
I have written a simple parser extension for a specific log type which was coming as unparsed.

Parser Extension

filter {
    # Initialise every field the extension writes so the later checks are well defined
    mutate {
        replace => {
            "raw_Event" => ""
            "vendor_name" => "Palo Alto Networks"
            "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
        }
    }

    # Capture the whole message; on_error keeps a grok miss from aborting the parser
    grok {
        match => {
            "message" => ["%{GREEDYDATA:raw_Event}"]
        }
        overwrite => ["raw_Event"]
        on_error => "grok_failed"
    }

    if [raw_Event] != "" {
        # Copy the captured text into the value half of a key/value label
        mutate {
            replace => {
                "raw_Event_label.value.string_value" => "%{raw_Event}"
            }
            on_error => "raw_Event_empty"
        }
        if ![raw_Event_empty] {
            mutate {
                replace => {
                    "raw_Event_label.key" => "raw_Event"
                }
            }
            # Append the label to the event's additional.fields list
            mutate {
                merge => {
                    "event.idm.read_only_udm.additional.fields" => "raw_Event_label"
                }
                on_error => "raw_Event_label_empty"
            }
        }
    }

    # Debug aid: dump the parser state at this point
    statedump {
        label => "foo"
    }

    mutate {
        merge => {
            "@output" => "event"
        }
    }
}


Output
No UDM events or entities were generated for the current parser configuration. If this is not intended, rectify the code snippet/UDM mappings and then click preview.



SampleLog
<14>Feb 8 12:55:48 ABC_FW1 021201146055,2025/02/08 12:55:48,audit,2817,log-critical-activity,,"type=DEL_GROUP msg=audit(1738079548.016:64651): pid=17128 uid=0 auid=42949295 ses=4294967295 subj=system_u:system_r:useradd_t:s0 msg='op=delete-group grp=""_cliuser"" acct=""_cliuser"" exe=""/usr/sbin/userdel"" hostname=? addr=? terminal=console res=success'",success


Can anyone help me solve this?
@bsalvatore @citreno @jstoner 
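As an added illustration (my own Python, not Chronicle parser code and not from the post), this models the parsing the extension would need for the sample log: splitting the syslog header, unescaping the CSV-quoted audit body (the `""` quoting that a bare GREEDYDATA capture leaves in place), and mapping only audit records to a specific UDM event type instead of forcing every log type to GENERIC_EVENT. The audit-type to UDM mapping and the field placement are my assumptions.

```python
import csv
import io
import re

# Constructed sample: the single syslog line from the post.
SAMPLE_LOG = (
    "<14>Feb 8 12:55:48 ABC_FW1 021201146055,2025/02/08 12:55:48,audit,2817,"
    'log-critical-activity,,"type=DEL_GROUP msg=audit(1738079548.016:64651): pid=17128 '
    "uid=0 auid=42949295 ses=4294967295 subj=system_u:system_r:useradd_t:s0 "
    'msg=\'op=delete-group grp=""_cliuser"" acct=""_cliuser"" exe=""/usr/sbin/userdel"" '
    'hostname=? addr=? terminal=console res=success\'",success'
)

SYSLOG = re.compile(r"^<\d+>\w{3} +\d{1,2} \d\d:\d\d:\d\d (?P<host>\S+) (?P<body>.*)$")
KV = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Assumed mapping of Linux audit record types to UDM event types (my choice, not the vendor's).
AUDIT_TO_UDM = {"ADD_USER": "USER_CREATION", "DEL_USER": "USER_DELETION",
                "ADD_GROUP": "GROUP_CREATION", "DEL_GROUP": "GROUP_DELETION"}

def parse_kv(text):
    """Flatten key=value pairs; the quoted msg='...' payload is parsed recursively."""
    out = {}
    for key, val in KV.findall(text):
        if val.startswith("'") and val.endswith("'"):
            out.update(parse_kv(val[1:-1]))  # inner pairs: op=, grp=, exe=, res=
        else:
            out[key] = val.strip('"')
    return out

def to_udm(line):
    """Return a UDM-style dict for a PAN-OS audit log, or None so other log types stay untouched."""
    m = SYSLOG.match(line)
    if not m:
        return None
    cols = next(csv.reader(io.StringIO(m.group("body"))))  # csv turns "" back into "
    if len(cols) < 8 or cols[2] != "audit":
        return None
    audit = parse_kv(cols[6])
    event_type = AUDIT_TO_UDM.get(audit.get("type", ""))
    if event_type is None:
        return None
    return {
        "metadata": {"vendor_name": "Palo Alto Networks", "event_type": event_type,
                     "product_event_type": audit["type"], "product_log_id": cols[3]},
        "principal": {"hostname": m.group("host"),
                      "process": {"pid": audit.get("pid"), "file": {"full_path": audit.get("exe")}}},
        "target": {"group": {"group_display_name": audit.get("grp")}},
        "security_result": {"action": "ALLOW" if cols[7] == "success" else "BLOCK"},
    }
```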

I hope you are not trying to add the raw log into every event. Also your code, as it stands, will update every event log type to GENERIC_EVENT. I am sure that's not what you want to do. Please take a look at your parser logic and make sure what you are doing is what you want.


@anurag.q.singh Please check out this post to see if you could use some of the sample code as a reference. Have you tried using a different data extraction function other than grok? 

