PARSING-NORMALIZATION errors

  • January 15, 2025
  • 12 replies
  • 236 views

Rached1996

Hello Community,

How can I identify parsing and normalization errors in Chronicle SIEM, please?
Thanks

12 replies

rajukg11
Staff
  • Staff
  • January 15, 2025

sudeep_singh
  • Bronze 1
  • January 16, 2025

Hi @Rached1996 ,

In Google SecOps, under SIEM Dashboards, in the Data Ingestion and Health Dashboard, there is a tile named Ingestion - Events by Log Type, where you can see the normalized events, parsing errors, etc.

Rached1996
  • Author
  • Silver 2
  • January 16, 2025


Can I search these errors through UDM?
I want to know where exactly the error is, for example for the o365 log type.


manoj610
  • New Member
  • January 16, 2025

Hi Rached,

Use this link to get the parser errors.
Google Security Operations CLI User Guide  |  Google Cloud

sudeep_singh
  • Bronze 1
  • January 17, 2025


Hi @Rached1996 ,

I'm not sure about getting the error through UDM, but if you do a raw log search and look at the event_type, there will be unparsed logs, and you can check which logs are getting errors and fine-tune the parser accordingly.


Rached1996
  • Author
  • Silver 2
  • January 20, 2025


Thanks for the reply.
How can I know where the problem is in the parser? I mean the problem causing the unparsed log.


sudeep_singh
  • Bronze 1
  • January 20, 2025


Hi @Rached1996 ,

While validating the parser, you will get which particular log is having an error.
With that particular log you will see what the error is and make the necessary changes in the parser.


rajukg11
Staff
  • Staff
  • January 20, 2025

Also, you can look for the unparsed logs in the UI. You should go to Legacy Raw Log Search (top right on SIEM search) and then do a RLS on the log type you are interested in. Once the results show up, on the right side in the Procedural Filtering, choose the Event Type drop-down, look for Unparsed logs and choose "show only" on that.


HubCity_mtb
  • Bronze 1
  • April 3, 2025

I was wondering why the current search capability does not have the procedural filter either. I can see events tagged with a Type of "unparsed_raw_log" in the raw logs table, but the Aggregations filter does not recognize these and there is no filter to show only "unparsed_raw_log" types in the current UI. Why is this? I'd assume the legacy search will one day go away; it seems inefficient to keep two search tools.


Sudheerzscaler

Can we group the results of this API by the error message? Suppose there are 200 results, but the exact errors are due to 2 reasons and there are 100 logs for each; can we group by the error message, or limit the results?

darrenswift
Staff
  • Staff
  • April 28, 2026

Aggregation filters within UDM search are only for parsed logs. Raw log search is available outside of legacy search: https://docs.cloud.google.com/chronicle/docs/investigation/raw-log-search-in-investigate

Regarding the CBN filters: it filters on errors; for any aggregation or filtering you can modify the output or use any Python function(s).
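As an added example (not part of this thread, the Chronicle CLI or any Google tool), here is what the grouping Sudheerzscaler asked for and darrenswift's "use any Python function(s)" could look like: it collapses the variable parts of each parser error message (quoted values, numbers) so that the same parser fault counts as one group, optionally restricted to one log type. The record fields log_type, error_message and raw_log, and the sample records, are constructed assumptions, not the real output shape of any Chronicle API.

```python
import re
from collections import defaultdict

# Constructed sample records. The field names (log_type, error_message,
# raw_log) are an assumption for illustration, not a real Chronicle API shape.
SAMPLE_ERRORS = [
    {"log_type": "OFFICE_365", "error_message": "json: unexpected token at offset 17", "raw_log": "{bad-1"},
    {"log_type": "OFFICE_365", "error_message": "json: unexpected token at offset 23", "raw_log": "{bad-2"},
    {"log_type": "OFFICE_365", "error_message": "json: unexpected token at offset 9", "raw_log": "{bad-3"},
    {"log_type": "OFFICE_365", "error_message": 'missing required field "UserId"', "raw_log": '{"Operation":"FileAccessed"}'},
    {"log_type": "OFFICE_365", "error_message": 'missing required field "ClientIP"', "raw_log": '{"Operation":"UserLoggedIn"}'},
    {"log_type": "WINEVTLOG", "error_message": 'missing required field "EventID"', "raw_log": "<Event/>"},
]


def normalize_message(msg: str) -> str:
    """Collapse quoted values and numbers so that one underlying parser fault
    maps to one signature regardless of the offending value or offset."""
    msg = re.sub(r'"[^"]*"', '"<value>"', msg)
    return re.sub(r"\d+", "N", msg)


def group_parser_errors(records, log_type=None):
    """Group parser-error records by normalized message.

    Returns a list of groups sorted by count (descending), each carrying the
    signature, the count, one sample error text and one sample raw log so the
    parser can be fixed against a concrete failing input."""
    groups = defaultdict(lambda: {"count": 0, "sample_error": None, "sample_raw_log": None})
    for rec in records:
        if log_type and rec["log_type"] != log_type:
            continue
        group = groups[normalize_message(rec["error_message"])]
        group["count"] += 1
        if group["sample_error"] is None:
            group["sample_error"] = rec["error_message"]
            group["sample_raw_log"] = rec["raw_log"]
    # sorted() is stable, so groups with equal counts keep first-seen order
    return [{"signature": sig, **g}
            for sig, g in sorted(groups.items(), key=lambda kv: -kv[1]["count"])]


if __name__ == "__main__":
    for g in group_parser_errors(SAMPLE_ERRORS, log_type="OFFICE_365"):
        print(f'{g["count"]:4d}  {g["signature"]}')
        print(f'      e.g. {g["sample_error"]}  <-  {g["sample_raw_log"]}')
```

With real results, replace SAMPLE_ERRORS with the records you fetched and adjust the three field names to the actual keys in that output.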