I've been trying to fix a dynamic mapping for GCP (Google Cloud) audit logs, and I can't figure out how to fix the mapping schema. The problem is related to "Object in arrays are not well supported" for a specific field, "authorizationInfo", in the logs.
The field is an array of objects:
"authorizationInfo" : [
{
"resourceAttributes" : {
"service" : "resourcemanager",
"type" : "resourcemanager.projects",
"name" : "some_random_name"
},
"permission" : "compute.instances.list",
"granted" : true
}
],
Sample log:
{
"severity" : "INFO",
"host" : null,
"logName" : "/logs/cloudaudit.googleapis.com%2Fdata_access",
"insertId" : "XXXXXXXXX",
"messageId" : "XXXXXXXXX",
"protoPayload" : {
"serviceName" : "compute.googleapis.com",
"@type" : "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo" : {
"principalEmail" : "XXXX@email.com"
},
"authorizationInfo" : [
{
"resourceAttributes" : {
"service" : "resourcemanager",
"type" : "resourcemanager.projects",
"name" : "some_random_name"
},
"permission" : "compute.instances.list",
"granted" : true
}
],
"methodName" : "compute.instances.list",
"resourceLocation" : {
"currentLocations" : [
"east-us"
]
},
"resourceName" : "/zones/instances",
"request" : {
"@type" : "type.googleapis.com/compute.instances.list"
},
"requestMetadata" : {
"callerNetwork" : "/global/networks/__unknown__",
"callerSuppliedUserAgent" : "google-api-nodejs-client/0.10.0,gzip(gfe)",
"requestAttributes" : {
"auth" : {},
"time" : "2010-07-12T06:25:31.891Z"
},
"callerIp" : "xx.xxx.xxx.xx",
"destinationAttributes" : {}
}
},
"timestamp" : "2010-07-12T06:25:31.802Z",
"resource" : {
"type" : "gce_instance",
"labels" : {
"zone" : "east-us",
"instance_id" : "",
"project_id" : "some_random_name"
}
},
"@version" : "1",
"receiveTimestamp" : "2010-07-12T06:25:32.110631747Z",
"@timestamp" : "2010-07-12T06:25:32.338Z"