How do we query the list of unparsed logs from the SIEM?
Do you mean logs that failed parsing?
You can do that with cbn_cli, e.g.
cbn_cli.py --region EUROPE error -l WORKSPACE_ACTIVITY -sd 2023-08-01T00:00:00Z -ed 2023-08-16T07:50:00Z
I use the dashboard to see which log sources have failed logs. I don't know if there's an API call that allows you to see which log sources have recent fails.
Yes @Ion_Todd I ingested the unsupported logs via the Windows parser. I was able to view it in the SIEM. Since I know the log, I queried it using the values from the raw log.
Event Type is getting tagged as Unparsed Log but I'm trying to find the UDM field to filter these logs.
Unfortunately, I don't have access to the CBN_CLI
Okay, so I'm assuming you're looking at raw log search here?
Try to search for the following in UDM:
metadata.log_type="WINEVTLOG"
If this returns nothing then all of your logs aren't parsing correctly.
Note: "WINDOWS" needs to map to the log label you're using.
If you can safely redact a sample raw log enough to send it to me, I can run it against the default Windows Event parser and tell you what the issue is.
You're going to run into issues if you can't use cbn_cli though; if it's possible to gain access I would recommend it.
What you said is correct.
I will DM you