generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "generic::invalid_argument: *events_go_proto.Event_Webproxy: invalid target device: device is empty"

Question

I am getting stuck with both a custom parser, as well as parser extension, on this error

I already have a lot of the UDM mapped out, which am I missing?

 "@output": [
 {
 "idm": {
 "read_only_udm": {
 "metadata": {
 "event_timestamp": {
 "nanos": 0,
 "seconds": [removed by moderator] 
 },
 "event_type": "NETWORK_CONNECTION"
 },
 "network": {
 "ip_protocol": "UDP",
 "session_id": "SJL0VM-SMAEXT01:691dd63a:00000000"
 },
 "principal": {
 "asset": {
 "ip": [
 "2.0.0.56"
 ]
 },
 "hostname": "SJL0VM-SMAEXT01",
 "ip": [
 "2.0.0.56"
 ],
 "user": {
 "user_display_name": "(user)@(Colo Access)",
 "userid": "user"
 }
 },
 "src": {
 "ip": [
 "2.0.0.56"
 ]
 },
 "target": {
 "user": {
 "userid": "user"
 }
 }
 }
 }
 }
 ]

JSpoorSonic · Accepted Answer

Solved already, I had an error in my code whereby target.ip was not populated.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded