Chronicle Exporter: add support for ingestion labels
DougManton opened this issue · 1 comment
The Chronicle Exporter makes it really easy to push logs onto my Chronicle tenants, but traceability of those logs is limited -- without any ingestion labels, Chronicle has limited metadata and cannot show which agent forwarded which logs. The upcoming data RBAC leverages labelling to define and apply access control policies.
This gap would be solved by supporting ingestion labels configured per exporter configuration or, even better, if a subset of resource attributes could be automatically included as ingestion labels.
For my team, the most important label is ingestion_source, a label used by GCP Cloud Monitoring to enable alert policies and dashboards at a log source level.
Here's a sample submission to Chronicle Ingestion API v2 that includes three ingestion labels:
{
  "customer_id": "2eceace9-c5ef-405c-9e73-d76c73175450",
  "log_type": "WINEVTLOG",
  "labels": [
    {
      "key": "ingestion_source",
      "value": "server.example.com"
    },
    {
      "key": "environment",
      "value": "development"
    },
    {
      "key": "site",
      "value": "london"
    }
  ],
  "entries": [
    {
      "log_text": "<Windows Log 1>"
    },
    {
      "log_text": "<Windows Log 2>"
    },
    {
      "log_text": "<Windows Log 3>"
    }
  ]
}
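The mapping the issue asks for (promoting an allowlisted subset of resource attributes to ingestion labels, alongside labels fixed in the exporter configuration) as an added stand-alone example; this is not the Chronicle exporter's own code, and the attribute names, option names and customer_id placeholder are assumptions:

```python
import json

# Which resource attributes are promoted to which Chronicle label keys.
# Constructed example; the exporter's real configuration keys are not assumed.
DEFAULT_LABEL_ATTRIBUTES = {
    "host.name": "ingestion_source",
    "deployment.environment": "environment",
    "site": "site",
}

def labels_from_attributes(resource_attrs, mapping=DEFAULT_LABEL_ATTRIBUTES, static_labels=None):
    """Build the Chronicle v2 'labels' array from a resource attribute map.

    Only attributes named in ``mapping`` are promoted, so unrelated attributes
    (pids, paths, ...) never become labels on the tenant. Labels fixed in the
    exporter configuration win over attribute-derived ones: because labels feed
    data RBAC, an agent's attributes should not be able to override them.
    """
    labels = {}
    for attr_key, label_key in mapping.items():
        value = resource_attrs.get(attr_key)
        if value not in (None, ""):
            labels[label_key] = str(value)
    for key, value in (static_labels or {}).items():
        labels[key] = str(value)
    # Chronicle expects a list of {"key": ..., "value": ...} objects.
    return [{"key": k, "value": v} for k, v in sorted(labels.items())]

def build_unstructured_payload(customer_id, log_type, log_texts, resource_attrs, static_labels=None):
    """Assemble the request body in the shape of the sample submission above."""
    return {
        "customer_id": customer_id,
        "log_type": log_type,
        "labels": labels_from_attributes(resource_attrs, static_labels=static_labels),
        "entries": [{"log_text": text} for text in log_texts],
    }

# Constructed sample attributes, as a collector might attach them to a log batch.
SAMPLE_ATTRS = {"host.name": "server.example.com", "deployment.environment": "development",
                "site": "london", "process.pid": 4242}

if __name__ == "__main__":
    body = build_unstructured_payload("<CUSTOMER_ID_PLACEHOLDER>", "WINEVTLOG",
                                      ["<Windows Log 1>", "<Windows Log 2>"], SAMPLE_ATTRS)
    print(json.dumps(body, indent=2))  # valid JSON: no trailing comma in "entries"
```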
Completed by #1586