I have a situation where I need to advise some clients and users that the default `Unix System` parser will parse N event types from the Unix System log source.
This leads me down a path of investigating from the documentation on what that actually will parse.
So from there, I travel over to the documentation page for default parsers, which should give me some information.
With regards to Linux itself, I did some digging and found 3 possible parsers, or at least 3 log types that will parse, but I then asked "what events does this parse?"
The documentation is a bit encapsulating with it stating things like "system logs". I'm trying to figure out what goes where to advise users and clients on how to configure a forwarder setup to ensure it picks up the typical security telemetry you'd expect from a Linux server.
I don't see stuff for like "cron" or "sudo" etc. I also don't know if you can just simply configure those to just go to syslog instead and then it gets parsed. Does Chronicle expect those types of things (SSH, Sudo, cron, logins, etc) to be in auditd or syslog? What are the limitations of the event types that a parser will parse out of the box?
TLDR - When you have a vague parser type, how do you understand what events the parser will parse from that log source? Ex: Windows Events, Linux OS logs
Ultimately, if there's a short list of "these are the events that we can parse from linux and here is the log_type associated with a default parser" that would be outstanding. This question is extended for all vague parsers such as anything which is an OS Related Log which can potentially include 10s to 1000s of different event types.
Solved! Go to Solution.
We are updating the documentation and parser for NIX_SYSTEM this quarter. The documentation will include all of the field mappings and event types that the parser supports. These are the logs that it supports:
We are updating the documentation and parser for NIX_SYSTEM this quarter. The documentation will include all of the field mappings and event types that the parser supports. These are the logs that it supports:
Excellent info!
Follow-up:
Do you have an ETA on when the Ops Agent will be viable for ingesting these logs? I was told that currently, only Windows Security Events will be parsed via the Ops Agent with other improvements in time. Any info you can release publicly on this?
You should be able to use the Ops Agent in GCE to collect these logs: https://cloud.google.com/stackdriver/docs/solutions/agents/ops-agent/configuration#logging-receivers
The direct ingestion method that streams logs from Cloud Logging to Chronicle can be configured to send these 3 log filters to Chronicle and they'll be automatically parsed as NIX_SYSTEM:
You may need to configure the Ops Agent to ensure you're using one or more of those logName values.
I was advised by a Chronicle Engineer that the ops agent shouldn't be used for Linux as it was not supported by the parser.
I know it can ship it but there were some issues happening.
We were advised to use the forwarder/collector instead.
This was only a few weeks ago unless this changed.
Hi @Mustache,
Here we are using ops agent to send logs to cloud logging and using direct ingestion with export filters for NIX_SYSTEM without any problem.