How do I retrieve the data from the "_raw" field for the Chronicle destination?
Hello, currently testing the process of sending logs to the Chronicle destination.
How do I retrieve the data from the "_raw" field?
I came across a blog post that seemed to be relevant to my use case, where it mentioned using the log text field as "_raw."
https://cribl.io/blog/google-chronicle-ingestion/
However, despite following the instructions, I have not been successful in getting it to work.
Appreciate any help.
Answers
-
Hey Lou, Chronicle parsers are very particular. There is a test event in that blog post for PAN Firewall; any chance you were able to get that to parse in Chronicle?
0 -
I just tried your sample and the sample from the blog in the parser validator, and it looks like the sample in the blog parses but yours doesn't... I think yours may have missing fields, misaligned fields, etc., that don't align with the PAN_FIREWALL parser from Chronicle.
0 -
I found this page helpful for understanding what Chronicle is expecting:
https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers
0 -
Looking at the screenshots, you may have _raw, source, host, etc. fields inside the _raw field.
0 -
The _raw payload looks okay and the default Chronicle parser should parse it. Since you are using sample data, you may need to modify the timestamps from 2020 to current time in GMT. This is what it looks like in Chronicle:
0 -
OK, noted.
Tried using the same sample log from the blog. Doesn't work for it either. Did a manual change to the sample log to match the timing, but it doesn't sync.
How do I tweak the timestamp?
0
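As an added example (not from this thread, the blog post, or Cribl), here is the timestamp adjustment the reply above suggests: JavaScript that rewrites every PAN-OS style "YYYY/MM/DD HH:MM:SS" field inside _raw to the current UTC time, so a 2020 sample can be replayed against the Chronicle parser. The sample line, its abbreviated field layout, and the Cribl Code function usage (`__e` as the event object) are assumptions.

```javascript
// Added example (not from the thread or Cribl): rewrite PAN-OS style
// "YYYY/MM/DD HH:MM:SS" timestamps inside a _raw string to the current UTC time.
// Assumption: the PAN_FIREWALL parser reads the receive/generated time fields
// in that format; the sample line below is constructed and abbreviated.

const PAN_TS = /\b\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2}\b/g;

function pad2(n) { return String(n).padStart(2, "0"); }

// Format a Date as PAN-OS "YYYY/MM/DD HH:MM:SS" in UTC (the reply asks for GMT).
function formatPanUtc(d) {
  return `${d.getUTCFullYear()}/${pad2(d.getUTCMonth() + 1)}/${pad2(d.getUTCDate())} ` +
         `${pad2(d.getUTCHours())}:${pad2(d.getUTCMinutes())}:${pad2(d.getUTCSeconds())}`;
}

// Replace every PAN-OS timestamp in the raw line with `now` (defaults to current time).
// Returns the rewritten line plus the number of fields rewritten, so a pipeline can
// flag lines where nothing matched (a different date format will not align either).
function refreshPanTimestamps(raw, now = new Date()) {
  const stamp = formatPanUtc(now);
  let count = 0;
  const out = raw.replace(PAN_TS, () => { count += 1; return stamp; });
  return { raw: out, replaced: count };
}

// Constructed sample: abbreviated PAN-OS TRAFFIC CSV with 2020 dates in the
// receive-time (field 2), generated-time (field 7) and time-logged positions.
const SAMPLE = "1,2020/01/15 10:00:01,001122334455,TRAFFIC,end,2049,2020/01/15 10:00:01," +
  "10.0.0.5,10.0.0.9,0.0.0.0,0.0.0.0,allow-all,,,dns,vsys1,trust,untrust,ethernet1/1," +
  "ethernet1/2,default,2020/01/15 10:00:01,12345,1,53421,53,0,0,0x0,udp,allow";

// In a Cribl Code function (assumption: __e is the event) this would be:
//   __e._raw = refreshPanTimestamps(__e._raw).raw;
const fixedAt = new Date(Date.UTC(2024, 4, 6, 13, 4, 5)); // fixed clock for a repeatable run
const result = refreshPanTimestamps(SAMPLE, fixedAt);
console.log(result.replaced, "timestamps rewritten:", result.raw);
```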