Solved

Ingestion API: Chronicle

  • June 9, 2024
  • 8 replies
  • 64 views

Aravind3

Dear All,
Could anyone please give me the script for ingestion UDM events directly to Chronicle via an Ingestion API and also to send a local file via ingestion API.

Thank you in advance.

Best Regards,
Aravind S

Best answer by Rene_Figueroa

Hi @Rene_Figueroa,
Thank you for the reply.
Right, but I can't see the logs which are being ingested.
Thanks,
Aravind


Correct. You can search for metadata.vendor_name or some other identifier in UDM search to find what logs were ingested.

8 replies

Aravind3
  • Author
  • Bronze 2
  • June 10, 2024

Dear All,
Can anyone help me in rectifying this error?
python3 ingest.py
Traceback (most recent call last):
File "/home/CBN-CLI/ingestion/ingest.py", line 50, in <module>
from common import regions
ImportError: cannot import name 'regions' from 'common' (/home/CBN-CLI/venv/cli/common/__init__.py)

Reference: api-samples-python/forwarders/create_collector.py at master · chronicle/api-samples-python · GitHub

Thanks


Rene_Figueroa
Staff
  • June 11, 2024

The correct script to send data in UDM format is https://github.com/chronicle/api-samples-python/blob/master/ingestion/create_udm_events.py

If you want to send raw logs, then you can use the following:

https://github.com/chronicle/api-samples-python/blob/master/ingestion/create_unstructured_log_entries.py

Note that you need the Ingestion API key to send data to Chronicle.


Aravind3
  • Author

Hi @Rene_Figueroa,
Thank you for the reply.
I tried running the script with the credential file in ~/.chronicle_credentials.json and ran the below command, but I'm not getting any result or error. Please find the below image.

Thank you,


Rene_Figueroa
Staff
  • June 11, 2024

Normally, if you do not get any errors, that means a successful request. Our UDM endpoint does not ask for a log type though. See our reference:

https://cloud.google.com/chronicle/docs/reference/ingestion-api#udmevents

Did you happen to use the endpoint to send raw log data by any chance?

I normally call the UDM script in our sample code in the following manner:

~/api-samples-python$ python3 -m ingestion.create_udm_events --customer_id mycustomerid --json_events_file ingestion/example_input/sample_udm_events.json

Aravind3
  • Author

Hi @Rene_Figueroa,
I tried both ways but got the same result; it's not giving any error or result.
Is it because the service account (JSON file) doesn't have enough permission?
Thanks,
Aravind


Rene_Figueroa
Staff

Note that the data inside SIEM will be tagged as UDM if you send data using our UDM API endpoint.


Aravind3
  • Author
  • Bronze 2
  • June 13, 2024

Hi @Rene_Figueroa,
Thank you for the reply.
Right, but I can't see the logs which are being ingested.
Thanks,
Aravind


Rene_Figueroa
Staff

Correct. You can search for metadata.vendor_name or some other identifier in UDM search to find what logs were ingested.
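As an added example for this thread (not code from the chronicle/api-samples-python repository nor from Rene's replies), the script below does what the June 11 reply describes, posting a batch of UDM events to the udmevents endpoint, and what the accepted answer relies on: every event is required to carry a metadata.vendor_name so the batch can be found afterwards with a UDM search on that field. Unlike a silent run of the sample tool, it prints the HTTP status and response body, so "no output" is never mistaken for a confirmed ingest. It is self-contained and does not import the repository's common package (the June 10 traceback shows common resolving to a package inside the venv instead). The host name and /v2/udmevents path, the OAuth scope, the credentials-file argument, the NETWORK_HTTP sample event and the 192.0.2.10 / example.test values are assumptions or constructed data, not taken from the thread.

```python
"""Send UDM events to the Chronicle Ingestion API and report the HTTP result.

Added example for this forum thread; not code from chronicle/api-samples-python.
Host, path and OAuth scope are assumptions; SAMPLE_EVENTS is constructed data.
"""
import json
import sys
from typing import Dict, List

# Assumed ingestion host (regional deployments use a different host name).
DEFAULT_BASE_URL = "https://malachiteingestion-pa.googleapis.com"
# Assumed OAuth scope for the ingestion endpoint.
INGESTION_SCOPE = "https://www.googleapis.com/auth/malachite-ingestion"
REQUIRED_METADATA = ("event_timestamp", "event_type")

# Constructed sample event. vendor_name is set deliberately so the batch can be
# located afterwards with a UDM search on metadata.vendor_name.
SAMPLE_EVENTS: List[Dict] = [{
    "metadata": {
        "event_timestamp": "2024-06-11T10:00:00Z",
        "event_type": "NETWORK_HTTP",
        "vendor_name": "example-vendor",
        "product_name": "example-product",
    },
    "principal": {"ip": ["192.0.2.10"]},
    "target": {"url": "https://example.test/login"},
}]


def udm_events_url(base_url: str = DEFAULT_BASE_URL) -> str:
    """Full URL of the udmevents endpoint (assumed v2 path)."""
    return base_url.rstrip("/") + "/v2/udmevents"


def validate_event(event: Dict) -> List[str]:
    """Return the problems found in one UDM event; an empty list means sendable."""
    metadata = event.get("metadata") if isinstance(event, dict) else None
    if not isinstance(metadata, dict):
        return ["missing metadata object"]
    problems = [f"metadata.{field} is missing"
                for field in REQUIRED_METADATA if not metadata.get(field)]
    if not metadata.get("vendor_name"):
        problems.append("metadata.vendor_name is missing "
                        "(events will be hard to find in UDM search)")
    return problems


def build_payload(customer_id: str, events: List[Dict]) -> Dict:
    """Build the request body, refusing the whole batch if any event is malformed."""
    if not events:
        raise ValueError("no events to send")
    for index, event in enumerate(events):
        problems = validate_event(event)
        if problems:
            raise ValueError(f"event {index}: " + "; ".join(problems))
    return {"customer_id": customer_id, "events": events}


def send_events(customer_id: str, events: List[Dict], credentials_path: str,
                base_url: str = DEFAULT_BASE_URL):
    """POST the events with a service-account token; return (status, body)."""
    # Imported here so the validation helpers work without google-auth installed.
    from google.auth.transport.requests import AuthorizedSession
    from google.oauth2 import service_account

    creds = service_account.Credentials.from_service_account_file(
        credentials_path, scopes=[INGESTION_SCOPE])
    session = AuthorizedSession(creds)
    response = session.post(udm_events_url(base_url),
                            json=build_payload(customer_id, events))
    return response.status_code, response.text


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: send_udm_events.py CUSTOMER_ID CREDENTIALS_JSON [EVENTS_JSON]")
    events = SAMPLE_EVENTS
    if len(sys.argv) > 3:
        with open(sys.argv[3], encoding="utf-8") as fh:
            events = json.load(fh)
    status, body = send_events(sys.argv[1], events, sys.argv[2])
    # Always print the outcome: an HTTP 200 with an empty body is a successful request.
    print(f"HTTP {status}: {body or '<empty body>'}")
```

Run it as `python3 send_udm_events.py mycustomerid ~/.chronicle_credentials.json` to send the constructed event, or pass a JSON file holding a list of UDM events as the third argument. A malformed event stops the batch before any request is made, and a successful request is reported as an explicit status line rather than silence, which is the ambiguity the thread ran into.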