
Forcepoint WebProxy logs go into the S3 bucket (format: export_timestamp.csv.gz), from where Google Chronicle pulls them in; within Chronicle > Settings > Feeds we have given the path to the S3 bucket.

I am able to see the raw logs within SIEM but it isn't getting parsed.

  1. I click on the Raw log > Manage Parser > Create New Custom Parser > Start with Existing Prebuilt Parser > I am using the Forcepoint Web Proxy Parser. Error: generic::unknown: invalid event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "generic::invalid_argument: *events_go_proto.Event_Webproxy: invalid target device: device is empty"

  2. The raw log doesn't have quotes. When I directly give a single row input after manually downloading the S3 log file which consists of double quotes, the issue gets fixed.

  3. When I view the raw log as CSV in the parser I get additional columns; the reason is that one user can be part of multiple groups. This is the main reason for the error! The column count should remain the same.

Example:
Category: metadata.event_timestamp, metadata.event_type, principal.url, metadata.event_group, action
Values1 : today_date_time, abcdef, web_url, group1, group2, group3, Allowed
Values2 : "today_date_time", "abcdef", "web_url", "group1, group2, group3", "Allowed"

Values 2 works but not Values 1 because of the additional groups.

Question: How do I ensure that the Raw log within Chronicle still holds the "" without removing it? 🙂 The main issue here is group1, group2 and group3 should all come under metadata.event_group key.

Happy Monday,

My first thought on this one is to not use CSV format. CSV can be a challenge with multi-valued fields. If it is possible to export the logs in CEF format to S3, it will be a much cleaner process.

Also, please take a peek at https://cloud.google.com/chronicle/docs/ingestion/default-parsers/forcepoint-proxy to see how the fields in CEF format will be mapped to UDM.


Hi @TomAtGoogle,

While I am checking with Forcepoint on whether it's possible to export the logs in CEF format, are there any other options that I can explore?


Happy Tuesday,

I guess I should qualify this first by saying, none of the options below this line are elegant, quick or cheap.

Option 1 - Custom code that pre-processes the CSV to put backslashes in front of the double quotes to delimit them. The double quotes should stay intact. This could be done with Python in a Lambda, or SED, Python, etc. in a container.

Option 2 - Instead of sending directly to Chronicle in the feed, pass it through Bindplane, Cribl or a similar log processing application. The Bindplane license is included with some Chronicle subscriptions, but it would have to run somewhere with access to the S3 bucket.

Option 3 - This one requires some explanation. CSV originally stood for Comma Separated Values. However, in modern practice, nearly any character can be used as the delimiter. If Forcepoint allows using a pipe ('|') as a delimiter, Chronicle should process that successfully since the column breaks are not commas.

Option 4 - Custom Python code that uses the Pandas library to convert the CSV to JSON before being sent to Chronicle. This could again be done in a Lambda or a container.

Option 5 - Open a support ticket and see if they have any other suggestions.

I truly hope just exporting as CEF is the chosen option. If not, let me know how these other options work out.
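A worked example of the column-count problem from the question (an unquoted multi-valued group field spilling into extra columns) and of options 1 and 4 above, added here as an illustration; it is not code from this thread, from Forcepoint or from Chronicle. It assumes the group column is the only one that can spill across extra columns, so surplus columns are folded back into it; the header names and sample rows are constructed to mirror the question's example, and the CSV-to-JSON step uses Python's standard library rather than pandas:

```python
"""Normalise a Forcepoint-style CSV export with a multi-valued group field,
then emit either backslash-escaped, fully quoted CSV (option 1) or JSON
lines (option 4). Added example; header and rows below are constructed."""
import csv
import io
import json

# Constructed header: five logical columns, matching the question's example.
HEADER = ["event_timestamp", "event_type", "url", "event_group", "action"]
GROUP_COL = HEADER.index("event_group")  # the only column that may hold a list

# Constructed sample export: row 1 is unquoted, so its groups spill into
# extra columns; row 2 is correctly quoted and keeps five columns.
SAMPLE_CSV = (
    "2024-01-01T10:00:00Z,abcdef,http://example.invalid/,group1, group2, group3,Allowed\n"
    '"2024-01-01T10:00:01Z","abcdef","http://example.invalid/","group1, group2, group3","Allowed"\n'
)


def normalise_row(fields, header=HEADER, group_col=GROUP_COL):
    """Return a dict with exactly len(header) keys; the group column is a list.

    Assumption (not documented by Forcepoint): only the group column is ever
    left unquoted with commas inside, so every surplus column belongs to it.
    The columns before and after it are fixed-width, so the group values are
    the slice between those two fixed blocks.
    """
    if len(fields) < len(header):
        raise ValueError(f"row has {len(fields)} columns, expected at least {len(header)}")
    n_fixed_after = len(header) - group_col - 1
    before = fields[:group_col]
    after = fields[len(fields) - n_fixed_after:]
    group_fields = fields[group_col:len(fields) - n_fixed_after]
    # A quoted row arrives as one field "group1, group2, group3"; split it too.
    groups = [g.strip() for f in group_fields for g in f.split(",") if g.strip()]
    row = dict(zip(header, before + [None] + after))
    row[header[group_col]] = groups
    return row


def parse_export(text):
    """Parse a whole export; the csv module handles quoted fields correctly."""
    return [normalise_row(f) for f in csv.reader(io.StringIO(text)) if f]


def to_escaped_csv(rows, header=HEADER):
    """Option 1: every field double-quoted, embedded quotes escaped with a
    backslash, so the group list stays inside a single column."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, escapechar="\\",
                        doublequote=False, lineterminator="\n")
    writer.writerow(header)
    for r in rows:
        writer.writerow([", ".join(r[h]) if h == header[GROUP_COL] else r[h]
                         for h in header])
    return out.getvalue()


def to_json_lines(rows):
    """Option 4: one JSON object per event; the group field becomes an array."""
    return "\n".join(json.dumps(r, separators=(",", ":")) for r in rows) + "\n"


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_CSV)
    print(to_escaped_csv(parsed))
    print(to_json_lines(parsed))
```

Both sample rows normalise to the same five keys with `event_group` as a three-element list, which is the "column count should remain the same" property the question asks for; a row with fewer columns than the header is rejected rather than silently shifted.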


That's impressive, thanks [removed by moderator]. Will let you know how this goes 🙂

The lambda function options seem interesting! Will have a gander.


@shashank_bindulbavi Is this issue resolved for you?

@TomAtGoogle I'm using the Bindplane agent to read CSV files but events are getting unparsed even though I can see double quotes on the raw event.

We have Forcepoint on cloud and support has provided a Perl script to download logs in CSV files and they don’t have an option for CEF.

Any suggestion for me?


Happy Wednesday,

Inside the Perl script, add a line to add a backslash (\) before the double quotes. That is the delimiter I mentioned above.

