Create a New Log Parser
Use the New Log Parser page to create your own log parser by using sample logs. You can build your own parser by mapping fields in your sample logs to Security Director Insights event fields, indicating which types of events will generate an incident.
To create a new log parser:
- Select Configure > Insights > Log Parsers.
The Log Parsers page appears.
- Select the plus icon (+).
The New Log Parser page appears.
- Complete the configuration according to the guidelines provided in Table 1.
- Click Finish, and you are presented with the results of your flexible log parser as they are applied to the sample logs provided.
Review the results carefully to determine whether your mapping, filtering, and assignment conditions are as expected.
Table 1: Add New Log Parser
Setting | Guideline |
---|---|
Create/Edit Parser | |
Name | Enter a unique and descriptive name for the log parser. |
Description | Enter a description for the log parser. |
Parse Log File | |
Raw Log | Upload the raw log file by browsing to it, or paste the log data in a separate field provided below the Browse button. Ensure the log file contains an RFC-compliant syslog header. |
Log File Format | Specify the format of the sample log file. The available options are: |
CSV Headers (if the log file format is CSV) | If your log file is in CSV format, you may provide a comma-delimited list of field names in this field. If the CSV headers are not provided, the fields will be named as csvN, where N is the field position. |
Grok Pattern (if the log file format is Others) | If you select the Others option for the log file format, you must supply a grok pattern for the log file. A grok pattern may consist of one or more lines. The line beginning with LOGPATTERN is the pattern that is applied to the logs; the other lines define helper patterns it can reference. A grok pattern must include a pattern named LOGPATTERN; otherwise the parser has no pattern to use. |
Field Mapping | |
Mapped Fields and Unmapped Fields | In the Unmapped Fields section, select a field in the Parsed Fields column and then select a value in the Insights Fields column to map it to. After selecting both fields, click Map. The mapped fields now appear in the Mapped Fields section, which lists all fields that have been mapped to each other. You can perform the following actions from the Field Mapping page: Note: Fields marked with * are mandatory. |
Date Format | |
Field Mapping: Format Date and Time | This configuration is optional. You can leave this field blank if your log file uses a standard timestamp as defined by RFC 3164 or RFC 5424; those headers are parsed automatically. If the timestamp cannot be parsed, provide a format string using Ruby strftime directives so that Security Director Insights can interpret the date and time in your log file as the event start time. For more information about the Ruby strftime format, see https://ruby-doc.org/core-2.3.0/Time.html#method-i-strftime. |
Log Filtering | |
Log Filtering | You can create filters that tell Security Director Insights which logs to keep and which to ignore. Log filtering discards logs that are "noisy" and not of particular interest, and retains logs that are related to malicious events. For each filter, you enter a string and choose whether it must match the log exactly (exact match) or merely appear in it (contains). Click Add and configure filtering conditions as follows: Click OK and your condition is added to the filter. You can add multiple filters. An "or" condition is applied across the list of filters, so a log is kept if any one filter matches it and the order of filters is not relevant. Note: Select the check box for a filter and click Delete to remove that filter. |
Conditions Assignment | |
Assign Conditions | You can assign different conditions to an event, based on the filtering parameters you configure. |
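The grok pattern, date-format and filtering settings above can be tried out offline before uploading a sample log. The following is an added example, not Security Director Insights code: a small Ruby script that loads a multi-line grok definition, applies the line named LOGPATTERN to constructed RFC 3164-style log lines, keeps only lines matched by any of the OR'd filters, and converts the captured timestamp with a strftime-style format string. The grok text, sample logs, filter shape (tested against the whole raw line) and field names are assumptions made for the example.

```ruby
require 'time'
# Constructed grok text in the multi-line form the page describes: helper
# patterns, then the LOGPATTERN line, which is the one applied to each log.
GROK_TEXT = <<~'GROK'
  INT \d+
  WORD \w+
  IP (?:\d{1,3}\.){3}\d{1,3}
  SYSLOGTS [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}
  LOGPATTERN <%{INT:pri}>%{SYSLOGTS:timestamp} %{WORD:host} fw: action=%{WORD:action} src=%{IP:src_ip} dst=%{IP:dst_ip}
GROK
DATE_FORMAT = '%b %d %H:%M:%S' # strftime-style format for the captured timestamp
# Constructed RFC 3164-style samples; filters are OR'd and (assumption) tested on the raw line.
SAMPLE_LOGS = [
  '<134>Mar 05 14:02:11 fw1 fw: action=deny src=10.0.0.5 dst=192.0.2.9',
  '<134>Mar 05 14:02:12 fw1 fw: action=allow src=10.0.0.6 dst=192.0.2.9',
  '<134>Mar 05 14:03:00 fw1 fw: action=alert src=10.0.0.7 dst=198.51.100.4'
]
FILTERS = [{ type: :contains, value: 'action=deny' }, { type: :exact, value: SAMPLE_LOGS[2] }]

# Read "NAME pattern" lines into a hash keyed by pattern name.
def load_grok(text)
  text.each_line.each_with_object({}) do |line, defs|
    name, pattern = line.strip.split(' ', 2)
    defs[name] = pattern if name && pattern
  end
end
# Expand %{NAME:field} to a named capture and %{NAME} to a plain group, recursively.
def expand(pattern, defs)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    raise "undefined grok pattern #{name}" unless defs[name]
    field ? "(?<#{field}>#{expand(defs[name], defs)})" : "(?:#{expand(defs[name], defs)})"
  end
end
# Apply LOGPATTERN to one line; returns captured fields, or nil when it does not match.
def parse_line(line, defs)
  raise 'grok text defines no LOGPATTERN' unless defs['LOGPATTERN']
  m = Regexp.new(expand(defs['LOGPATTERN'], defs)).match(line)
  m && m.named_captures
end
def keep?(line, filters)
  filters.any? { |f| f[:type] == :exact ? line == f[:value] : line.include?(f[:value]) }
end
# Filter, parse, then turn the captured timestamp into the event start time.
def run(lines, grok_text, filters, date_format)
  defs = load_grok(grok_text)
  lines.select { |l| keep?(l, filters) }.map do |l|
    fields = parse_line(l, defs) or next
    fields.merge('event_start' => Time.strptime(fields['timestamp'], date_format))
  end.compact
end
```

Running `run(SAMPLE_LOGS, GROK_TEXT, FILTERS, DATE_FORMAT)` keeps the deny and alert lines only; a grok text without a LOGPATTERN line raises, mirroring the page's warning that the parser would have no pattern to use.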