Chronicle Ingestion Script errors

Recently we've been having trouble getting several Chronicle Ingestion scripts working (found here: https://github.com/chronicle/ingestion-scripts) and have been having to build custom workarounds that output to GCS buckets instead; however, this is undesirable.

When trying to debug these ingestion scripts, we have been getting errors that are not detailed or actionable, like the following errors attached. Has anyone in the SecOps community been able to successfully debug errors like this in an ingestion script? We're getting a 400 error with extremely little context. Since we are using the scripts provided to us by Chronicle, we are unsure where the invalid argument is originating from.

Can anyone from the community provide context or assistance?


Chronicle_ingestion_error.png


Are you able to share what the data looks like for a dummy log right before it is submitted?

In the back of my mind I'm thinking this might have something to do with JSON parsing. Could that be an avenue to explore?

So since we were implementing it for a client, we don't have good data to use, but it was a standard JSON format that matches the type Chronicle was looking for.