Requesting Assistance: Identifying Unparsed Logs in Chronicle SIEM UI

Namaste everyone,

Since the raw search function has a limitation of 10,000 logs, it's difficult to identify which logs are failing to parse. Does anyone know how to find unparsed logs using the SIEM UI? We don't have CLI access, so solutions that leverage the SIEM UI would be greatly appreciated.


Hey @Indra,

Does this help at all - performing a raw log search (it could be a regex with a .*), then applying a procedural filter on 'Event Type' to 'Unparsed Log'.


Kind Regards,

Ayman C

Namaste @AymanC ,

The device is generating excessive traffic, and the provided solution is not working.

Hi @Indrajeet_D

If you have access to the backstory key for the tenant you could use the Colab notebook written by Eugene (@google). There is a section titled "List CBN Parser Errors":

When customer-specific and default parsers encounter errors, they are captured and saved. This endpoint retrieves the errors generated by a specific logType over a defined time range. It returns a maximum of 1000 errors with each request.

Using the backstory key for a tenant you can pull the errors in JSON (up to 1000 events) and download for review.

Contact your Google SecOps partner for access to the Colab notebook.
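One way to pull those parser errors programmatically and work around the 1000-per-request cap by splitting the time range, as an added example that is not the Colab notebook's code. The endpoint URL, query parameter names, OAuth scope and response fields (`errors`, `errorId`, `errorTime`, `category`, `errorMsg`, `logs`) are assumptions taken from memory of the Chronicle Backstory API reference and must be checked against your tenant's documentation; `make_fake_fetch` is a constructed offline stand-in for the API.

```python
import base64
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Callable

# Endpoint, query parameters and response fields are assumed from the Chronicle
# Backstory API reference; confirm them against your tenant's documentation.
API_URL = "https://backstory.googleapis.com/v1/tools/cbnParsers:listCbnParserErrors"
MAX_PER_REQUEST = 1000             # per-request cap quoted in the thread
MIN_WINDOW = timedelta(seconds=1)  # stop splitting windows below this size

def _iso(ts: datetime) -> str:
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def fetch_parser_errors(log_type: str, start: datetime, end: datetime,
                        fetch: Callable[[dict], dict]) -> list[dict]:
    """Collect every parser error for log_type over [start, end).
    fetch(params) does one GET and returns the decoded JSON. A window that
    comes back full (MAX_PER_REQUEST) may be truncated, so it is halved and
    both halves re-queried until each response is below the cap."""
    params = {"log_type": log_type, "start_time": _iso(start), "end_time": _iso(end)}
    errors = fetch(params).get("errors", [])
    if len(errors) < MAX_PER_REQUEST or end - start <= MIN_WINDOW:
        return errors
    mid = start + (end - start) / 2
    return (fetch_parser_errors(log_type, start, mid, fetch)
            + fetch_parser_errors(log_type, mid, end, fetch))

def make_http_fetch(service_account_file: str) -> Callable[[dict], dict]:
    """Real fetch() authenticated with the tenant's backstory key (needs google-auth)."""
    from google.oauth2 import service_account
    from google.auth.transport.requests import AuthorizedSession
    creds = service_account.Credentials.from_service_account_file(
        service_account_file, scopes=["https://www.googleapis.com/auth/chronicle-backstory"])
    session = AuthorizedSession(creds)
    def fetch(params: dict) -> dict:
        resp = session.get(API_URL, params=params, timeout=60)
        resp.raise_for_status()
        return resp.json()
    return fetch

def make_fake_fetch(store: list[dict]) -> Callable[[dict], dict]:
    """Constructed stand-in for the API: filters an in-memory list by errorTime
    and truncates at MAX_PER_REQUEST, mimicking the documented cap."""
    def fetch(params: dict) -> dict:
        hit = [e for e in store if params["start_time"] <= e["errorTime"] < params["end_time"]]
        return {"errors": hit[:MAX_PER_REQUEST]}
    return fetch

def summarize(errors: list[dict]) -> dict[str, int]:
    """Count errors by category and message so the noisiest failure is reviewed first."""
    return dict(Counter(f"{e.get('category')}: {e.get('errorMsg')}" for e in errors).most_common())

def sample_raw_log(error: dict) -> str:
    """Decode the first raw log attached to an error (assumed base64 in `logs`)."""
    logs = error.get("logs") or []
    return base64.b64decode(logs[0]).decode("utf-8", "replace") if logs else ""
```

Because the time windows are half-open, an error on a split boundary is returned by exactly one sub-query, so no deduplication by `errorId` is needed.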