Skip to main content
Solved

Need Assistance with Custom Parser

  • February 7, 2025
  • 1 reply
  • 69 views
A
Forum|alt.badge.img+7
filter {
  mutate {
        replace => {
            "raw_Event" => ""
            "src" => ""
            "StatusCode" => ""
            "AttackURI" => ""
            "AttackData" => ""
            "UserAgent" => ""
            "dhost" => ""
            "act" => ""
            "requestMethod" => ""
            "event.idm.read_only_udm.metadata.vendor_name" => "Indusface"
            "event.idm.read_only_udm.metadata.product_name" => "WAF"
            "event.idm.read_only_udm.metadata.event_type" => "NETWORK_CONNECTION"
        }
    }


  grok {
      match => {
          "message" => ["CEF%{GREEDYDATA}src=%{IP:src} cn1=%{INT:StatusCode}%{GREEDYDATA}cs2=%{GREEDYDATA:AttackData} cs2%{GREEDYDATA} cs4=%{WORD:act}%{GREEDYDATA} cs5=%{GREEDYDATA:UserAgent}  cs5%{GREEDYDATA}dhost=%{GREEDYDATA:dhost} requestMethod=%{WORD:requestMethod}", "CEF%{GREEDYDATA}src=%{IP:src}"]
      }
      overwrite => ["src", "act" , "StatusCode", "UserAgent", "dhost", "requestMethod", "AttackData"]
      on_error => "grok_failed1"
  }


  mutate {
    uppercase => ["act"]
    }
 

    if [act] not in ["", "null", "None"] {
      mutate {
        replace => {
          "event.idm.read_only_udm.security_result.action_details" => "%{act}"
        }
      }
    }


    mutate {
        merge => {
            "@output" => "event"
        }
    }

}


I have written a parser. But how am I supposed to create a UDM field for device action?
This parser is throwing an error which is as followed : 

generic::unknown: pipeline.ParseLogEntry failed: LOG_PARSING_CBN_ERROR: "generic::invalid_argument: failed to convert raw output to events: failed to convert raw message 0: field \\"idm\\": index 0: recursive rawDataToProto failed: field \\"read_only_udm\\": index 0: recursive rawDataToProto failed: field \\"security_result\\": failed to make strategy: received non-slice or non-array raw output for repeated field"




Can you tell me what do I need to change exactly to fix this.
@bsalvatore @citreno @jstoner 

Best answer by bsalvatore

Hi, 

In this case, the error is related to security_result UDM field because it's an repeated field (UDM field list  |  Google Security Operations  |  Google Cloud), you need to convert the act variable from string to array in the following way:

 

 

.... mutate { replace => { "action_details" => "%{act}" } } mutate { replace => { "security_result.action_details" => "%{action_details}" } } mutate { merge => { "event.idm.read_only_udm.security_result" => "security_result" } }

 

 

1 reply

bsalvatore
Forum|alt.badge.img+6
  • bsalvatoreBronze 1
  • Bronze 1
  • Answer
  • February 7, 2025

Hi, 

In this case, the error is related to security_result UDM field because it's an repeated field (UDM field list  |  Google Security Operations  |  Google Cloud), you need to convert the act variable from string to array in the following way:

 

 

.... mutate { replace => { "action_details" => "%{act}" } } mutate { replace => { "security_result.action_details" => "%{action_details}" } } mutate { merge => { "event.idm.read_only_udm.security_result" => "security_result" } }

 

 

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.