Skip to main content

Ingest logs V1 Alpha

  • December 6, 2024
  • 7 replies
  • 135 views
L
Forum|alt.badge.img+3

Hello,

Can you please let us know if there is way to ingest log through chronicle v1 alpha API ?

i see the document[https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/] and i dont find alternatives to /v2/unstructuredlogentries:batchCreate

do we have any documentations with clear explanation ?

Thank you.

7 replies

mikewilusz
Staff
Forum|alt.badge.img+10
  • mikewilusz
  • Staff
  • December 6, 2024

I've tested the new APIs with my Unofficial API Collectors. You can check here for the specific part of the code where I use the new API to upload logs.

Hope this helps!

-mike

DanDye
Staff
Forum|alt.badge.img+5
  • DanDye
  • Staff
  • December 10, 2024

I think what you are looking for is:
https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.logTypes.logs/import

NPC0101
Forum|alt.badge.img+2
  • NPC0101Bronze 2
  • Bronze 2
  • March 20, 2025

Hi,

 

I'm struggling to figure out the exact endpoint format for importing UDM events using the Google SecOps API. I've been looking at the documentation here: https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.events/import

 

The docs specify that the HTTP request should bePOST https://chronicle.googleapis.com/v1alpha/{parent}/events:import

 
But the documentation does not clearly explain what the {parent} value should actually be.
 
I had a similar issue with the logs import endpoint:

https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances.logTypes.logs/import

 

In that case, endpoint format was logTypes/{log_type}/logs:import like mentionned previously.

 

Could someone please help me understand what the correct format for the parent parameter should be for UDM event imports? Is it something like projects/{project}/locations/{location}/instances/{instance} or is there a different format?

 

Thanks in advance,

raybrian
Staff
Forum|alt.badge.img+6
  • raybrian
  • Staff
  • March 20, 2025

Here is some sample code that will be helpful: https://github.com/chronicle/api-samples-python/blob/efde6b579d14e188e8c5ea832935d3fbff00f1a6/ingestion/v1alpha/create_udm_events.py#L67

    DanDye
    Staff
    Forum|alt.badge.img+5
    • DanDye
    • Staff
    • March 20, 2025

    I've also got some work-in-progress on covering the logs:import endpoint:

     
    Chris Martin describes configuring a Forwarder before using that API in this post:
      NPC0101
      Forum|alt.badge.img+2
      • NPC0101Bronze 2
      • Bronze 2
      • March 20, 2025

      Hi everyone,

       
       

      Thank you all for your very helpful responses. I have looked at the sample code you shared, but I'm still having trouble getting the API to work.

       
       

       want to clarify that the log import works perfectly fine for me, but I'm encountering a 400 error: "Client Error: Bad Request" for the following URL when trying to import UDM events:

      https://eu-chronicle.googleapis.com/v1alpha/projects/{my-project}/locations/eu/instances/{my-instance}/events:import
       
      Here’s the body of the POST request I’m trying to send:
      {
        "inline_source"{
          "events"[
            {
              "udm"[
                {
                  "metadata"{
                    "eventTimestamp""2021-07-01T19:39:08.304950563Z",
                    "eventType""SCAN_HOST",
                    "vendorName""Telemetry4u",
                    "productName""Inspectotron"
                  },
                  "target"{
                    "hostname""workbox10"
                  },
                  "securityResult"[
                    {
                      "category"["DATA_AT_REST"],
                      "summary""Personal",
                      "description""Files Labeled: 21+"
                    },
                    {
                      "category"["DATA_AT_REST"],
                      "summary""PCI",
                      "description""Files Labeled: 21+"
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
       
      If anyone has suggestions on what might be causing this error, I would greatly appreciate it. Thanks again for your help
      raybrian
      Staff
      Forum|alt.badge.img+6
      • raybrian
      • Staff
      • March 23, 2025

      While it's not for UDM, we added raw log ingestion to the wrapper SDK: https://github.com/google/secops-wrapper?tab=readme-ov-file#log-ingestion

      Terms & ConditionsCookie settingsAccessibility statement
      Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

      © 2025 Google. All rights reserved.