Skip to main content

Hey all, I am trying to build some parser extensions and I am running into a wall. I'm trying to extract out a specific message from Checkpoint Firewall logs specifically I want to extract out the "TCP packet out of state="First packet isn't SYN". This is the current message that I am getting when I try the Preview UDM Output:
generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"about\\": no descriptor found"

Im not really sure what I am missing. And any help is much appreciated, thanks!

Raw log:
<85>1 2025-05-21T03:00:03--4:00 172.16.1.243 CP-GW - Log [Fields@1.3.6.1.4.1.2620 TCP packet out of state="First packet isn't SYN" tcp_flags="ACK" src="196.251.83.238" dst="209.66.73.51" proto="6" ProductName="VPN-1 & FireWall-1" svc="443" sport_svc="60734" ProductFamily="Network" ]

This is my current parser logic:

filter {
  mutate {
    replace => {
      "debug_state" => "entered_parser"
      "raw_message" => "%{message}"
    }
  }

  statedump {
    label => "before_grok"
  }

  grok {
    match => {
      "message" => '.*TCP packet out of state="(?<out_of_state>[^""]+)"'
    }
    on_error => "no_out_of_state"
  }

  mutate {
    replace => {
      "security_result.about.network.application_protocol" => "%{out_of_state}"
    }
  }

  statedump {
    label => "before_merge"
  }

  mutate {
    merge => {
      "@output" => "security_result"
    }
  }
}

And this is the Statedump that I currently see - I can see the result that I am looking for
Internal State (label=before_grok):
{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1747856587
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "debug_state": "entered_parser",
  "message": "\\u003c85\\u003e1 2025-05-21T03:00:03--4:00 172.16.1.243 CP-GW - Log [Fields@1.3.6.1.4.1.2620 TCP packet out of state=\\"First packet isn't SYN\\" tcp_flags=\\"ACK\\" src=\\"196.251.83.238\\" dst=\\"209.66.73.51\\" proto=\\"6\\" ProductName=\\"VPN-1 \\u0026 FireWall-1\\" svc=\\"443\\" sport_svc=\\"60734\\" ProductFamily=\\"Network\\" ]",
  "raw_message": "\\u003c85\\u003e1 2025-05-21T03:00:03--4:00 172.16.1.243 CP-GW - Log [Fields@1.3.6.1.4.1.2620 TCP packet out of state=\\"First packet isn't SYN\\" tcp_flags=\\"ACK\\" src=\\"196.251.83.238\\" dst=\\"209.66.73.51\\" proto=\\"6\\" ProductName=\\"VPN-1 \\u0026 FireWall-1\\" svc=\\"443\\" sport_svc=\\"60734\\" ProductFamily=\\"Network\\" ]"
}

Internal State (label=before_merge):

{
  "@createTimestamp": {
    "nanos": 0,
    "seconds": 1747856587
  },
  "@enableCbnForLoop": true,
  "@onErrorCount": 0,
  "@output": [],
  "@timezone": "",
  "debug_state": "entered_parser",
  "message": "\\u003c85\\u003e1 2025-05-21T03:00:03--4:00 172.16.1.243 CP-GW - Log [Fields@1.3.6.1.4.1.2620 TCP packet out of state=\\"First packet isn't SYN\\" tcp_flags=\\"ACK\\" src=\\"196.251.83.238\\" dst=\\"209.66.73.51\\" proto=\\"6\\" ProductName=\\"VPN-1 \\u0026 FireWall-1\\" svc=\\"443\\" sport_svc=\\"60734\\" ProductFamily=\\"Network\\" ]",
  "no_out_of_state": false,
  "out_of_state": "First packet isn't SYN",
  "raw_message": "\\u003c85\\u003e1 2025-05-21T03:00:03--4:00 172.16.1.243 CP-GW - Log [Fields@1.3.6.1.4.1.2620 TCP packet out of state=\\"First packet isn't SYN\\" tcp_flags=\\"ACK\\" src=\\"196.251.83.238\\" dst=\\"209.66.73.51\\" proto=\\"6\\" ProductName=\\"VPN-1 \\u0026 FireWall-1\\" svc=\\"443\\" sport_svc=\\"60734\\" ProductFamily=\\"Network\\" ]",
  "security_result": {
    "about": {
      "network": {
        "application_protocol": "First packet isn't SYN"
      }
    }
  }
}

Nice work on your first pass of a parser extension! One thing to keep in mind is that any time you're dealing with fields in a parser, you have to prepend the fields with something like "<event_variable>.idm.read_only_udm.<your UDM Fields). So without that, you're attempting to merge into the event and the system is saying that the field you're parsing isn't valid (due to missing the "idm.read_only_udm"). You can look at a parser extension example I have here to see this in action as an example: https://github.com/pilot006/google-secops-parser-extension-gcp-model-armor/blob/main/gcp_cloudaudit_model_armor_extension.conf

-mike

Nice work on your first pass of a parser extension! One thing to keep in mind is that any time you're dealing with fields in a parser, you have to prepend the fields with something like "<event_variable>.idm.read_only_udm.<your UDM Fields). So without that, you're attempting to merge into the event and the system is saying that the field you're parsing isn't valid (due to missing the "idm.read_only_udm"). You can look at a parser extension example I have here to see this in action as an example: https://github.com/pilot006/google-secops-parser-extension-gcp-model-armor/blob/main/gcp_cloudaudit_model_armor_extension.conf

-mike


Hi Mike,

Thank you for the response that makes more sense, I finally was able to get the parser working and showing the output in the UDM preview!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.