Skip to main content

Parser Custom "FortiSwitch"

  • November 29, 2023
  • 4 replies
  • 21 views
M
Forum|alt.badge.img

Hello everyone,
I come from years of experience from Qradar where to create a custom parser was almost child's play...
unfortunately with Chronicle I am having a lot of problems....
can you help me? specifically i am trying to create a custom parser for a "Forti Switch" is there a place where i can find a base already created for custom parsers or do you have to create them right from scratch? thanks to anyone who will answer.

Ray_a

4 replies

stefancoook1
Forum|alt.badge.img+2
  • stefancoook1Bronze 3
  • Bronze 3
  • November 29, 2023

Look at the built in list of custom parsers, you should be able to extend an existing Fortinet parser, which should be able to parse some of the data.

Ray_a
M
M
Forum|alt.badge.img+4
  • MustacheBronze 3
  • Bronze 3
  • November 29, 2023

To add to @stefancoook1 , if you're working on a custom parser for a switch, then the firewall might be a closer place to start: 

See if the FortiGate will get you a good start. 

Unfortunately, you might have to ingest some logs into that Log Label first so that Chronicle will populate the Default Fortigate Parser for you and then allow you to edit it. Without logs, Chronicle doesn't seem to let you touch the default parser, even to create a custom one based on that parser. It might be useful to add that as a feature request! 

Ray_a
M
cmmartin_google
Staff
Forum|alt.badge.img+11

To add to @stefancoook1 , if you're working on a custom parser for a switch, then the firewall might be a closer place to start: 

See if the FortiGate will get you a good start. 

Unfortunately, you might have to ingest some logs into that Log Label first so that Chronicle will populate the Default Fortigate Parser for you and then allow you to edit it. Without logs, Chronicle doesn't seem to let you touch the default parser, even to create a custom one based on that parser. It might be useful to add that as a feature request! 


You can call the Chronicle Backstory API and download a Parser without having code samples, e.g.,

DOWNLOAD_PARSER = '{}/tools/cbnParsers/{}'.format(BACKSTORY_API_V1_URL, "WINEVTLOG")

Raising up Feature Requests via support is always encouraged and welcomed for feedback. 

M
Tonio
Forum|alt.badge.img+6
  • TonioBronze 5
  • Bronze 5
  • February 16, 2024

You can call the Chronicle Backstory API and download a Parser without having code samples, e.g.,

DOWNLOAD_PARSER = '{}/tools/cbnParsers/{}'.format(BACKSTORY_API_V1_URL, "WINEVTLOG")

Raising up Feature Requests via support is always encouraged and welcomed for feedback. 


Hi @cmmartin_google , that is a very nice feature. Is that API still available? would you mind share some updated reference bout it? It's my understanding that the cbn has been recently deprecated.

Thanks

 

A

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.