Hello everyone!
I recently started using Fluent Bit to send DNS logs from Windows Server to Google Chronicle Forwarder which then forwards them to Google Chronicle SIEM.
But I have a doubt.
I'm able to send DNS logs in raw JSON format using the following configuration:
[INPUT]
    # Read the Windows "DNS Server" event log channel every 5 seconds
    Name          winlog
    Channels      DNS Server
    Interval_Sec  5

[OUTPUT]
    # Ship every record as newline-delimited JSON over TCP to the Chronicle forwarder
    Name    tcp
    Match   *
    Host    <IP of Chronicle forwarder>
    Port    <PORT of Chronicle forwarder>
    Format  json_lines
However, the logs are sent in raw (JSON) format and are not parsed to UDM (the structured data format of Chronicle).
Should I modify the configuration?
Or is the problem with the SIEM?
Thank you in advance!
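Before assuming the SIEM side is at fault, it helps to confirm what the `tcp` output with `Format json_lines` is actually putting on the wire: one complete JSON object per line, terminated by `\n`, with no partial or malformed lines. The script below is an added example (not from the original post or from Fluent Bit) that stands in for the forwarder on a loopback socket, receives a stream, and reports well-formed records, malformed lines and any trailing partial line. The sample stream and its field names (`Channel`, `EventID`, `Message`) are constructed for illustration and are not taken from the winlog plugin's documented schema; adjust `REQUIRED_KEYS` to whatever your records really contain.

```python
"""Validate newline-delimited JSON (Fluent Bit `Format json_lines`) on a
loopback TCP listener before pointing the output at the real forwarder.
Added example; field names below are constructed, not a documented schema."""
import json
import socket
import threading

# Constructed sample of a json_lines stream: two complete records followed by
# a partial line, as you would see if the sender's buffer was cut mid-record.
SAMPLE_STREAM = (
    b'{"Channel":"DNS Server","EventID":2,"Message":"The DNS server has started."}\n'
    b'{"Channel":"DNS Server","EventID":4,"Message":"The DNS server has finished loading zones."}\n'
    b'{"Channel":"DNS Server","EventID":'  # truncated on purpose
)

# Keys we expect every record to carry (assumption for this example).
REQUIRED_KEYS = ("Channel", "EventID", "Message")


def parse_json_lines(buf: bytes):
    """Split a byte buffer into JSON objects.

    Returns (records, errors, remainder):
      records   - parsed dict objects, one per complete line
      errors    - (raw_line, reason) for lines that are not a JSON object
      remainder - trailing bytes after the last newline (keep for the next recv)
    """
    lines = buf.split(b"\n")
    remainder = lines.pop()  # everything after the final newline is incomplete
    records, errors = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue  # tolerate blank lines
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError as exc:
            errors.append((raw, f"invalid JSON: {exc.msg}"))
            continue
        if not isinstance(obj, dict):
            errors.append((raw, "top-level value is not a JSON object"))
            continue
        records.append(obj)
    return records, errors, remainder


def check_required_keys(records, required=REQUIRED_KEYS):
    """Return [(index, [missing keys])] for records lacking any required key."""
    missing = []
    for i, rec in enumerate(records):
        absent = [k for k in required if k not in rec]
        if absent:
            missing.append((i, absent))
    return missing


def receive_stream(listener: socket.socket, timeout: float = 5.0) -> bytes:
    """Accept one connection and read until the peer closes it."""
    listener.settimeout(timeout)
    conn, _ = listener.accept()
    chunks = []
    with conn:
        conn.settimeout(timeout)
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def loopback_roundtrip(payload: bytes):
    """Send `payload` through a loopback TCP socket and parse what arrives.

    This mimics Fluent Bit's tcp output talking to a forwarder; in real use
    you would run only the listener half and point Fluent Bit's Host/Port at it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    received = {}

    def serve():
        received["raw"] = receive_stream(listener)

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(payload)
    worker.join()
    listener.close()
    return parse_json_lines(received["raw"])


if __name__ == "__main__":
    recs, errs, rest = loopback_roundtrip(SAMPLE_STREAM)
    print(f"{len(recs)} records, {len(errs)} malformed lines, "
          f"{len(rest)} bytes of partial trailing data")
    for idx, keys in check_required_keys(recs):
        print(f"record {idx} is missing {keys}")
```

If every line parses and carries the fields you expect, the transport and framing are fine and the remaining question is whether the SIEM's parser recognises that JSON shape; if you see malformed lines or a large remainder on every batch, the problem is on the sending side.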
Hi,
I am not sure if by DNS logs, you mean WINDOWS_DNS logs. If that is the case, we support JSON format. You can read more details in our doc:
https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers
If they are in JSON format and our parser supports the format, then please open a support case, so we can take a closer look.
Thanks!