
Hi team, I require assistance in developing a custom parser for processing raw logs. Additionally, I seek guidance on constructing a filter within the Chronicle environment. Would you please guide me? Thank you!

Assuming that you have already ingested the raw logs into Chronicle, on the development side you should know two things:

1 - How to parse - Please note that Chronicle uses the Logstash feature for custom parsing. So if you haven't worked on Logstash yet, I would suggest exploring the documentation of the Logstash filter plugins. The most used plugins while developing a parser are grok, mutate, json, split, xml, dissect and syslog_pri.
https://cloud.google.com/chronicle/docs/reference/parser-syntax
https://www.elastic.co/guide/en/logstash/current/filter-plugins.html

2 - Mapping to UDM fields - While writing the parser you should know the correct UDM fields to map the data fields to. Read the two documents below if you haven't done so yet.
https://cloud.google.com/chronicle/docs/reference/important-udm-fields
https://cloud.google.com/chronicle/docs/reference/udm-field-list

Your second ask --- What do you mean by constructing a filter?
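A minimal end-to-end parser in the Chronicle (Logstash-style) syntax the answer refers to, added here as an illustration and not taken from the thread or from any vendor parser: it applies the two steps above to one constructed VPN syslog line (grok to extract fields, then mutate to map them to UDM). The log format, the vendor/product names and the success/ALLOW mapping are assumptions made for the example.

```logstash
# Added example (not from the thread); assumes a constructed syslog-style line:
#   Mar 14 09:21:07 vpn-gw01 vpnd: user=alice src=203.0.113.45 action=success
filter {
  # 1. Parse: split the raw line into named fields with grok.
  grok {
    match => {
      "message" => "%{SYSLOGTIMESTAMP:ts} %{HOSTNAME:host} %{WORD:app}: user=%{USERNAME:user} src=%{IP:src_ip} action=%{WORD:action}"
    }
    on_error => "grok_failed"   # Chronicle-specific: set a flag instead of aborting
  }
  # Drop lines that don't match rather than emit half-populated UDM events.
  if [grok_failed] {
    drop {}
  }
  # Convert the syslog timestamp; the date filter writes to @timestamp.
  date {
    match => ["ts", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
    on_error => "ts_failed"
  }
  if ![ts_failed] {
    mutate {
      replace => { "event.idm.read_only_udm.metadata.event_timestamp" => "%{@timestamp}" }
    }
  }
  # 2. Map to UDM. Single-valued fields are set with replace ...
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type"   => "USER_LOGIN"
      "event.idm.read_only_udm.metadata.vendor_name"  => "ExampleVendor"
      "event.idm.read_only_udm.metadata.product_name" => "ExampleVPN"
      "event.idm.read_only_udm.target.hostname"       => "%{host}"
      "event.idm.read_only_udm.target.application"    => "%{app}"
      "event.idm.read_only_udm.target.user.userid"    => "%{user}"
    }
  }
  # ... repeated fields (principal.ip, security_result) are appended with merge.
  mutate { merge => { "event.idm.read_only_udm.principal.ip" => "src_ip" } }
  if [action] == "success" {
    mutate { replace => { "sec_result.action" => "ALLOW" } }
  } else {
    mutate { replace => { "sec_result.action" => "BLOCK" } }
  }
  mutate {
    merge => { "event.idm.read_only_udm.security_result" => "sec_result" }
  }
  # Emit the finished UDM event.
  mutate { merge => { "@output" => "event" } }
}
```

The UDM field names come from the udm-field-list document linked above; check each target field there, because repeated fields (such as principal.ip) must be filled with merge rather than replace.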

Thank you @deeshu!
