Question

Handling Dynamic and Indexed CEF Keys in Google SecOps Parsers

  • April 29, 2026
  • 0 replies
  • 3 views

akashgirme

Hello Community,

I am currently building a parser for a custom data source sending CEF logs via Syslog. I’ve encountered a structural issue with the keys in the CEF extension that I’m struggling to map to UDM.

The Problem: The logs contain keys that are dynamic and non-static, making it impossible to create individual UDM field mappings for them. Specifically:

  • IP-embedded Keys: I have fields like affected_assets.<ip_address>.hosts and affected_assets.<ip_address>.mac. Since the IP address is part of the key name itself, the potential number of unique keys is infinite.

  • Indexed Keys: I also see fields like priority_events.1, priority_events.2, and so on, where the count varies with every log entry.

The Challenge: In Google SecOps, it is not technically feasible to create thousands of unique UDM fields or write static regex mappings to cover every possible IP address or index number that might appear in a key name.

My Questions:

  1. Does Google SecOps support a dynamic field type or a specific mechanism to "catch" all keys matching a certain prefix (e.g., anything starting with affected_assets.)?

  2. Can the parser logic loop through the CEF extension to identify and extract these variable keys automatically?

  3. What is the recommended UDM strategy for storing this type of dynamic data so that it remains searchable without violating a fixed schema?

I’d appreciate any insights or examples of how you have handled these types of dynamic keys in your own parsers.

Thanks in advance!
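As an added illustration of the parsing problem described in the post (this is not part of the original question, and it is plain Python rather than Google SecOps parser syntax, which is a Logstash-style configuration language), the script below splits a CEF record into header fields and extension key/value pairs, then buckets the two dynamic key families the post names: `affected_assets.<ip>.<attribute>` keys are regrouped into one record per IP address, and `priority_events.<n>` keys are collected into a list ordered by their numeric index. The key shapes, the sample syslog line, the vendor and field names, and the helper function names are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# A key token is an unescaped "name=" that starts the extension or follows whitespace.
_KEY_RE = re.compile(r'(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=')
# Assumed shapes of the two dynamic key families from the post.
_IP_KEY_RE = re.compile(r'^affected_assets\.(\d{1,3}(?:\.\d{1,3}){3})\.(\w+)$')
_INDEX_KEY_RE = re.compile(r'^priority_events\.(\d+)$')
_HEADER_NAMES = ('version', 'device_vendor', 'device_product', 'device_version',
                 'signature_id', 'name', 'severity')


def _unescape(text):
    # CEF escapes '|', '=' and '\' with a backslash; \n and \r encode line breaks.
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), text)


def parse_cef_extension(extension):
    """Split the extension into ordered (key, value) pairs; values may contain spaces."""
    matches = list(_KEY_RE.finditer(extension))
    pairs = []
    for i, m in enumerate(matches):
        # A value runs from the end of its key token to the start of the next key token.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        pairs.append((m.group(1), _unescape(extension[m.end():end].strip())))
    return pairs


def parse_cef(line):
    """Parse a syslog line carrying a CEF record into header fields and extension pairs."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF record in line')
    # Seven header fields separated by unescaped '|', then the extension.
    parts = re.split(r'(?<!\\)\|', line[start + len('CEF:'):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    header = dict(zip(_HEADER_NAMES, (_unescape(p) for p in parts[:7])))
    return {'header': header, 'extension': parse_cef_extension(parts[7])}


def group_dynamic_keys(pairs):
    """Bucket the dynamic keys by family and keep the rest as static fields."""
    assets = defaultdict(dict)   # ip -> {attribute: value}
    events = {}                  # numeric index -> value
    static = {}
    for key, value in pairs:
        m = _IP_KEY_RE.match(key)
        if m:
            assets[m.group(1)][m.group(2)] = value
            continue
        m = _INDEX_KEY_RE.match(key)
        if m:
            events[int(m.group(1))] = value
            continue
        static[key] = value
    return {
        'static': static,
        # One record per IP so each can be emitted as a repeated structured entity.
        'affected_assets': [{'ip': ip, **attrs} for ip, attrs in assets.items()],
        # Numeric sort so index 10 lands after 9, not after 1.
        'priority_events': [events[i] for i in sorted(events)],
    }


def catch_all(pairs, prefixes):
    """Return every key starting with one of the prefixes as label/value records."""
    return [{'label': k, 'value': v} for k, v in pairs
            if any(k.startswith(p) for p in prefixes)]


# Constructed sample line: a syslog header followed by a CEF record with dynamic keys
# and an escaped '=' inside the msg value.
SAMPLE_LINE = (
    "<14>Apr 29 10:15:02 scanner01 CEF:0|ExampleVendor|AssetScanner|1.0|1001|"
    "Vulnerability summary|5|rt=1714385702000 "
    "affected_assets.10.0.0.5.hosts=web01 affected_assets.10.0.0.5.mac=00:11:22:33:44:55 "
    "affected_assets.10.0.0.6.hosts=db01 "
    "priority_events.1=patch missing priority_events.2=outdated agent "
    "msg=scan complete\\=ok"
)

if __name__ == '__main__':
    record = parse_cef(SAMPLE_LINE)
    grouped = group_dynamic_keys(record['extension'])
    print(record['header'])
    print(grouped)
    print(catch_all(record['extension'], ('affected_assets.', 'priority_events.')))
```

Once the pairs are grouped this way, the static keys can be mapped one by one, each IP record can become a repeated structured entry, and anything left over can be emitted as label/value pairs for a schema-free catch-all field. One caveat worth checking against real samples: the "key token after whitespace" rule is the standard CEF ambiguity, so a value containing an unescaped `word=` fragment will be split at that point; confirm that the source escapes `=` inside values as the sample does.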