Hi,
I want to verify that Cloud Armor logs are indeed visible in Chronicle through the Load Balancer logs.
From what I understand, Cloud Armor events are included in the external load balancer logs and should appear in Chronicle with event_type = "NETWORK_CONNECTION".
When I filter the logs in SecOps ingestion, I currently use:
OR log_id("loadbalancing.googleapis.com/external_regional_requests")
OR log_id("requests")
Is this filter sufficient to capture all relevant Cloud Armor activity (such as allowed or blocked requests), or are there additional log_id values that I should include to ensure full coverage of Cloud Armor logs in Chronicle?
Thank you!
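One way to check, on the Cloud Logging side, whether the entries a log_id filter lets through actually carry Cloud Armor decisions. This is an added example and not part of the question above; it assumes the documented shape of HTTP(S) load balancer request logs, where a Cloud Armor decision is recorded under `jsonPayload.enforcedSecurityPolicy` with `outcome` ACCEPT or DENY, and that `logName` encodes the `/` in a log ID as `%2F`. The log entries are constructed sample data, not real exports.

```python
"""Classify constructed load balancer log entries by log ID and Cloud Armor outcome.

Added example, not from the original post. Assumptions: Cloud Armor decisions
live in jsonPayload.enforcedSecurityPolicy, and logName looks like
projects/<project>/logs/<url-encoded log id>.
"""
from collections import Counter

# The two log IDs from the question's ingestion filter.
LOG_IDS_IN_FILTER = {
    "requests",
    "loadbalancing.googleapis.com/external_regional_requests",
}

# Constructed sample entries shaped like Cloud Logging LogEntry JSON.
SAMPLE_ENTRIES = [
    {   # Global external LB request allowed by the attached security policy.
        "logName": "projects/example-project/logs/requests",
        "jsonPayload": {
            "enforcedSecurityPolicy": {"name": "example-policy", "outcome": "ACCEPT",
                                       "configuredAction": "ALLOW", "priority": 1000},
            "statusDetails": "response_sent_by_backend",
        },
        "httpRequest": {"status": 200, "requestUrl": "https://app.example/"},
    },
    {   # Global external LB request blocked by the security policy.
        "logName": "projects/example-project/logs/requests",
        "jsonPayload": {
            "enforcedSecurityPolicy": {"name": "example-policy", "outcome": "DENY",
                                       "configuredAction": "DENY", "priority": 100},
            "statusDetails": "denied_by_security_policy",
        },
        "httpRequest": {"status": 403, "requestUrl": "https://app.example/admin"},
    },
    {   # Regional external LB request with no security policy attached at all.
        "logName": "projects/example-project/logs/"
                   "loadbalancing.googleapis.com%2Fexternal_regional_requests",
        "jsonPayload": {"statusDetails": "response_sent_by_backend"},
        "httpRequest": {"status": 200, "requestUrl": "https://regional.example/"},
    },
    {   # Unrelated log stream; the filter should drop it.
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "jsonPayload": {},
    },
]


def log_id(entry):
    """Return the log ID portion of logName with the %2F separator decoded."""
    return entry["logName"].rsplit("/logs/", 1)[1].replace("%2F", "/")


def cloud_armor_outcome(entry):
    """Return the enforced Cloud Armor outcome, or None when no policy was applied."""
    policy = entry.get("jsonPayload", {}).get("enforcedSecurityPolicy")
    return policy.get("outcome") if policy else None


def summarize(entries, allowed_log_ids=LOG_IDS_IN_FILTER):
    """Count entries kept by the filter and, of those, how many carry a Cloud Armor decision.

    An entry whose log ID matches but has no enforcedSecurityPolicy is a hint that
    the load balancer simply has no policy attached, not that the filter is wrong.
    """
    counts = Counter()
    for entry in entries:
        if log_id(entry) not in allowed_log_ids:
            counts["dropped_by_filter"] += 1
            continue
        counts["matched"] += 1
        outcome = cloud_armor_outcome(entry)
        counts["cloud_armor_" + outcome if outcome else "no_security_policy"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, value in sorted(summarize(SAMPLE_ENTRIES).items()):
        print(f"{key}: {value}")
```

Run against a real export of the log streams named in the filter, a count of `no_security_policy` entries on a load balancer that is supposed to have a policy attached is the thing to investigate; a filter that matches the right log IDs but never sees `enforcedSecurityPolicy` will not produce Cloud Armor events downstream.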
