Hi. I've got an RFC 5424 Syslog message I am attempting to ingest into Google Chronicle using the REST ingestion API. The vendor is Mako Networks. I do not see a parser for this particular vendor listed here (https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers).
Is there a vendor-neutral Syslog parser for Chronicle? Do I need to convert this to UDM? Any guidance would be greatly appreciated.
Hello @kbprogrammer,
The link you provided is for supported default parsers. Not all available log types have a parser, so it is possible to ingest a log even if there is no parser; the data will be unparsed though.
For your case, if there is no "Mako Networks" log type under the supported data sets, requesting a new log type for it will be the first step:
https://cloud.google.com/chronicle/docs/supported-datasets
Please open a new support case and ask for a new log label for "Mako Networks" and provide the public documentation for this log source. Once the label is created, the next step will be for you to start sending logs and once we have the logs, you can request a parser for "Mako Networks".
Hi! I did some research and the Mako Networks logs conform to the Netfilter spec (https://www.netfilter.org/) and luckily, there is a NETFILTER_IP parser already written. I had to do some debugging and formatting of the original syslog message coming from the Mako devices before sending it to Chronicle, as the Grok parser would otherwise fail to parse it.
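As an added illustration of the pre-processing step described in this answer (this is example code written for this thread, not the poster's script and not anything from Google or Mako Networks): the snippet below parses the RFC 5424 header, checks that the message body really is netfilter-style `KEY=value` text before the line is sent under the `NETFILTER_IP` label, and builds a batch payload for the Chronicle unstructured-log ingestion endpoint. The sample line is constructed, not a captured Mako message; the payload field names (`customer_id`, `log_type`, `entries[].log_text`) are what I recall from the v1 `unstructuredlogentries:batchCreate` API and should be checked against the current documentation; `PLACEHOLDER-CUSTOMER-ID` is a placeholder. Sending only the body (without the syslog header) is one plausible normalisation, not a statement of what the poster's fix was.

```python
import re

# Constructed sample (NOT a real Mako message): an RFC 5424 header followed by a
# netfilter-style body. All addresses are documentation ranges.
SAMPLE = ('<134>1 2023-08-01T12:00:00.000Z fw01 kernel - - - '
          'IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 '
          'SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 '
          'ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0')

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+'
    r'(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+'
    r'(?P<sd>-|(?:\[[^\]]*\])+)(?:\s+(?P<msg>.*))?$')

# Netfilter body tokens are either KEY=value (value may be empty, e.g. "OUT=")
# or bare flags such as DF / SYN / ACK.
NF_KV_RE = re.compile(r'(?P<k>[A-Z]+)=(?P<v>\S*)')
NF_FLAG_RE = re.compile(r'^[A-Z]{2,4}$')


def parse_rfc5424(line):
    """Split an RFC 5424 line into its header fields and free-text MSG part."""
    m = RFC5424_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('not an RFC 5424 syslog line')
    d = m.groupdict()
    pri = int(d['pri'])
    d['facility'] = pri // 8   # PRI = facility * 8 + severity
    d['severity'] = pri % 8
    d['msg'] = d['msg'] or ''
    return d


def parse_netfilter_body(msg):
    """Return (fields, flags) from a netfilter-style KEY=value body."""
    fields, flags = {}, []
    for tok in msg.split():
        kv = NF_KV_RE.fullmatch(tok)
        if kv:
            fields[kv['k']] = kv['v']
        elif NF_FLAG_RE.match(tok):
            flags.append(tok)
    return fields, flags


def is_netfilter_body(fields):
    """Minimum set of keys a NETFILTER_IP parser would expect to find."""
    return {'SRC', 'DST', 'PROTO'} <= fields.keys()


def build_batch_payload(customer_id, raw_lines, log_type='NETFILTER_IP'):
    """Build the JSON body for the unstructured-log batch endpoint.

    Each raw line is validated first; lines whose body is not netfilter-shaped
    raise, so they are not silently ingested as unparsed text.
    Field names are an assumption (see lead-in) and must be checked against the
    current Chronicle ingestion API docs.
    """
    entries = []
    for raw in raw_lines:
        hdr = parse_rfc5424(raw)
        fields, _flags = parse_netfilter_body(hdr['msg'])
        if not is_netfilter_body(fields):
            raise ValueError('body is not netfilter KEY=value text: %r' % hdr['msg'])
        # Send the body only; the parser keys off the KEY=value pairs.
        entries.append({'log_text': hdr['msg']})
    return {'customer_id': customer_id, 'log_type': log_type, 'entries': entries}


if __name__ == '__main__':
    import json
    print(json.dumps(build_batch_payload('PLACEHOLDER-CUSTOMER-ID', [SAMPLE]), indent=2))
```

Running the file prints the payload for the constructed sample; in practice you would POST that JSON with your API credentials and keep the raise-on-mismatch behaviour so that a firmware change to the vendor's log format shows up as an ingestion error rather than as silently unparsed events.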