Hi Community,
Did anyone try to ingest completely custom log data into Chronicle SIEM?
I mean log data which does not fall under any log sources (JSON, KV, etc.) and does not fall under any log types (Azure AD, Linux Auditing System (AuditD), etc.)?
I can write a parser after ingestion, but it is not too clear how to inject data which cannot be attached to any of current categories (log sources or log types).
P.S. The log data type was created without consideration of existing log types and sources.
Hi aivaras,
Please submit a support case for the creation of a new log type. That new log type can be internal to your Chronicle instance. Once the new log type has been set up, you can configure ingestion and then build a custom parser.
Chris
@cmorris Couple of questions: Do you have to open a support request, or is there a way to create a new data label/source on our own? Also, what's the timeline to turn around the new data label?
You will have to open a support case. You can find existing labels and whether or not there is an existing parser for them here - https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers.
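As an added illustration (not code from this thread or from Google), once support has created the custom log type, raw lines can be pushed to it with the Chronicle Ingestion API's unstructuredlogentries:batchCreate endpoint and parsed afterwards by the custom parser; the log type label, customer id, sample lines and the per-request size limit below are assumed placeholders.

```python
import json
import urllib.request

# Chronicle Ingestion API endpoint for raw, not-yet-parsed log lines.
INGESTION_URL = "https://malachiteingestion-pa.googleapis.com/v2/unstructuredlogentries:batchCreate"

# Constructed sample: three lines in a home-grown format that matches no stock log type.
SAMPLE_LINES = [
    "2024-05-01T10:00:00Z|door-ctrl-7|BADGE|ok|emp=4412",
    "2024-05-01T10:00:03Z|door-ctrl-7|BADGE|denied|emp=9901",
    "2024-05-01T10:00:09Z|door-ctrl-7|TAMPER|alarm|",
]

def build_batches(lines, customer_id, log_type, max_bytes=1_000_000):
    """Group raw lines into batchCreate request bodies, each kept under max_bytes of JSON.

    log_type must be the label support assigned to your custom log type (placeholder here);
    max_bytes approximates the per-request limit (assumed value, check the current docs)."""
    batches, current = [], []

    def payload(entries):
        return {"customer_id": customer_id, "log_type": log_type, "entries": entries}

    for line in lines:
        entry = {"log_text": line}
        candidate = payload(current + [entry])
        # Start a new batch when adding this line would push the body over the limit.
        if current and len(json.dumps(candidate).encode()) > max_bytes:
            batches.append(payload(current))
            current = []
        current.append(entry)
    if current:
        batches.append(payload(current))
    return batches

def post_batch(payload, access_token):
    """POST one batch with an OAuth2 bearer token for the ingestion scope; returns HTTP status."""
    req = urllib.request.Request(
        INGESTION_URL,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {access_token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```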