Why are we getting the output in the format below when we validate the sample log with the parser using cbn-tool/chronicle_cli?
Is there any other purpose behind this output format? It would be easier if the output were in the format below:
metadata.event_timestamp.seconds = 1709320262
metadata.event_timestamp.nanos = 997191328
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Vendor Name"
metadata.product_name = "Product Name"
Hello - can you share the actual log you are using?
It is not about the specific log or log type. The cbn-tool/chronicle_cli output is the same for all log types. I am talking about the format of the output. Why can't the output be in JSON format or udm field = value?
Is there any tool to generate a parser?
Hi,
When you write the parser in CBN-CLI, you get the output in the mentioned format.
Write the parser in the Chronicle GUI and you will get the UDM in the proper format.
@rav1and3 Did you find a solution to this?
As Manoj pointed out, the UI makes use of an API call that formats this information correctly. This is only available on BYOP, as runParser relies on v1alpha. If this is available to you, you can perform the call on the CLI as follows:
chronicle_cli parsers run_parser --env prod --v2 {PROJECT ID-from-GCP} {Customer-ID-from-UI} GCP_CLOUDAUDIT GCP_CLOUDAUDIT.conf gcp_cloudaudit_1.log
If BYOP isn't available to you, I'm happy to share some really bad parsing of the original syntax to JSON.
It doesn't make sense to me that all clients who want to use this data have to individually write a parser. Is this what others are doing?