
Hello everyone,
I have tried to create a parser without success.
Can anyone help me identify the error?

Reference Log:
<190>1 2024-11-11T20:24:37.752440+00:00 CoreX tpmd 655 - - Event|13601|LOG_INFO|||TPM_Sign requested by hpe-restd was successful


filter {
mutate {
 replace => {
      "event.idm.read_only_udm.metadata.event_type" => "tpmd"
      "event.idm.read_only_udm.principal.process.pid" => "655"
      "event.idm.read_only_udm.metadata.product_event_type" => "Event|13601|LOG_INFO"
      "event.idm.read_only_udmmetadata.description" => "TPM_Sign requested by hpe-restd was successful"
    }
  }

mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "%{event_type}"
      "event.idm.read_only_udm.principal.process.pid" => "%{product_name}"
      "event.idm.read_only_udm.metadata.product_event_type"  => "%{product}"
      "event.idm.read_only_udmmetadata.description" => "%{description}"
   }
 }
 grok {
    match => {
      "message" => [
        "%{SYSLOGTIMESTAMP:2024-11-11T20:24:37.752440+00:00} %{HOST:CoreXBTJ2}
      ]
    }
    on_error => "grok_message_fail"
  }
 #Parse date format: 2019-06-18T15:31:57.5530000Z
  date {
    match => ["syslogtime", "RFC3339"]
  }
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}


You have several issues:

  1. Missing close quote on line 22
  2. Undeclared variables with missing on_error in replace statement on line 12
  3. metadata.event_type is a UDM enum field, "tpmd" is not allowed (https://cloud.google.com/chronicle/docs/reference/udm-field-list#Metadata.EventType)
  4. Your grok pattern is incorrect (https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html), variable names go after the : in the grok pattern shorthand notation. Like this: %{SYSLOGTIMESTAMP:syslogtime}

Here are some docs on parsing; I recommend reviewing these and making sure your code is compliant with the parser language and UDM.

parser syntax reference: https://cloud.google.com/chronicle/docs/reference/parser-syntax

UDM usage guide: https://cloud.google.com/chronicle/docs/unified-data-model/udm-usage#metadataevent_type

UDM field list: https://cloud.google.com/chronicle/docs/reference/udm-field-list 


Hi MadAre,

It looks like you may have a typo on this line:
"event.idm.read_only_udmmetadata.description" => "TPM_Sign requested by hpe-restd was successful"

Corrected: "event.idm.read_only_udm.metadata.description"

Hope this helps.
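A corrected parser that applies the four points from the first reply (unterminated grok string, variables used before they are declared, a non-enum value in metadata.event_type, and variable names placed after the colon in the grok shorthand) together with the "udmmetadata" typo fix from the second reply. This is an added example, not code posted by either replier or by MadAre. Assumptions: the grok pattern is built from the single reference line in the question, so the token names pri, version, hostname, product, pid, product_event_type and description are my own; GENERIC_EVENT is chosen as the UDM EventType because the line is a plain status message; the RFC3339 date format token is kept from the original post.

```logstash
filter {
  # Declare every intermediate variable up front so that no later
  # mutate/replace references a token that was never set (issue 2).
  mutate {
    replace => {
      "syslogtime" => ""
      "hostname" => ""
      "product" => ""
      "pid" => ""
      "product_event_type" => ""
      "description" => ""
    }
  }

  # Reference line from the question (constructed sample input):
  # <190>1 2024-11-11T20:24:37.752440+00:00 CoreX tpmd 655 - - Event|13601|LOG_INFO|||TPM_Sign requested by hpe-restd was successful
  # Variable names go after the colon (issue 4). "|" is a regex
  # metacharacter, so the literal "|||" separator is escaped. DATA is
  # non-greedy, so product_event_type stops at the first "|||".
  grok {
    match => {
      "message" => [
        "<%{INT:pri}>%{INT:version} %{TIMESTAMP_ISO8601:syslogtime} %{HOSTNAME:hostname} %{WORD:product} %{INT:pid} - - %{DATA:product_event_type}\\|\\|\\|%{GREEDYDATA:description}"
      ]
    }
    on_error => "grok_message_fail"
  }

  # Only build the UDM event when the line actually matched; otherwise
  # the tokens are still the empty strings declared above.
  if ![grok_message_fail] {
    # Timestamp is RFC3339 in the reference line (format token kept
    # from the original post; adjust if your instance expects another).
    date {
      match => ["syslogtime", "RFC3339"]
      on_error => "date_fail"
    }

    # metadata.event_type must be a value from the UDM EventType enum
    # (issue 3); GENERIC_EVENT is assumed here as the catch-all for a
    # status message. Note the corrected "read_only_udm.metadata" path.
    mutate {
      replace => {
        "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        "event.idm.read_only_udm.metadata.product_name" => "%{product}"
        "event.idm.read_only_udm.metadata.product_event_type" => "%{product_event_type}"
        "event.idm.read_only_udm.metadata.description" => "%{description}"
        "event.idm.read_only_udm.principal.hostname" => "%{hostname}"
        "event.idm.read_only_udm.principal.process.pid" => "%{pid}"
      }
      on_error => "udm_replace_fail"
    }

    mutate {
      merge => {
        "@output" => "event"
      }
    }
  }
}
```

With the reference line as input, product becomes "tpmd", pid "655", product_event_type "Event|13601|LOG_INFO" and description "TPM_Sign requested by hpe-restd was successful", which matches the field assignments the question was trying to hard-code. Every filter that can fail carries an on_error token, so a non-matching line leaves an error flag set instead of aborting the parser.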



