Question

Parser extension for syslog header

  • January 13, 2026
  • 1 reply
  • 22 views


Hello,

Below is my scenario:

For the logs that are sent to Google SecOps, there is already a pre-built parser available, but it does not parse the logs.

When I check, the grok pattern to match the syslog header of the logs is not available in the parser code.

I have created the grok pattern and I can see that all the other fields are parsed to UDM fields correctly.

Now, my question: is it possible to create a parser extension to match only the syslog header and leave everything else as optional?

If the above is possible: I tried the no-code option → I put my grok pattern in the syslog box and target field, and it is validated successfully. But when I tried to preview UDM, it does not give me the output; the logs are still dropped due to the patterns that are available in the pre-built parser.

Can you please help me with this?

Thanks,
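The behaviour the question describes, a header match that is mandatory while the body remains optional, is easiest to reason about outside the product. The following is an added example (not the poster's grok pattern and not Google SecOps parser code): it emulates grok-style named captures with Python regexes for an RFC 3164-style syslog header, treats the key=value body as optional, and shows the difference between "body optional" and "body required" (the latter is what drops an event when the body pattern does not fit). The sample log lines are constructed, and the header layout and field names are assumptions.

```python
import re

# Grok-style header written as Python named groups.
# Assumption: RFC 3164 layout "<PRI>Mon dd HH:MM:SS host program[pid]: message".
# The <PRI> prefix and the [pid] are optional so that slightly different
# senders still match the header.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                    # optional priority
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # e.g. "Jan 13 10:15:02"
    r"(?P<hostname>\S+) "                                          # source host
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"             # program[pid]:
    r"(?P<message>.*)$"                                            # everything else
)

# Assumption: the vendor body is key=value pairs, quoted values allowed.
KV_BODY = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample lines: one full event, one with a free-text body,
# one with no syslog header at all.
SAMPLE_LINES = [
    "<134>Jan 13 10:15:02 fw01 vendorapp[1234]: action=allow src=10.0.0.5 dst=10.0.0.9 proto=tcp",
    "Jan 13 10:15:03 fw01 vendorapp: plain text message with no key value pairs",
    "this line has no syslog header at all",
]


def parse_syslog_header(line):
    """Return the header fields as a dict, or None when the header does not match."""
    m = SYSLOG_HEADER.match(line)
    if m is None:
        return None
    # Drop optional groups that did not participate, like grok does.
    return {k: v for k, v in m.groupdict().items() if v is not None}


def parse_body(message):
    """Extract key=value pairs; an empty dict means the body was not in kv form."""
    return {k: v.strip('"') for k, v in KV_BODY.findall(message)}


def parse_event(line, body_required=False):
    """Parse one line. The header is mandatory; the body is optional unless
    body_required is True, in which case a non-kv body drops the event (None)."""
    header = parse_syslog_header(line)
    if header is None:
        return {"error": "header did not match", "raw": line}
    body = parse_body(header["message"])
    if body_required and not body:
        return None  # this is the "event dropped" outcome
    return {**header, "body": body}


def parse_all(lines, body_required=False):
    """Parse every line; dropped events are omitted from the result."""
    results = [parse_event(l, body_required) for l in lines]
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for event in parse_all(SAMPLE_LINES):
        print(event)
    print("with body_required:", len(parse_all(SAMPLE_LINES, body_required=True)), "events kept")
```

Run with the default settings, all three lines produce a result (the third as a header error you can route to a raw field instead of dropping); with `body_required=True` the free-text line is silently lost, which is the symptom the question reports when the pre-built body patterns do not fit.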

1 reply

Eoved
  • Bronze 2
  • January 14, 2026

Yes, you can create a parser extension to handle the header; you will need to use the code-based approach.
But I guess that if this is the scenario, it means the data wasn't ingested using the supported method.
Depending on the log type, it might be easier and more beneficial in the long term to switch to the supported ingestion method.
If you can, share some information about the logs here.