Ingesting custom log data to Chronicle SIEM - Not existing Log Source and Log type

Hi Community,

Did anyone try to ingest completely custom log data into Chronicle SIEM?

I mean log data which does not fall under any log sources (JSON, KV, etc.) and does not fall under any log types (Azure AD, Linux Auditing System (AuditD), etc.)?

I can write a parser after ingestion, but it is not too clear how to inject data which cannot be attached to any of the current categories (log sources or log types).

P.S. The log data type was created without consideration of existing log types and sources.

Solved
3 ACCEPTED SOLUTIONS

Hi aivaras,

Please submit a support case for the creation of a new log type. That new log type can be internal to your Chronicle instance. Once the new log type has been set up, you can configure ingestion and then build a custom parser.

Chris


@cmorris Couple of questions: Do you have to open a support request, or is there a way to create a new data label/source on our own? Also, what's the timeline to turn around the new data label?


You will have to open a support case. You can find existing labels and whether or not there is an existing parser for them here - https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers.
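Once support has created the log type, the ingestion request has to name it explicitly, which is the reason a label must exist before any data can be sent. The following is an added example, not code from this thread or from Google: it assembles Chronicle Ingestion API `unstructuredlogentries:batchCreate` request bodies from raw lines, splits them at an assumed per-request byte limit, and posts them with a bearer token. The endpoint host, the OAuth scope, the 1 MB limit, the customer id and the log type `MY_CUSTOM_APP` are all assumptions or placeholders; check them against the current Chronicle documentation and the label support assigns to your tenant.

```python
"""Build and send Chronicle unstructured-log ingestion batches for a custom log type.

Added example (not from the thread). Assumptions, to verify against current docs:
  - endpoint: https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate
  - request body: {"customer_id": ..., "log_type": ..., "entries": [{"log_text": ..., "ts_rfc3339": ...}]}
  - OAuth scope for a service-account token: https://www.googleapis.com/auth/malachite-ingestion
  - roughly 1 MB per request
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Iterable, Tuple

INGESTION_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"  # assumed
INGESTION_SCOPE = "https://www.googleapis.com/auth/malachite-ingestion"  # assumed
MAX_BATCH_BYTES = 1_000_000  # assumed per-request limit; keep well under it

CUSTOMER_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant
LOG_TYPE = "MY_CUSTOM_APP"  # placeholder for the label support creates


def rfc3339(ts: datetime) -> str:
    """Render a timezone-aware datetime as RFC 3339 UTC with millisecond precision."""
    return ts.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_batches(customer_id: str, log_type: str,
                  records: Iterable[Tuple[datetime, str]],
                  max_bytes: int = MAX_BATCH_BYTES) -> list:
    """Group (timestamp, raw line) records into request bodies, each under max_bytes of entries.

    The raw line is passed through untouched as log_text; field extraction is left to
    the custom parser that runs inside Chronicle after the log type exists.
    """
    batches, entries, size = [], [], 0
    for ts, text in records:
        entry = {"log_text": text, "ts_rfc3339": rfc3339(ts)}
        entry_size = len(json.dumps(entry).encode("utf-8"))
        if entry_size > max_bytes:
            raise ValueError("a single log line exceeds the batch limit")
        if entries and size + entry_size > max_bytes:
            batches.append({"customer_id": customer_id, "log_type": log_type, "entries": entries})
            entries, size = [], 0
        entries.append(entry)
        size += entry_size
    if entries:
        batches.append({"customer_id": customer_id, "log_type": log_type, "entries": entries})
    return batches


def send_batch(batch: dict, access_token: str, url: str = INGESTION_URL) -> int:
    """POST one batch with a bearer token (obtain it from a service account with INGESTION_SCOPE).

    Returns the HTTP status; a 400 here usually means the log_type is unknown to the tenant.
    """
    req = urllib.request.Request(
        url,
        data=json.dumps(batch).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {access_token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # network call; not exercised offline
        return resp.status


if __name__ == "__main__":
    # Constructed sample lines in a made-up application format.
    now = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    sample = [
        (now, "evt=login user=alice src=10.0.0.5 result=ok"),
        (now, "evt=login user=bob src=10.0.0.9 result=fail reason=bad_password"),
        (now, "evt=config_change user=alice key=retention value=90d"),
    ]
    for body in build_batches(CUSTOMER_ID, LOG_TYPE, sample):
        print(json.dumps(body, indent=2))
        # send_batch(body, access_token="<token from service account>")  # uncomment with real creds
```

Keeping the raw line in `log_text` is deliberate: the custom parser built after support creates the label is what maps fields into UDM, so the shipper should not pre-normalise and lose the original record.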

