in sources/Google.Solutions.IapDesktop.Extensions.Management/Auditing/AuditLogClient.cs [61:111]
internal static string CreateFilterString(
IEnumerable<string>? zones,
IEnumerable<ulong>? instanceIds,
IEnumerable<string>? methods,
IEnumerable<string>? severities,
DateTime startTime)
{
Debug.Assert(startTime.Kind == DateTimeKind.Utc);
var criteria = new LinkedList<string>();
//
// NB. OSLogin logs have the zone and instance_id at the top level:
//
// "labels": {
// "zone": "europe-west4-a",
// "instance_id": "1234567890"
// }
//
// All other logs have these fields under resource.labels.
//
if (zones != null && zones.Any())
{
var zonesClause = string.Join("\" OR \"", zones);
criteria.AddLast($"(resource.labels.zone=(\"{zonesClause}\") OR labels.zone=(\"{zonesClause}\"))");
}
if (instanceIds != null && instanceIds.Any())
{
var instanceIdsClause = string.Join("\" OR \"", instanceIds);
criteria.AddLast($"(resource.labels.instance_id=(\"{instanceIdsClause}\") OR labels.instance_id=(\"{instanceIdsClause}\"))");
}
if (methods != null && methods.Any())
{
criteria.AddLast($"protoPayload.methodName=(\"{string.Join("\" OR \"", methods)}\")");
}
if (severities != null && severities.Any())
{
criteria.AddLast($"severity=(\"{string.Join("\" OR \"", severities)}\")");
}
// NB. Some instance-related events use project scope, for example
// setCommonInstanceMetadata events.
criteria.AddLast($"resource.type=(\"gce_instance\" OR \"gce_project\" OR \"audited_resource\")");
criteria.AddLast($"timestamp > \"{startTime:o}\"");
return string.Join(" AND ", criteria);
}