How to simply inject syslog without any parser?

Hi there!
Is there a way to simply inject syslog without any parser (because there is none available for the product itself yet) to get the raw log into the SIEM and to look into the format itself to create a parser later maybe?


I played with the MACOS log type for this. Maybe that's a good place to start. It pretty much just does the grok matching on syslog-formatted data.

What logs are you trying to pull through though? If you just grep syslog on this page you might find something closer to your logs to use as a base:
https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers

Hi ion,

OK, so basically it doesn't matter what data_type I choose.

I want to inject custom logs, for example. I thought there was a way without explicit data_types, so that I only have a collector which is waiting on a TCP port for syslog messages and imports/redirects them into Chronicle as raw logs.

Will look into your link and try it tomorrow, I guess.

Thank you for the input! :)
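As an added example (not code from the thread, Chronicle or any collector product), here is a minimal stand-in for the collector described above: a TCP listener that keeps every syslog message byte-for-byte as a raw record, while extracting only the PRI header (facility/severity) and noting whether the line looks like RFC 5424 or legacy RFC 3164, which is enough to sort out which formats actually need a parser later. The port number, the `split_frames`/`describe` helper names and the sample messages are assumptions constructed for the example; the two TCP framings handled (newline-delimited and octet-counted) are the ones defined in RFC 6587.

```python
"""Raw syslog-over-TCP capture for format inspection (added example, not from the thread).

Assumptions (not from the original post): messages arrive either newline-delimited
or with an octet-count prefix ("55 <165>1 ..."), both per RFC 6587. The raw bytes of
each message are kept unchanged, as an unparsed SIEM ingest would keep them; only the
PRI header is decoded because it is the one field every syslog flavour shares.
"""
import re
import socketserver
from typing import List, Tuple

SYSLOG_PORT = 5514  # assumption: unprivileged local port for testing, not a product default

PRI_RE = re.compile(rb"^<(\d{1,3})>")
# RFC 5424 header is "<PRI>VERSION SP TIMESTAMP ..."; RFC 3164 has no version digit.
RFC5424_RE = re.compile(rb"^<\d{1,3}>\d{1,2} ")
OCTET_COUNT_RE = re.compile(rb"^(\d+) ")


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete syslog messages.

    Returns (complete_messages, leftover_bytes). A leading "<len> SP" is treated as
    octet-counted framing (a syslog message itself starts with '<', so a leading digit
    run followed by a space is the count, not message text); otherwise split on LF.
    Incomplete trailing data is returned as leftover so the caller can wait for more.
    """
    frames: List[bytes] = []
    while buf:
        m = OCTET_COUNT_RE.match(buf)
        if m:
            length = int(m.group(1))
            start = m.end()
            if len(buf) - start < length:
                break  # incomplete octet-counted frame
            frames.append(buf[start:start + length])
            buf = buf[start + length:]
            continue
        nl = buf.find(b"\n")
        if nl == -1:
            break  # incomplete newline-delimited frame
        frames.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return frames, buf


def describe(raw: bytes) -> dict:
    """Keep the raw message and derive facility, severity and a rough format label."""
    info = {"raw": raw, "facility": None, "severity": None, "format": "unknown"}
    m = PRI_RE.match(raw)
    if m:
        pri = int(m.group(1))
        if pri <= 191:  # PRI = facility * 8 + severity; 191 is the largest valid value
            info["facility"], info["severity"] = divmod(pri, 8)
            info["format"] = "rfc5424" if RFC5424_RE.match(raw) else "rfc3164"
    return info


class RawSyslogHandler(socketserver.StreamRequestHandler):
    """Accumulates bytes per connection and appends each complete message to server.sink."""

    def handle(self) -> None:
        buf = b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            buf += chunk
            frames, buf = split_frames(buf)
            for raw in frames:
                self.server.sink.append(describe(raw))


class RawSyslogServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr: Tuple[str, int], sink: list) -> None:
        super().__init__(addr, RawSyslogHandler)
        self.sink = sink  # list of dicts from describe(); swap for a file/queue in practice


# Constructed sample traffic: one RFC 5424 line, one BSD-style line, one octet-counted frame.
SAMPLE_STREAM = (
    b"<34>1 2023-10-11T22:14:15.003Z host1 app 1234 ID47 - su root failed\n"
    b"<13>Oct 11 22:14:15 host2 myproc[42]: legacy BSD style line\r\n"
)
SAMPLE_OCTET = b"55 <165>1 2023-10-11T22:14:15Z host3 vendorapp - - - hello"


def capture_sample() -> List[dict]:
    """Run the framing and PRI decoding over the constructed samples (no network needed)."""
    results: List[dict] = []
    for stream in (SAMPLE_STREAM, SAMPLE_OCTET):
        frames, leftover = split_frames(stream)
        if leftover:
            raise ValueError("constructed samples are expected to be complete frames")
        results.extend(describe(f) for f in frames)
    return results


if __name__ == "__main__":
    for r in capture_sample():
        print(r["format"], r["facility"], r["severity"], r["raw"])
    print(f"listening on tcp/{SYSLOG_PORT}; point a test forwarder here to capture raw lines")
    RawSyslogServer(("127.0.0.1", SYSLOG_PORT), []).serve_forever()
```

Running the script prints the classification of the three sample messages and then listens on 127.0.0.1:5514; whatever you forward there lands in the sink untouched, so the raw lines can be reviewed to decide which existing grok-based log type is the closest base for a parser.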

Chronicle had a catch all data type at one point

You can also request Chronicle to create a new data type

The data type does matter because that is how Chronicle determines which parser to apply.

As for ingesting the logs without a parser, yes. The logs will show in Chronicle as unparsed raw logs.