I've set up a webhook feed collection in SecOps. The logs are being indexed in json object blocks:

{
content 1
}
...
{
content n
}

I've added a line break delimiter, but it's not working. I'd like to understand a few points:

By unchecking the option to compress text, am I changing the original format of the logs? Should I set the default format to RAW to get a closer view of the actual log saved in SecOps Cloud Spanner?

Some pictures of the environment below.

Hi @chicoqueiroga 


Unchecking the option to compress text in SecOps does not change the original format of the logs. It simply prevents the logs from being compressed during ingestion. This can be helpful for troubleshooting parsing issues, as it allows you to see the logs in their raw, uncompressed form.


The issue you are encountering with the line break delimiter is likely due to the fact that the logs are not properly formatted for parsing. Here's a forum thread that might help:


https://www.googlecloudcommunity.com/gc/SIEM-Forum/Chronicle-Parser-JSON/m-p/669258
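As an added illustration (not code from this thread, from the linked post, or from SecOps), the script below shows why a line-break delimiter cannot split the format pasted in the question: each object spans several lines, so splitting on newlines yields fragments that are not valid JSON. It parses such a stream with the JSON decoder's own end-of-object positions and re-emits it as newline-delimited JSON, the one-object-per-line shape a line-break delimiter expects. The sample records are constructed.

```python
import json

# Constructed sample: two pretty-printed JSON objects back to back,
# the shape shown in the question (not real SecOps data).
SAMPLE = """{
  "event": "login",
  "user": "alice",
  "result": "success"
}
{
  "event": "login",
  "user": "bob",
  "result": "failure"
}
"""


def split_concatenated_json(text):
    """Split a stream of concatenated JSON objects into dicts.

    raw_decode returns the index where each object ends, so line breaks
    and indentation inside an object are irrelevant to the split.
    """
    decoder = json.JSONDecoder()
    pos, n, records = 0, len(text), []
    while pos < n:
        # raw_decode does not skip leading whitespace, so do it here
        # (this also consumes the newlines between objects).
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            break
        obj, pos = decoder.raw_decode(text, pos)
        records.append(obj)
    return records


def to_ndjson(text):
    """Re-emit the stream as NDJSON: one compact JSON object per line."""
    return "\n".join(json.dumps(r, separators=(",", ":"))
                     for r in split_concatenated_json(text))


def valid_json_lines(text):
    """Emulate a plain line-break delimiter: count lines that parse on their own."""
    ok = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            json.loads(line)
            ok += 1
        except json.JSONDecodeError:
            pass
    return ok
```

Running `valid_json_lines` on the raw sample gives 0 (no single line is a complete object), while running it on `to_ndjson(SAMPLE)` gives 2, so normalizing the sender's output to NDJSON before it reaches the webhook is what makes a newline delimiter usable.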

Thanks @ErikaB, I used the thread you replied with and solved the line break problem. Thanks.