
    },
    "resourceLocation": {
      "currentLocations": [
        "asia-south1"
      ]
    }
  },
  "insertId": "1maudg2ea0gyp",
  "resource": {
    "type": "gcs_bucket",
    "labels": {
      "bucket_name": "apr-8-test-bucket",
      "location": "asia-south1",
      "project_id": "dev-3-455613"
    }
  },
  "timestamp": "2025-04-22T08:51:19.337801281Z",
  "severity": "INFO",
  "logName": "projects/dev-3-455613/logs/cloudaudit.googleapis.com%2Fdata_access",
  "receiveTimestamp": "2025-04-22T08:51:19.489119524Z"
}

 

 

 

 

 


Hi @karthikkadewadi 

Welcome to Google Cloud Community

The correlation between these logs, despite the lack of a single shared identifier, is established through consistent evidence. The same source IP, 10.0.0.3, appears as the originator of the DNS query, of the subsequent network connection allowed by the firewall, and of the Cloud Storage API call (logged with this private IP as callerIp). The DNS answer (10.0.2.0) also matches the firewall rule's destination_range (10.0.2.0/32), and the VM name karthik-vm-cloudstorage appears in both the firewall and DNS entries. This use of the private IP confirms access via a private route such as PSC, and the near-identical timestamps further validate that these events are part of the same sequence. Note that the DNS entry's numeric vmInstanceId has lost precision (8653066130415295000 versus vmInstanceIdString 8653066130415295471), so if you filter or join on the instance ID, use the string field.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.