Solved

Ingesting custom log data to Chronicle SIEM - Not existing Log Source and Log type

  • April 18, 2024
  • 4 replies
  • 107 views

aivaras

Hi Community,

Did anyone try to ingest completely custom log data into Chronicle SIEM?

I mean log data which does not fall under any log sources (JSON, KV, etc.) and does not fall under any log types (Azure AD, Linux Auditing System (AuditD), etc.)?

I can write a parser after ingestion, but it is not too clear how to inject data which cannot be attached to any of current categories (log sources or log types).

P.S. Log data type was created without consideration of existing log types and sources.

Best answer by cmorris (Staff), April 18, 2024

Hi aivaras,

Please submit a support case for the creation of a new log type. That new log type can be internal to your Chronicle instance. Once the new log type has been set up, you can configure ingestion and then build a custom parser.

Chris

4 replies


  • Bronze 1
  • May 13, 2024


@cmorris Couple of questions: Do you have to open a support request, or is there a way to create a new data label/source on our own? Also, what's the timeline to turn around the new data label?


cmorris
Staff
  • Staff
  • May 16, 2024

You will have to open a support case. You can find existing labels and whether or not there is an existing parser for them here - https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers.


JSpoorSonic
  • Bronze 3
  • October 31, 2025

You can actually add a custom Log_Type:

Settings > SIEM Settings > Available LogTypes, then hit the "Request a Log Type" button, top right.

You will have to create your own parser for this.

Settings > SIEM Settings > Parsers, then hit the "CREATE PARSER" button, top right.

Look for the name you gave your Log Type in step 1.

Then follow this to ingest:

https://docs.cloud.google.com/chronicle/docs/secops/secops-ingestion
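The thread's procedure (get a custom log type created, build a parser for it, then ingest) ends with the ingestion step, which the linked page only describes in general terms. The following is an added example, written for this page and not taken from the thread or from Google's documentation, showing how raw lines in an arbitrary custom format are pushed to the Chronicle Ingestion API's unstructuredlogentries:batchCreate method with the new log type name. Everything below that is not on the page is an assumption and is marked as such in the code: the log type name MY_CUSTOM_APP, the all-zero customer_id placeholder, the constructed sample lines, the per-request size cap (chosen for the example, not a documented limit), and the service-account scope used for the legacy Ingestion API. Two caveats a practitioner should keep in mind: until the custom parser is live, these entries are stored as raw logs only and yield no UDM events, and regional Chronicle instances use a regional ingestion hostname rather than the default one shown here.

```python
"""Push custom-format log lines to Chronicle via unstructuredlogentries:batchCreate.

Added example, not code from the forum thread or from Google.
Assumptions (not on the page):
  - a custom log type, here the hypothetical name MY_CUSTOM_APP, already exists
    for the tenant (requested via support or the "Request a Log Type" button);
  - the legacy Ingestion API endpoint and the malachite-ingestion OAuth scope;
  - MAX_BATCH_BYTES is a cap picked for this example, not a documented limit.
"""
import json
from typing import Iterable, Iterator, List, Optional

# Default (non-regional) endpoint; regional tenants use a regional hostname.
INGESTION_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"
SCOPES = ["https://www.googleapis.com/auth/malachite-ingestion"]
MAX_BATCH_BYTES = 512 * 1024  # example cap; keep well under what the API accepts

# Constructed sample lines in an invented pipe-delimited format that is neither
# JSON nor key=value throughout, i.e. the kind of data the thread is about.
SAMPLE_LINES = [
    "2024-04-18T09:12:01Z|auth|LOGIN_OK|user=alice|src=10.0.0.7",
    "2024-04-18T09:12:05Z|auth|LOGIN_FAIL|user=bob|src=203.0.113.9|reason=bad_password",
    "",  # blank line: must be dropped, not sent as an empty entry
    "2024-04-18T09:13:40Z|file|DOWNLOAD|user=alice|path=/srv/export/q1.csv|bytes=48213",
]


def clean_lines(lines: Iterable[str]) -> List[str]:
    """Drop blank lines and strip line terminators, leaving the raw text untouched.

    Parsing happens server-side in the custom parser, so the client must not
    re-encode, reorder or trim fields: what the parser sees is what was sent.
    """
    out = []
    for line in lines:
        text = line.rstrip("\r\n")
        if text.strip():
            out.append(text)
    return out


def build_batch(customer_id: str, log_type: str, lines: List[str],
                namespace: Optional[str] = None) -> dict:
    """Build one batchCreate request body for the given (custom) log type."""
    body = {
        "customer_id": customer_id,
        "log_type": log_type,
        "entries": [{"log_text": text} for text in lines],
    }
    if namespace:
        body["namespace"] = namespace
    return body


def chunk_lines(lines: List[str], max_bytes: int = MAX_BATCH_BYTES) -> Iterator[List[str]]:
    """Group lines so each group's serialised entries stay under max_bytes.

    A single line larger than the cap is emitted alone rather than dropped,
    so nothing is silently lost; the API, not this client, rejects it if needed.
    """
    batch, size = [], 0
    for text in lines:
        entry_size = len(json.dumps({"log_text": text}).encode("utf-8")) + 1  # +1: separating comma
        if batch and size + entry_size > max_bytes:
            yield batch
            batch, size = [], 0
        batch.append(text)
        size += entry_size
    if batch:
        yield batch


def send_batch(body: dict, credentials_file: str) -> int:
    """POST one batch with a service-account credential; returns the HTTP status.

    Network call, kept out of the import path so the rest runs offline.
    """
    from google.oauth2 import service_account
    from google.auth.transport.requests import AuthorizedSession

    creds = service_account.Credentials.from_service_account_file(credentials_file, scopes=SCOPES)
    session = AuthorizedSession(creds)
    resp = session.post(INGESTION_URL, json=body, timeout=30)
    return resp.status_code


if __name__ == "__main__":
    lines = clean_lines(SAMPLE_LINES)
    for group in chunk_lines(lines):
        # Placeholder customer_id; replace with your tenant's UUID.
        body = build_batch("00000000-0000-0000-0000-000000000000", "MY_CUSTOM_APP", group)
        print(json.dumps(body, indent=2))
        # status = send_batch(body, "ingestion-sa.json")  # enable with real credentials
```

Run it as-is to see the exact JSON the API receives; enable the send_batch call once the service-account file and customer_id are in place. Sending before the parser exists is harmless for testing connectivity, but the events will only appear in raw log search until the parser is published.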