I was wondering how is Cribl implementing OCSF mappings?

Michael Katz

Hello all, I was wondering how is Cribl implementing OCSF mappings?

David Maislin

<@U02ELKX57CH&gt; <@U02PA4EAP1S&gt; ^^^

asc_me

Hi <@U04S0RP486P&gt;, I can walk you through how we do it. Currently we only support the network activity class, but several more classes are 'work in progress'. If you don't mind me asking, what is your use case for it?

Michael Katz

Hello <@U02ELKX57CH&gt; I was thinking for example use cases to structure like syslog messages better, putting it in OCSF format

asc_me

will DM you so we can go into this further

Clint Sharp

We have a need for this internally <@U02ELKX57CH&gt; so I'd like to see how we could expand our support. <@U01LSBF5953&gt; does this factor into your Rosetta pack?

Brendan Dalpe

If there's mappings for Windows OS logs for OCSF I can add them to the Rosetta pack

Clint Sharp

Not really sure what your intentions were for Rosetta, it's for Windows logs only?

Clint Sharp

In general, there's a market need for an any to any mapper. Not sure the product is helping us as much as it could there. It's certainly a set of ideas on the backlog to make mapping schemas easier.

Brendan Dalpe

> it's for Windows logs only Yes

Clint Sharp

I mean naming wise, maybe quality it more then :slightly_smiling_face:

Brendan Dalpe

https://github.com/bdalpe/cribl-rosetta-pack

asc_me

Ocsf is massive in structure, we should chat <@U01LSBF5953&gt;

Clint Sharp

OCSF, OTel, its like when big vendors get together they just want to make things more complicated

asc_me

It's a meta-schema

asc_me

Lol

asc_me

I use that in my slides for ocsf when talking about it