Solved

Chronicle SIEM GKE Parser

  • December 25, 2024
  • 2 replies
  • 19 views

Roni11

Hello,

I’m looking to build a new parser for the GKE logs.

Should I go with a custom parser for this?

Also, how can I access the GKE logs while I’m working on the parser? I’d like to use them as a reference during development.

Thank you

Best answer by cmorris


2 replies

Roni11
  • Author
  • December 25, 2024

I noticed that I can go from the events to the managed parser and then set one up with the logs next to it.

There are several options - to create a custom parser or to create an extension. If I go with the extension, will I get to see any updates for this parser from Google?

Also, if I create a custom parser, how will the logs I want to use it with know to use the new one instead of the default parser that was used before?

Thanks

 


cmorris
  • Staff
  • Answer
  • December 25, 2024


A parser extension extends an existing parser (either prebuilt or custom). It does not create a new parser; instead, it adds additional mapping instructions to extract more data from the original raw log and insert it into UDM. You will see parser updates if you are using an extension on a prebuilt parser. If you use a custom parser, you will need to manage any changes directly.

When you choose to create the custom parser, after writing it, SecOps will validate it against the logs and then you can make it active.
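As an added illustration of what "additional mapping instructions" look like (this is example code written for this thread, not code from the original posts or from Google), here is a parser-extension body in the Chronicle/SecOps parser syntax for a GKE Kubernetes audit entry. It assumes the raw log is the Cloud Logging LogEntry as JSON (fields such as resource.labels.cluster_name and protoPayload.authenticationInfo.principalEmail); the chosen UDM target fields are my assumption, not a documented GKE mapping.

```logstash
# Added example, not code from this thread or from Google: a parser-extension
# body in Chronicle/SecOps parser syntax. It assumes the raw log is a GKE audit
# LogEntry as JSON from Cloud Logging; field names and UDM targets are assumptions.
filter {
  # Parse the JSON once; set a flag on failure instead of dropping the event.
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "not_json"
  }
  if ![not_json] {
    # Start from empty strings so an absent field leaves a known value behind.
    mutate {
      replace => {
        "cluster_name" => ""
        "namespace_name" => ""
        "method_name" => ""
        "principal_email" => ""
      }
    }
    # Each lookup gets its own on_error so one missing field does not block the rest.
    mutate { replace => { "cluster_name" => "%{resource.labels.cluster_name}" } on_error => "no_cluster" }
    mutate { replace => { "namespace_name" => "%{resource.labels.namespace_name}" } on_error => "no_ns" }
    mutate { replace => { "method_name" => "%{protoPayload.methodName}" } on_error => "no_method" }
    mutate { replace => { "principal_email" => "%{protoPayload.authenticationInfo.principalEmail}" } on_error => "no_email" }

    # Extra UDM mappings merged into the event the base parser already produced.
    if [cluster_name] != "" {
      mutate { replace => { "event.idm.read_only_udm.target.resource.name" => "%{cluster_name}" } }
    }
    if [method_name] != "" {
      mutate { replace => { "event.idm.read_only_udm.metadata.product_event_type" => "%{method_name}" } }
    }
    if [principal_email] != "" {
      # email_addresses is a repeated field, so merge the token rather than replace.
      mutate { merge => { "event.idm.read_only_udm.principal.user.email_addresses" => "principal_email" } }
    }
    if [namespace_name] != "" {
      # Labels are key/value objects: build one, then merge it into the repeated list.
      mutate {
        replace => {
          "ns_label.key" => "namespace"
          "ns_label.value" => "%{namespace_name}"
        }
      }
      mutate { merge => { "event.idm.read_only_udm.target.resource.attribute.labels" => "ns_label" } }
    }
    mutate { merge => { "@output" => "event" } }
  }
}
```

Because this is an extension rather than a replacement parser, the base GKE parser's own UDM output stays in place and only these added fields are merged into it.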