Architectural Integration of the Elastic Stack with Google Cloud Platform Audit and Telemetry Frameworks

The implementation of the Elastic Stack (ELK) within the Google Cloud Platform (GCP) ecosystem represents a sophisticated convergence of distributed search, analytics, and cloud-native observability. By leveraging the Elastic Agent and specific GCP integrations, organizations can transition from fragmented logging to a unified telemetry pipeline. This integration focuses heavily on the ingestion of audit logs, VPC flow logs, compute metrics, and DNS queries, transforming raw JSON payloads from GCP Pub/Sub into structured, actionable intelligence via the Elastic Common Schema (ECS). The technical objective is to provide full-spectrum visibility into cloud operations, ensuring that every API call, network packet, and resource state change is indexed and searchable in real-time.

GCP Audit Log Telemetry and Authorization Analysis

The Elastic Stack provides a granular decomposition of GCP audit logs, which are critical for security forensics and compliance monitoring. These logs are not merely text strings but structured data objects that define the "who, what, when, and where" of every administrative action.

The gcp.audit.authorization_info field serves as the primary mechanism for tracking access control decisions. Within this object, the gcp.audit.authorization_info.granted boolean indicates whether the requested permission was successfully granted or denied. This is a critical metric for detecting "permission probing" or unauthorized access attempts. The gcp.audit.authorization_info.permission field identifies the specific IAM (Identity and Access Management) permission required for the operation, while gcp.audit.authorization_info.resource provides the REST-style string of the accessed resource.

To ensure a complete audit trail, the system tracks resource attributes through the following specifications:

  • gcp.audit.authorization_info.resource_attributes.name: The specific name of the resource involved.
  • g.audit.authorization_info.resource_attributes.service: The identifier of the service being accessed.
  • gcp.audit.authorization_info.resource_attributes.type: The classification type of the resource.

The technical implementation of these fields allows security analysts to build complex queries to identify anomalies, such as a specific user attempting to access a resource they are not authorized for across multiple services.

For complex operations that span multiple log entries, the gcp.audit.logentry_operation object provides sequence tracking. The gcp.audit.logentry_operation.id acts as a unique identifier for the entire operation. The gcp.audit.logentry_operation.first and gcp.audit.logentry_operation.last boolean flags allow the Elastic Stack to reconstruct the chronological flow of a multi-step administrative process. The gcp.audit.logentry_operation.producer field identifies the entity that generated the log, ensuring provenance.

Network Observability via VPC Flow and DNS Logging

Network visibility in GCP is achieved through the ingestion of VPC Flow logs and DNS queries, which are routed via gcp-pubsub into the Elastic Stack.

VPC Flow logs enable the tracking of every connection attempt within the virtual network. According to the telemetry data, the gcp.vpcflow dataset captures the reporter (e.g., SRC for source) and the round-trip time (rtt) measured in milliseconds (e.g., 220 ms). This allows for the detection of network latency issues and the mapping of traffic patterns between project IDs and subnetworks.

The following table details the mapping of VPC and instance identifiers:

Field Description Data Type
gcp.source.instance.project_id ID of the project containing the source VM keyword
gcp.source.instance.region Region of the source VM keyword
gcp.source.instance.zone Zone of the source VM keyword
gcp.source.vpc.project_id ID of the project containing the VM keyword
gcp.source.vpc.subnetwork_name Subnetwork where the VM is operating keyword
gcp.source.vpc.vpc_name VPC where the VM is operating keyword

DNS logging provides a deeper layer of insight into service discovery and potential Command and Control (C2) traffic. The gcp.dns object captures essential query data:

  • gcp.dns.query_name: The domain being queried (e.g., asdf.gcp.example.com.).
  • gcp.dns.query_type: The type of record requested (e.g., A records).
  • gcp.dns.response_code: The status of the query (e.g., NOERROR).
  • gcp.dns.protocol: The transport protocol used (e.g., UDP).
  • gcp.dns.destination_ip: The IP address of the DNS server.
  • gcp.dns.auth_answer: A boolean indicating if the answer was authoritative.

This level of detail allows for the creation of dashboards that monitor for DNS tunneling or the use of unauthorized external DNS providers.

Compute Engine Performance and Firewall Metrics

The gcp.compute dataset is designed to monitor the health and security posture of Google Compute Engine (GCE) instances. This includes both resource utilization and the effectiveness of firewall rules.

Resource monitoring focuses on the gcp.compute.instance object. The system tracks CPU usage as a percentage (gcp.compute.instance.cpu.usage.pct) and the time spent in usage (gcp.compute.instance.cpu.usage_time.sec). Memory metrics are captured via the gcp.compute.instance.memory object, which includes:

  • gcp.compute.instance.memory.balloon.ram_size.value: Total RAM size.
  • gcp.compute.instance.memory.balloon.ram_used.value: Actual RAM utilized.
  • gcp.compute.instance.memory.balloon.swap_in.bytes: Amount of data swapped in.
  • gcp.compute.instance.memory.balloon.swap_out.bytes: Amount of data swapped out.

Firewall telemetry is critical for verifying the "Least Privilege" security model. The gcp.firewall.rule_details object provides the specific parameters of a rule, including:

  • gcp.firewall.rule_details.priority: The numerical priority of the rule (long).
  • gcp.firewall.rule_details.source_range: The IP ranges the rule applies to.
  • gcp.firewall.rule_details.source_tag: The network tags used for filtering.
  • gcp.firewall.rule_details.target_tag: The tags identifying the destination targets.
  • gcp.firewall.rule_details.ip_port_info: A nested list of protocols and port ranges.

When a packet is dropped by the firewall, the system records gcp.compute.firewall.dropped.bytes and gcp.compute.firewall.dropped_packets_count.value, enabling the identification of blocked traffic patterns.

Data Ingestion and the Elastic Common Schema (ECS)

The Elastic Stack utilizes the Elastic Common Schema (ECS) to normalize data from GCP, ensuring that fields from different sources (e.g., Pub/Sub, API polls) are consistent. For example, the @timestamp field is used universally to mark the event time, regardless of whether the data comes from gcp.vpcflow or gcp.compute.

The ingestion pipeline typically follows this path:
GCP Service -> Cloud Logging -> Pub/Sub Topic -> Elastic Agent -> Elasticsearch.

The input.type for these logs is typically defined as gcp-pubsub, allowing the agent to pull messages from a queue. The log.offset is tracked as a long integer to ensure no data loss during ingestion.

A typical event payload from the GCP integration contains the following structural elements:

  • agent: Details the Elastic Agent version (e.g., 8.18.0) and its unique ephemeral_id.
  • cloud: Identifies the provider as gcp and includes the specific cloud.account.id.
  • event: Categorizes the log, such as category: ["network"] and type: ["connection"].
  • destination: Provides geospatial data, including continent_name, country_iso_code, and precise location (latitude and longitude).

Advanced Audit and Service Analysis

The gcp.audit integration allows for the tracking of service-specific operations. The gcp.audit.service_name field identifies the API service, such as datastore.googleapis.com or compute.googleapis.com.

When a policy change occurs, the gcp.audit.service_data.policy_delta.binding_deltas.role field records the role assigned to members, such as roles/viewer, roles/editor, or roles/owner. This provides a historical audit of IAM changes.

The status of an operation is tracked via gcp.audit.status.code, which uses an integer mapping to google.rpc.Code. If an error occurs, the gcp.audit.status.message provides a developer-facing error string in English, while gcp.audit.status.details provides a flattened list of further error specifics.

For forensic analysis, the gcp.audit.source_log_ids object captures:

  • gcp.audit.source_log_ids.insert_id: A unique identifier for the log entry.
  • gcp.audit.source_log_ids.log_time: The date and time of the log.
  • gcp.audit.source_log_ids.query_uri: The specific URI used for the query.
  • gcp.audit.source_log_ids.resource_container: The container identifying the resource.

Integration with Specialized GCP Datasets

Beyond general compute and audit logs, the Elastic Stack integrates with specialized GCP services to provide holistic visibility.

The dataproc dataset is specifically designed to fetch metrics from Dataproc clusters, allowing for the monitoring of Spark and Hadoop job performance within the GCP environment. Similarly, the loadbalancing_logs dataset collects all request data handled by GCP Load Balancers, providing insights into traffic spikes, 5xx error rates, and latency.

For resource management, the resourcemanager.projects type is used to track project-level changes. This is often seen in google.cloud.audit.AuditLog entries where the resource_name might be projects/elastic-beats/global/instances.

Conclusion

The integration of the Elastic Stack with Google Cloud Platform transforms the way cloud infrastructure is monitored and secured. By moving beyond simple log aggregation and utilizing a deeply structured schema, administrators can correlate a DNS query (gcp.dns) with a specific VPC flow (gcp.vpcflow), a compute instance's resource spike (gcp.compute.instance.cpu), and the administrative action that triggered the change (gcp.audit).

The use of gcp-pubsub as the ingestion mechanism ensures that the system is scalable and resilient. The ability to track gcp.audit.logentry_operation.id allows for the reconstruction of complex attack chains or operational failures. Ultimately, the synergy between GCP's telemetry and the Elastic Stack's analytical capabilities provides an authoritative framework for maintaining the availability, integrity, and confidentiality of cloud-native workloads.

Sources

  1. Elastic GCP Integration Documentation

Related Posts