|
| 1 | +--- |
| 2 | +id: cloud-siem-parsers |
| 3 | +title: Troubleshoot Parsers |
| 4 | +sidebar_label: Parsers |
| 5 | +description: Learn how to troubleshoot problems with log parsers. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +This article provides guidance for administrators to diagnose, troubleshoot, and escalate issues with Sumo Logic Cloud SIEM log parsers. |
| 11 | + |
| 12 | +Parsers are a critical component in the Cloud SIEM data ingestion pipeline. They serve as the first step in transforming raw log messages into structured Records that can be used for threat detection and security analysis. Specifically, parsers: |
| 13 | +* Extract key-value pairs from raw log messages. |
| 14 | +* Enable proper log mapping to Cloud SIEM schema attributes by: |
| 15 | + * Applying mapping metadata to properly route parsed logs to mappers. |
| 16 | + * Transforming any variety of log data into a structured form. |
| 17 | +* Support the creation of high-fidelity detection rules. |
| 18 | + |
| 19 | +Parsing issues can manifest in several ways: |
| 20 | +* Failed Records. Insufficient or incorrect information causing a mapping failure. |
| 21 | +* Incorrect mapping. What the mapper expects to map is not present or is different than expected. |
| 22 | +* Parsing failures. All or part of a parser is not handling logs as intended. |
| 23 | +* Incorrect parsing. Specific fields or metadata being parsed incorrectly (wrong key value pairs or event_id metadata) |
| 24 | + |
| 25 | + |
| 26 | + |
| 27 | +Forwarding Logs to Cloud SIEM with Parsers |
| 28 | + |
| 29 | +Forwarding Methods |
| 30 | +SIEM Forward + Parser (recommended) |
| 31 | + |
| 32 | +The recommended method is to set _siemForward = true and _parser = path/to/parser. This can be set several ways: |
| 33 | +At the source |
| 34 | +Logs from an entire source will be forwarded to Cloud SIEM and the specified parser |
| 35 | +At the collector |
| 36 | +Logs from the collector and its child sources will be forwarded to Cloud SIEM and the specified parser |
| 37 | +Using a Field Extraction Rule (FER) |
| 38 | +Often used to specify SIEM forwarding and the parser path by sourceCategory, but can also be used to filter specific subsets of logs for forwarding to Cloud SIEM (or not forwarded). |
| 39 | +Sending subsets of logs to Cloud SIEM is useful as not all log data is useful from a security context. |
| 40 | + |
| 41 | +Many Cloud-To-Cloud (C2C) sources set the _parser and _siemForward metadata within the parser bypassing the need to manually specify for these sources. |
| 42 | + |
| 43 | +Other Methods |
| 44 | + |
| 45 | +Other methods depend upon legacy methods which bypass parsers and are generally not recommended. These include: |
| 46 | + |
| 47 | +Setting _siemForward without a parser |
| 48 | +For structured logs, this will use a Sumo Logic Ingest Mapping and has limited options for specific parsing or relies on setting mapping metadata in fields or via an FER. |
| 49 | +For unstructured logs, this will utilize legacy “Grok” parsers which are approaching EOL and are not maintained outside of critical bug fixes. |
| 50 | +Older C2C sources set _siemForward and mapper metadata fields within the C2C. |
| 51 | + |
| 52 | +Best Practices |
| 53 | + |
| 54 | +Always use a parser when possible |
| 55 | +Provides consistent field extraction |
| 56 | +Enables proper schema mapping |
| 57 | +Supports future content updates |
| 58 | +Avoid FERs that modify _raw |
| 59 | +Makes parser troubleshooting more difficult by obfuscating the format of the original raw log which the parser receives. |
| 60 | +Use appropriate parser paths |
| 61 | +Ensure parser matches the data format |
| 62 | +Use system parsers when available |
| 63 | +Create custom parsers only when necessary |
| 64 | +Following these fundamentals will help prevent common parsing issues and simplify troubleshooting when problems occur. |
| 65 | +Identifying Parser Issues |
| 66 | + |
| 67 | +Using the Failed Records Dashboard |
| 68 | + |
| 69 | +The Cloud SIEM Enterprise Audit App provides dashboards and queries for greater visibility into Cloud SIEM activity. Troubleshooting parser failures is aided by the Failed Record Analysis dashboard and query found within Enterprise Audit - Cloud SIEM>Record Analysis>Failed Record Analysis (Enterprise Audit - Cloud SIEM app must be installed). |
| 70 | + |
| 71 | +Common Failure Types |
| 72 | + |
| 73 | +Parser Failures: Include parser path and specific parsing error |
| 74 | +Mapper Failures: Usually mention mapper or mapping issues |
| 75 | +Mixed Failures: May indicate parser output doesn't match mapper expectations |
| 76 | + |
| 77 | + |
| 78 | +Investigating Failed Records |
| 79 | + |
| 80 | +Identify the Pattern |
| 81 | + |
| 82 | +Look for commonalities in failed records |
| 83 | +Note specific error messages |
| 84 | +Check if failures are limited to certain sources |
| 85 | + |
| 86 | +Analyze Error Messages |
| 87 | + |
| 88 | +Common Errors |
| 89 | +Fatal: /Parsers/System/Vendor/Product Name did not produce an event. |
| 90 | +Indicates the parser is likely failing immediately |
| 91 | +Fatal: /Parsers/System/Vendor/Product Name parse failed |
| 92 | +Indicates the parser is likely failing immediately |
| 93 | +Fatal:/Parsers/System/Vendor/Product Name - transform_name - none of the transforms in cascade successfully parsed event (transform_name_1, transform_name_2). |
| 94 | +Indicates a specific component of the parser is failing, in this case a transform cascade, logs may be partially parsed, but are failing further into processing |
| 95 | +Fatal:/Parsers/System/Vendor/Product Name- transform_name parse failed. |
| 96 | +Indicates a specific transform within a parser is failing, logs may be partially parsed, but are failing further into processing |
| 97 | +Fatal:/Parsers/System/Vendor/Product Name- transform_name - no value found in required transform target field parsed_field_name. |
| 98 | +Indicates an required key value pair is missing from the parsed log and the log is failing to parse as a result |
| 99 | +Fatal:/Parsers/System/Vendor/Product Name- wrapper did not return the wrapped log entry |
| 100 | +A parser utilizing a wrapper transform did not find the log that is supposed to be present causing the parser failure |
| 101 | + |
| 102 | +Check for Recent Changes |
| 103 | +For log sources which were previously parsed successfully: |
| 104 | +Vendors will occasionally make modifications to the log format or field names within the logs which cannot be handled by existing parsers |
| 105 | +Source configuration changes to logging on the appliance, service, or application sending logs may result in parsing issues or failures |
| 106 | +Sumo Logic is continuously making updates to our parser catalog. While these changes undergo regression testing, there can be unforeseen cases not caught in regression testing. Cloud SIEM Content Release Notes will note any modifications to out-of-the-box parsers by date with a brief summary of the changes. |
| 107 | + |
| 108 | +Other Considerations |
| 109 | +Parsing failures can occur when there is no issue with the parser for a variety of reasons: |
| 110 | +The parser was designed for a different version or log format than the ingested logs |
| 111 | +A new parser may be needed to accommodate these logs |
| 112 | +Clues this may be the case can be found by examining the parser name to see if it includes a format specifically such as JSON, LEEF, CEF, XML, CSV etc. |
| 113 | +If the parser name does not specify the format, the parser itself often will within the FORMAT stanza. |
| 114 | +Some parsers will include sample logs in comments which follow the format the parser was designed to accommodate. |
| 115 | +The logs failing to parse are not security relevant |
| 116 | +While some parsers can be designed to explicitly define what logs are supported or not, there are circumstances where this is not practical, most commonly in unstructured log formats, and logs fail to parse solely because they are not useful in Cloud SIEM. |
| 117 | +They do not contain an entity and therefore cannot be used to correlate any activity or generate signals |
| 118 | +The activity captured in the log does not have any clear security use case |
| 119 | +There are niche use cases which can be accounted for by customizing a parser that aren’t always practical to support globally. |
| 120 | +Verbose and Debug level logging frequently fall into this category |
| 121 | + |
| 122 | + |
| 123 | +Pivot to Raw Logs and Troubleshoot with the Parser |
| 124 | +With the error(s) identified, pivot to the raw message(s) for further troubleshooting. Note the specific parser(s) which are failing. |
| 125 | + |
| 126 | +Extract metadata_sourcemessageId from the failed record |
| 127 | +Use _messageId (same as metadata_sourcemessageId) in a search to locate the original raw log. |
| 128 | +Copy the raw message(s) and paste into the parser UI |
| 129 | +Use the parser UI to search for _messageID(s) with the appropriate timeframe to bring the logs into the UI to test |
| 130 | + |
| 131 | +Troubleshooting Existing Parsers |
| 132 | +If you have identified a log message that should be parsed by an existing parser (the format is right, there is a clear security use case etc.) then it helps to understand the structure of the parser first to begin troubleshooting. |
| 133 | + |
| 134 | +Some parsers are very simple (most often structured log formats) |
| 135 | +A format is defined |
| 136 | +Parser expects mapping metadata and where they come from to be static or come from the same templated key value pair in the log. |
| 137 | +Parser expects time parsing to be formulated using a single attribute and for time to be in a single format |
| 138 | +For simple parsers that fail it is often an edge case or a previously unseen event which diverges from the format the parser was initially developed. This often necessitates adding complexity to the parser to handle these cases, or to refactor the parser to handle logs differently, often more broadly. With a broader case, that may be defining a higher level event_id which is consistent with all logs from a source). |
| 139 | + |
| 140 | + |
| 141 | +Some parsers are more complex (most often unstructured or complex structured log formats) |
| 142 | +There may be a single high level format a log takes but: |
| 143 | +There are nested structures within the log that differ from the overall structure |
| 144 | +This occurs frequently with JSON sources with a nested message using human readable or key value pairs in non-JSON format within certain fields |
| 145 | +Individual event types from a source follow different conventions for labeling key value pairs |
| 146 | +This particularly can make defining mapping metadata challenging as it will require individual event types define these attributes per-transform instead of for an entire source |
| 147 | +Timestamps may be stored in different places depending on the nature of an event type. |
| 148 | +A transaction log may have a concept of a start and end time |
| 149 | +Multiple timestamps may be present depending on the event type |
| 150 | +Some logs may be missing a timestamp and _messagetime from the Sumo collector or source may need to be used/fallen back on. |
| 151 | +Unstructured logs with many different event types or variations between events |
| 152 | +Each event type must be handled by its own transform and often requires a regular expression to parse. |
| 153 | +These will often use variable transforms and/or transform cascades. |
| 154 | +Example Scenario |
| 155 | +Linux Syslog Parsing Failure |
| 156 | +This is a particularly illustrative example of how a more complex parser processes a log. |
| 157 | + |
| 158 | +Example: |
| 159 | +Fatal: /Parsers/System/Linux/Linux OS Syslog - parse_systemd - none of the transforms in cascade successfully parsed event (parse_systemd_format_1, parse_systemd_format_2). |
| 160 | + |
| 161 | +For log: |
| 162 | +`Nov 20 21:11:08 ip-1-2-3-4 systemd[1]: motd-news.service: Deactivated successfully.` |
| 163 | + |
| 164 | +In this parser, the log is first processed for its header to determine how it should be routed in the parser. After that routing it is failing to parse specifically in a parser cascade, and then failing to match either parse_systemd_format_1, parse_systemd_format_2 which are the transforms called in the cascade for the specific log. While still failing, this provides useful clues as to where the failure occurred. |
| 165 | + |
| 166 | + |
| 167 | + |
| 168 | +Here we can see the header and process are parsed successfully. Examining the parser we find that there is a VARIABLE TRANSFORM which uses the syslog process to route the logs to another transform. |
| 169 | + |
| 170 | +# Direct parser based on the syslog process name |
| 171 | +# Process Name = Transform Parser |
| 172 | +VARIABLE_TRANSFORM_INDEX:syslog_message = syslog_process |
| 173 | + |
| 174 | +In this case there is a transform called for `systemd` processes called `parse_systemd` which takes the contents of syslog_message and passes it along to the named transform. Looking further down the parser we can find that specific transform. |
| 175 | + |
| 176 | + |
| 177 | +[transform:parse_systemd] |
| 178 | +TRANSFORM_CASCADE:_$log_entry = parse_systemd_format_1,parse_systemd_format_2 |
| 179 | + |
| 180 | + |
| 181 | +This particular transform passes along the contents of what it received from the variable transform and instructs it to pass along the field value stored in _$log_entry (syslog_message) to two additional parse transforms which it then attempts to use in the order shown in the transform cascade until a match is found. |
| 182 | + |
| 183 | + |
| 184 | +[transform:parse_systemd_format_1] |
| 185 | +``` |
| 186 | +#<86>Jan 01 00:00:00 hostname systemd[20460]: pam_unix(systemd-user:session): session opened for user root by (uid=0) |
| 187 | +TRANSFORM_CASCADE:_$log_entry = parse_su_format_6,parse_sudo_format_2,parse_systemd_user_format_1 |
| 188 | +``` |
| 189 | + |
| 190 | +[transform:parse_systemd_format_2] |
| 191 | +``` |
| 192 | +#<30>Jan 01 00:00:00 hostname systemd[1]: Started Session c513458 of user ewqadm. |
| 193 | +REGEX = (?P<action>Started\sSession)\s(?P<session_id>\S+)\sof\s(?i)user\s(?P<user>.+)\. |
| 194 | +SET:event_id = systemd-session-start |
| 195 | +``` |
| 196 | + |
| 197 | + |
| 198 | +In these transforms we helpfully have an example log for which the transform is intended to parse using a regular expression and then sets an event_id if there is a match. From the examples and the regex we can clearly see that neither transform is intended to match the example log we are seeing a failure for. |
| 199 | + |
| 200 | +Were this a useful log from a security context (it’s not) the failure could be addressed in a few ways, either by modifying one of the existing transform regular expressions (whichever is closer in format) or by creating a new transform as part of the transform cascade being called for the systemd process log. Since the particular log example is a significant departure from the intent of either existing transforms, a new one would be most appropriate. It would only require a modification to the parse_systemd transform cascade and the addition of a third transform with a regular expression to handle the particular log and then set the appropriate event_id. |
| 201 | + |
| 202 | + |
| 203 | +Escalating Parsing Issues |
| 204 | +Sumo Logic Threat Labs Detection Engineering maintains all Out-Of-The-Box (OoTB) Cloud SIEM Content. Content includes Parsers, Mappers, Rules, and Normalization Schema. |
| 205 | + |
| 206 | +Upon identifying an issue with a Cloud SIEM OoTB parser using this guide, it may be necessary to escalate the issue to Threat Labs. |
| 207 | + |
| 208 | +Escalation requirements |
| 209 | +A concise description of the problem |
| 210 | +Screenshots are helpful for understanding current and potentially previous behavior if there was a change |
| 211 | +A representative raw log sample |
| 212 | +Logs which represent the issue |
| 213 | +For new support or extension of an already supported source |
| 214 | +Logs which represent the types of (possibly new) events a data source well |
| 215 | +A security use case if it is not immediately obvious |
| 216 | +Not all logs necessarily will be useful in Cloud SIEM |
| 217 | +Supporting documentation |
| 218 | +Esoteric or poorly labelled values may require documentation which is not always publicly available |
| 219 | +Configuration Information |
| 220 | +Many data sources will have options for configuring logging. |
| 221 | +It is important to understand what those settings are to develop new global support for a data source or offer advice for a custom solution if a global one is not appropriate. |
| 222 | + |
| 223 | +Gathering Raw Samples |
| 224 | +Prior to opening a support request, it is helpful to gather sample raw logs (without Field Extraction Rules overwriting _raw) which represent the identified issue. |
| 225 | + |
| 226 | +Ways to gather samples |
| 227 | +Find Samples |
| 228 | +Search using the identified _messageId(s) of the failing to parse logs |
| 229 | +Example query: |
| 230 | +_sourceCategory=your/source/category |
| 231 | +| where _messageId in (messageId1,messageId2 etc.) |
| 232 | +If an entire source is failing to parse because it is not presently supported OoTB |
| 233 | +Gather a sample by first identifying a likely event ID |
| 234 | +An event ID can be thought of as a key in a log which represents a lowest common denominator which can be used to identify the type of message. |
| 235 | +Example query |
| 236 | +_sourceCategory=your/source/category |
| 237 | +| fields eventID |
| 238 | +| first(_raw) by eventID |
| 239 | +Utilizing the first operator lets you cut down on extraneous samples. |
| 240 | +It may be necessary to gather multiple examples if there is meaningful variation within each failing sample that may require further parsing beyond per-event-ID |
| 241 | +If a particular event ID or IDs as set in the parser using `MAPPER:event_id` are failing |
| 242 | +Gather the failing event IDs |
| 243 | +Construct a search query using the failing event IDs and gather unique examples of each _raw per event ID. |
| 244 | +Example query: |
| 245 | +_sourceCategory=your/source/category |
| 246 | +| fields eventID |
| 247 | +| where eventID in (“list”,”of”,”eventIDs”) |
| 248 | +| first(_raw) by eventID |
| 249 | +_first field will be _raw log |
| 250 | +This query only surfaces the first example within the time range to cut down on duplication |
| 251 | +It may be necessary to gather multiple examples if there is meaningful variation within each failing sample that may require further parsing changes |
| 252 | + |
| 253 | +Once a representative sample has been gathered it is recommended to export as a CSV from Sumo Logic search to ensure no extraneous formatting is applied that might confound further troubleshooting by Sumo Logic Customer Success and Threat Labs teams. |
0 commit comments