
Question on cbn-tool/chronicle_cli output format

  • March 1, 2024
  • 6 replies
  • 48 views

rav1and3

Why are we getting the output in the below format when we validate a sample log against a parser using cbn-tool/chronicle_cli?

Is there any other purpose behind this output format? It would be easier if the output were in the format below:

metadata.event_timestamp.seconds = 1709320262
metadata.event_timestamp.nanos = 997191328
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Vendor Name"
metadata.product_name = "Product Name"


dnehoda
Staff
  • March 1, 2024

Hello - can you share the actual log you are using?


rav1and3
  • Author
  • Bronze 3
  • March 2, 2024

It is not about the specific log or log type. cbn-tool/chronicle_cli output is the same for all log types. I am talking about the format of the output. Why can't the output be in JSON format or UDM field = value?
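As an added example, not code from this thread or from the Chronicle tooling: a small Python converter that takes `field = value` lines in the dotted UDM form shown in the question and produces the nested JSON that the question also asks for. It assumes one field per line, double-quoted string values, numeric and boolean literals unquoted, and that the same path appearing twice is a repeated UDM field and should become a list; none of those conventions is stated on this page, so treat them as assumptions.

```python
"""Convert 'dotted.udm.path = value' lines into nested JSON (added example, not Chronicle's own output)."""
import json
import re
from typing import Any

# Constructed sample input, mirroring the format shown in the question above.
SAMPLE = """\
metadata.event_timestamp.seconds = 1709320262
metadata.event_timestamp.nanos = 997191328
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Vendor Name"
metadata.product_name = "Product Name"
"""

# One field per line: dotted path, '=', value; surrounding whitespace is ignored.
LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$')


def parse_value(raw: str) -> Any:
    """Type a raw value: double-quoted text -> str, true/false -> bool, numbers -> int/float,
    anything else stays a string. (Assumed conventions, not documented on the page.)"""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    try:
        return int(raw)
    except ValueError:
        pass
    try:
        return float(raw)
    except ValueError:
        return raw


def insert(tree: dict, path: list, value: Any) -> None:
    """Place value at path inside tree, creating intermediate objects as needed.
    A key seen twice at the same path is treated as a repeated field and becomes a list."""
    node = tree
    for key in path[:-1]:
        node = node.setdefault(key, {})
        if not isinstance(node, dict):
            raise ValueError(f"{'.'.join(path)}: {key!r} is both a scalar and a parent")
    leaf = path[-1]
    if leaf in node:
        existing = node[leaf]
        if isinstance(existing, list):
            existing.append(value)
        else:
            node[leaf] = [existing, value]
    else:
        node[leaf] = value


def lines_to_udm(text: str) -> dict:
    """Parse the whole text block into a nested dict; blank lines are skipped,
    anything that is not 'field = value' raises with its line number."""
    tree: dict = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not 'field = value': {line!r}")
        insert(tree, match.group(1).split("."), parse_value(match.group(2)))
    return tree


def to_json(text: str) -> str:
    """Render the nested structure as pretty-printed JSON with sorted keys."""
    return json.dumps(lines_to_udm(text), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(SAMPLE))
```

Running the module prints the sample as a `metadata` object with a nested `event_timestamp` object; the numeric fields come out as JSON numbers and the quoted ones as JSON strings, which is what a downstream consumer of parser test output would normally want.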



Is there any tool to generate a parser


  • June 6, 2024

Hi,
When you write the parser in CBN-CLI, you get the output in the mentioned format.

Write the parser in the Chronicle GUI and you will get the UDM in the proper format.


  • Bronze 2
  • September 19, 2024

@rav1and3 Did you find a solution to this?

As Manoj pointed out, the UI makes use of an API call that formats this information correctly. This is only available on BYOP, as runParser relies on v1alpha. If this is available to you, you can perform the call on the CLI as follows:


chronicle_cli parsers run_parser --env prod --v2 {PROJECT ID-from-GCP} {Customer-ID-from-UI} GCP_CLOUDAUDIT GCP_CLOUDAUDIT.conf gcp_cloudaudit_1.log


If BYOP isn't available to you, I'm happy to share some really bad parsing of the original syntax to JSON.

It doesn't make sense to me that all clients who want to use this data have to individually write a parser. Is this what others are doing?


matthewnichols
Community Manager
  • September 30, 2024

Thank you @ion_ &  for your suggestions. @rav1and3 Did the options they suggested help you solve what you were looking for?