Ingestion API: Chronicle

Dear All,
Could anyone please give me the script for ingesting UDM events directly into Chronicle via the Ingestion API, and also for sending a local file via the Ingestion API?

Thank you in advance.

Best Regards,
Aravind S


Dear All,
Can anyone help me in rectifying this error?
python3 ingest.py
Traceback (most recent call last):
File "/home/CBN-CLI/ingestion/ingest.py", line 50, in <module>
from common import regions
ImportError: cannot import name 'regions' from 'common' (/home/CBN-CLI/venv/cli/common/__init__.py)

Reference: api-samples-python/forwarders/create_collector.py at master · chronicle/api-samples-python · GitHub

Thanks

The correct script to send data in UDM format is https://github.com/chronicle/api-samples-python/blob/master/ingestion/create_udm_events.py


If you want to send raw logs, then you can use the following:

https://github.com/chronicle/api-samples-python/blob/master/ingestion/create_unstructured_log_entrie...


Note that you need the Ingestion API key to send data to Chronicle.

Former Community Member

Hi @Rene_Figueroa,
Thank you for the reply.
I tried running the script with the credential file in ~/.chronicle_credentials.json and ran the command below, but I'm not getting any result or error. Please see the screenshots below.

[Two screenshots attached: AravindSree_0-1718084241764.png, AravindSree_1-1718084330911.png]

Thank you,

Normally, if you do not get any errors, that means a successful request. Our UDM endpoint does not ask for a log type though. See our reference:

https://cloud.google.com/chronicle/docs/reference/ingestion-api#udmevents

Did you happen to use the endpoint to send raw log data by any chance?

I normally call the UDM script in our sample code in the following manner:


~/api-samples-python$ python3 -m ingestion.create_udm_events --customer_id mycustomerid  --json_events_file ingestion/example_input/sample_udm_events.json 


Former Community Member

Hi @Rene_Figueroa,
I tried both ways but got the same result; it's not giving any error or result.
Is it because the service account (JSON file) doesn't have enough permission?
Thanks,
Aravind

Note that the data inside SIEM will be tagged as UDM if you send data using our UDM API endpoint.

Hi @Rene_Figueroa,
Thank you for the reply.
Right, but I can't see the logs that are being ingested.
Thanks,
Aravind

Correct. You can search for metadata.vendor_name or some other identifier in UDM search to find what logs were ingested.
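As an added example (not code from this thread or from the chronicle/api-samples-python repository), here is a minimal Python sender that does what the manual create_udm_events invocation above does and also stamps each event with the metadata.vendor_name the accepted answer suggests searching on, so a silent success can be confirmed in UDM search afterwards. The endpoint URL, OAuth scope, credential-file path and the assumption that the input file is a JSON array of UDM events are taken from the official samples and should be confirmed against the linked Ingestion API reference.

```python
"""Added example, not code from the thread or from chronicle/api-samples-python:
tag UDM events with metadata.vendor_name/product_name, batch them for the
udmevents:batchCreate endpoint and POST them with a service-account file."""
import json
import os
import sys

# Endpoint and OAuth scope as used by the official sample scripts; treat them as
# assumptions and confirm against the Ingestion API reference for your region.
INGESTION_URL = "https://malachiteingestion-pa.googleapis.com/v2/udmevents:batchCreate"
SCOPES = ["https://www.googleapis.com/auth/malachite-ingestion"]
REQUIRED_META = ("event_type", "event_timestamp")  # minimum a UDM event needs

def tag_events(events, vendor_name, product_name):
    """Reject events missing required metadata; add a searchable vendor tag."""
    for i, event in enumerate(events):
        meta = event.setdefault("metadata", {})
        missing = [f for f in REQUIRED_META if f not in meta]
        if missing:
            raise ValueError(f"event {i} is missing metadata fields {missing}")
        meta.setdefault("vendor_name", vendor_name)    # what the accepted answer
        meta.setdefault("product_name", product_name)  # suggests searching on
    return events

def build_batches(customer_id, events, size=500):
    """Yield request bodies for udmevents:batchCreate, one per chunk of events."""
    for start in range(0, len(events), size):
        yield {"customer_id": customer_id, "events": events[start:start + size]}

def send_batches(batches, credentials_path):
    """POST each batch. A 200 with an empty body is the API's success reply."""
    from google.oauth2 import service_account            # pip install google-auth
    from google.auth.transport.requests import AuthorizedSession
    creds = service_account.Credentials.from_service_account_file(
        os.path.expanduser(credentials_path), scopes=SCOPES)
    session = AuthorizedSession(creds)
    for body in batches:
        resp = session.post(INGESTION_URL, json=body)
        resp.raise_for_status()  # surfaces 401/403 (bad key or missing role) loudly
        print(f"sent {len(body['events'])} events, HTTP {resp.status_code}")

if __name__ == "__main__":
    # usage: python3 send_udm.py CUSTOMER_ID events.json [~/.chronicle_credentials.json]
    # events.json is assumed to hold a JSON array of UDM event objects.
    with open(sys.argv[2]) as fh:
        tagged = tag_events(json.load(fh), "ExampleVendor", "ExampleProduct")
    creds = sys.argv[3] if len(sys.argv) > 3 else "~/.chronicle_credentials.json"
    send_batches(build_batches(sys.argv[1], tagged), creds)
```

After a run that prints HTTP 200 with no other output, a UDM search on metadata.vendor_name = "ExampleVendor" should return the events once indexing completes.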