How do we query the list of unparsed logs from the SIEM?
How do we query the list of unparsed logs from the SIEM?
+3
+6- Bronze 2
Do you mean logs that failed parsing?
You can do that with cbn_cli, e.g.
cbn_cli.py --region EUROPE error -l WORKSPACE_ACTIVITY -sd 2023-08-01T00:00:00Z -ed 2023-08-16T07:50:00Z
+6- Bronze 2
I use the dashboard to see which log sources have failed logs. I dont know if theres an api call that allows you to see which log sources have recent fails.
+3Yes @ion_ I ingested the unsupported logs via windows parser. I was able to view it the SIEM. Since I know the log, I queried it using the values from the raw log.
+3
Event Type is getting tagged as Unparsed Log but I trying to find the UDM field to filter these logs.
View files in slack
+6- Bronze 2
Okay, so im assuming you’re looking at raw log search here?
Try to search for the following in UDM:
metadata.log_type="WINEVTLOG"
If this returns nothing then
all
of your logs aren’t parsing correctly
Note: “WINDOWS” needs to map to the log label you’re using.
View files in slack
+6- Bronze 2
If you can safely redact a sample raw log enough to send it to me, I can run it against the default Windows Event parser and tell you what the issue is.
You’re going to run into issues if you can’t use cbn_cli though, if its possible to gain access I would recommend it
Login to the community
Login with SSO
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.