Skip to main content
Solved

metadata.event_type = "NETWORK_FLOW"

  • January 2, 2025
  • 3 replies
  • 27 views
Chris_B
Forum|alt.badge.img+8

Hi all and happy new year!

I'm playing around with my network logs and was puzzled to find we don't have any 

metadata.event_type = "NETWORK_FLOW" logs - at tleaset not according to SIEM 🙂
 
I understood we  have firewall logs and logs from our routers so I expected to see flow also.
 
Would anyone offer which type of logs they see  metadata.event_type = "NETWORK_FLOW" logs in so I can narrow my efforts in examining raw etc.?
 
thanks!

Best answer by Rene_Figueroa

I should have said - I was looking at  NETWORK_CONNECTION, NETWORK_DNS like you said and I was wondering why I didn't see any NETWORK_FLOW or netflow logs .

In this context I'm understanding netflow logs as logs from routers, devices, the network fabric within my external firewalls.

 

This is prolly a simple matter that we're not onboarding  device logs in the manner I want to  yet.


Hi @Chris_B, correct. Different parsers do different mapping according to the logs that come in. Internally, I can see parsers such as CISCO_ISE, CISCO_VPN, CISCO_MERAKI and a few others create UDM events of NETWORK_FLOW type.

3 replies

Rene_Figueroa
Staff
Forum|alt.badge.img+10

Hi @Chris_B ,

Happy New Year! Your network logs might be parsed as NETWORK_CONNECTION. The network telemetry can be categorized as NETWORK_CONNECTION, NETWORK_DNS. For a full list, you can see our documentation.

    Chris_B
    Forum|alt.badge.img+8
    • Chris_BSilver 2
    • Author
    • Silver 2
    • January 2, 2025

    Hi @Chris_B ,

    Happy New Year! Your network logs might be parsed as NETWORK_CONNECTION. The network telemetry can be categorized as NETWORK_CONNECTION, NETWORK_DNS. For a full list, you can see our documentation.


    I should have said - I was looking at  NETWORK_CONNECTION, NETWORK_DNS like you said and I was wondering why I didn't see any NETWORK_FLOW or netflow logs .

    In this context I'm understanding netflow logs as logs from routers, devices, the network fabric within my external firewalls.

     

    This is prolly a simple matter that we're not onboarding  device logs in the manner I want to  yet.

    Rene_Figueroa
    Staff
    Forum|alt.badge.img+10
    • Rene_Figueroa
    • Staff
    • Answer
    • January 2, 2025

    I should have said - I was looking at  NETWORK_CONNECTION, NETWORK_DNS like you said and I was wondering why I didn't see any NETWORK_FLOW or netflow logs .

    In this context I'm understanding netflow logs as logs from routers, devices, the network fabric within my external firewalls.

     

    This is prolly a simple matter that we're not onboarding  device logs in the manner I want to  yet.


    Hi @Chris_B, correct. Different parsers do different mapping according to the logs that come in. Internally, I can see parsers such as CISCO_ISE, CISCO_VPN, CISCO_MERAKI and a few others create UDM events of NETWORK_FLOW type.

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.