Author:
Idan Patelsky, GCP Cloud Security Steward
The Challenge
Historically, managing parsers in Google Security Operations was a highly centralized and manual process. All parser development and maintenance was handled by an internal Google team, and sharing custom or partner-created parsers required direct, manual file sharing with individual customers. This closed parser ecosystem limited the community's ability to collaborate on data ingestion content.
The Solution
To eliminate these barriers, we are excited to announce the launch of SecOps GitHub Support for Parsers. We are expanding our open-source content to log ingestion as well. By hosting partner-created and community-contributed parsers in our public Google SecOps Content Hub repository on GitHub, we are transitioning to a collaborative, transparent, and scalable model.
This launch introduces several core capabilities:
-
Centralized Parser Catalog: A public, version-controlled repository containing partner-created and community-contributed parsers.
-
Partner Empowerment: Certified partners (vendors, service providers) now have dedicated directories to directly upload, update, and maintain their product parsers, significantly reducing release cycles.
-
Community Contributions: Customers, security practitioners, and community members can submit parser enhancements, bug fixes, or entirely new parsers via standard GitHub Pull Requests (PRs).
-
Automated Quality Vetting: Every contribution triggers an automated CI/CD pipeline that runs extensive syntax checks, directory compliance, and unit tests.
We have already uploaded 240 parsers to the SecOps GitHub Parsers folder, and this number is constantly increasing with new content contributions.

Reviewing the parser folder content in the community parsers GitHub repository
How does it work?
There are two main workflows: parser contribution and parser deployment
Workflow A: How to Contribute or Enhance a GitHub Parser
Initial setup is simple and requires signing a Contributor License Agreement (CLA) and setting your SecOps tenant as explained here.
If you are creating a new parser, set-up your folder based on the parser convention as explained here.
Follow these steps to create and validate your Pull Request.

Example of the validation tests process when contributing parsers content
Workflow B: How to Deploy a Community Parser
Once you’ve located the required parser, Open the ‘metadata.json’ file to confirm supported log formats, references, and the associated Google SecOps Log Type identifier, and verify this parser meets your requirements.
Then, follow these steps to deploy the parser in your SecOps tenant.
Wrapping up
SecOps is a team sport, and log normalization is the gatekeeper. Transitioning to a community-driven model on GitHub enables the collective security community to scale ingestion capabilities, roll out parser bug fixes rapidly, and keep pace with a changing threat landscape.
We invite you to explore the repository, deploy community parsers to expand your coverage, and submit your first parser contribution today!
- GitHub Repository: Google SecOps Content Hub on GitHub
- Public Documentation: Working with Community Parsers in Google Security Operations
- Report Bugs & Suggest Enhancements: Open a GitHub Issue
