I have a situation where I need to advise some clients and users that the default `Unix System` parser will parse N event types from the Unix System log source.
This leads me down a path of investigating from the documentation on what that actually will parse.
So from there, I travel over to the documentation page for default parsers, which should give me some information.
https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers#with-default....
Once here, I look for the unix system parser/log_type
I see that the vendor/product is `
Unix System` and the category =
OS and then i see the label and that the format accepted is
syslog or
json.
Great!
So I now know what types of files can be ingested.
I still need to know what types of events this will parse as I have questions regarding Cron, SSHD, auth/security(depending on OS flavor), sudo, messages, syslog, among others.
So I investigate a bit more via this documentation hoping it might clue me in on what to expect the collector to collect and ship with regards to event types and configuring filters for the forwarder/collectors.
I even read here in hopes that it will tell me something of "these events etc" with regards to what chronicle is exptecting to ingest and can parse:
Now, in a perfect world, something such as "Unix OS logs" would have a detailed list of what events one would expect that parser to cover. These pages, I fear, do not exist.
Most vague categories or vendor/products with default parsers would also, naturally, lead to the question of "if I ingest my data from that source, what events are going to be parsed for me to use in rules?"
So, with all this said, I believe the only viable option to determine what events a parser would parse would be to reverse engineer it from the actual parser itself. Hopefully, I am wrong, and details on this exists somewhere as this would be a common curiosity from a seasoned Security practitioner.
That said:
Is there a place that provides details on what events will be parsed with particular parsers? How do we know if a parser can parse all events one would assume from a vendor and category such as Windows Events or Unix System?
With regards to Linux itself, I did some digging and found 3 possible parsers, or at least 3 log types that will parse, but I then asked "what events does this parse?"
- AuditD in the syslog format can be parsed. What events can it parse and are expected to be parsed for a users knowledge?
- Linux Sysmon, noted as DNS via the Chronicle docs, can be ingested and parsed but only in XML format. What events can it parse and are expected to be parsed for a users knowledge?
- Unix System Logs can be parsed, which are the OS only logs, in the format of SYSLOG and/or JSON. What events can it parse and are expected to be parsed for a users knowledge?
The documentation is a bit encapsulating with it stating things like "system logs". I'm trying to figure out what goes where to advise users and clients on how to configure a forwarder setup to ensure it picks up the typical security telemetry you'd expect from a Linux server.
I don't see stuff for like "cron" or "sudo" etc. I also don't know if you can just simply configure those to just go to syslog instead and then it gets parsed. Does Chronicle expect those types of things (SSH, Sudo, cron, logins, etc) to be in auditd or syslog? What are the limitations of the event types that a parser will parse out of the box?
TLDR - When you have a vague parser type, how do you understand what events the parser will parse from that log source? Ex: Windows Events, Linux OS logs
Ultimately, if there's a short list of "these are the events that we can parse from linux and here is the log_type associated with a default parser" that would be outstanding. This question is extended for all vague parsers such as anything which is an OS Related Log which can potentially include 10s to 1000s of different event types.
LinkedIn
Twitter
