Configuring a Custom Log Parser

You must have Root scope to use this feature.

Stellar Cyber can ingest data from many different sources. If the data you want to ingest does not have a pre-defined Stellar Cyber connector, you can use a custom parser definition to import log files from your services into Stellar Cyber. This screen lets you load custom log parsers into the system, after which they start processing data. Creating a custom log parser requires two separate files:

  • A parser file that is the custom log parser program itself

  • A configuration file that provides parameters to the instance

Typically, one custom log parser program is used with multiple configuration files.

To create a custom log processor, you first capture a sample log from the service and work with Stellar Cyber to create the custom parser program and its configuration file(s).

Custom Log Processor Table

The System | Collection | Custom Log Processors table lists the configured custom parsers and lets you create, edit, and delete them. The table includes columns that identify the version of each parser. The version is derived from the files you uploaded (the parser program and the parser configuration file), which carry a date in one of their first two lines. If both files carry a date, Stellar Cyber uses the more recent of the two. To support versioning, the date must be in the format #YYYY/MM/DD and must appear on the first or second line of the uploaded parser program or configuration file.

Parsers loaded prior to the v4.2.0 release have a blank value in this field.
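As an added example (not part of this page or of Stellar Cyber's product), the following Python script applies the versioning rule above to a parser program and a configuration file before you upload them: it reads the #YYYY/MM/DD header from line 1 or 2 of each file, reports the version the table would show (the more recent of the two, or blank when neither file has a header), and flags the easy mistake of a header pushed to line 3 by a shebang or comment block. The sample files are constructed, and the exact matching rules (no leading whitespace, calendar-valid date) are assumptions; the product's own loader is not documented here beyond the sentence above.

```python
import re
from datetime import date

# Version header convention from this page: a line "#YYYY/MM/DD" on the
# first or second line of the parser program or configuration file.
# Stellar Cyber's loader is not documented beyond that sentence, so the
# matching rules below (no leading whitespace, trailing whitespace
# tolerated, calendar-valid date required) are assumptions.
VERSION_LINE = re.compile(r"^#(\d{4})/(\d{2})/(\d{2})\s*$")


def version_from_text(text):
    """Return the version date found on line 1 or 2 of a file, or None.

    A date further down the file is deliberately ignored, mirroring the
    page's rule that only the first two lines are inspected.
    """
    for line in text.splitlines()[:2]:
        m = VERSION_LINE.match(line)
        if m:
            year, month, day = (int(g) for g in m.groups())
            try:
                return date(year, month, day)
            except ValueError:  # e.g. #2024/13/01: right shape, not a real date
                return None
    return None


def table_version(parser_text, config_text):
    """Version the Custom Log Processors table would show for this pair.

    The more recent of the two header dates wins; None stands for the
    blank value shown when neither file carries a header.
    """
    dates = [d for d in (version_from_text(parser_text),
                         version_from_text(config_text)) if d is not None]
    return max(dates) if dates else None


def check_upload(parser_text, config_text):
    """Pre-upload lint: list the problems worth catching before submitting."""
    problems = []
    for label, text in (("parser program", parser_text),
                        ("configuration file", config_text)):
        lines = text.splitlines()
        if version_from_text(text) is None:
            # Distinguish "no header at all" from "header in the wrong place";
            # the latter happens when a shebang or comment block pushes the
            # date down to line 3 or later.
            late = [i + 1 for i, l in enumerate(lines[2:], start=2)
                    if VERSION_LINE.match(l)]
            if late:
                problems.append(f"{label}: version header found on line {late[0]}, "
                                "but it must be on line 1 or 2 to count")
            else:
                problems.append(f"{label}: no #YYYY/MM/DD header in the first two "
                                "lines; the table will show a blank version")
    return problems


# Constructed sample files (not from the product). A shebang on line 1
# pushes the version header to line 2, which the rule still accepts.
SAMPLE_PARSER = """#!/usr/bin/env python3
#2024/03/15
# constructed custom parser program
def parse(line):
    return {"raw": line}
"""

SAMPLE_CONFIG = """#2024/05/02
name = example_app
"""

# Header present but on line 3: ignored, so this file contributes no version.
SAMPLE_CONFIG_LATE = """name = example_app
delimiter = ,
#2024/06/01
"""

if __name__ == "__main__":
    print("version shown:", table_version(SAMPLE_PARSER, SAMPLE_CONFIG))
    for problem in check_upload(SAMPLE_PARSER, SAMPLE_CONFIG_LATE):
        print("warning:", problem)
```

Run the check on both files before every upload; a parser whose header silently dropped to line 3 after an edit would otherwise show a stale version in the table, which is exactly the case the lint reports.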

  • Click the Create button to add a new custom parser, as described in the next section.

  • Click the edit icon to edit the associated custom parser. A dialog box like the one described in the next section appears. This is also how you update an existing parser's files.

  • Click the delete icon to delete the associated parser. That parser stops processing data, and the data describing its setup (see the following section) is discarded.

See the Tables page for more information on working with tables.

Add/Edit Custom Log Processors

When you add or edit a parser, the dialog box shown below appears.

The Custom Log Parser dialog box has the following fields:

  • Name—Each log parser is identified by the unique name entered here. In edit mode this field is read-only.

  • Tenant Name—The tenant with which all records generated by the custom parser are tagged. If the parser is not specific to one tenant, choose Root Tenant, which applies the parser to all tenants.

  • Upload Parser File—Click Choose File to locate the parser program file as described above.

  • Upload Config File—Click Choose File to locate the configuration file as described above.

Once you have supplied valid values, the SUBMIT button is enabled; click it to save the settings, after which the log parser becomes active in the system. Alternatively, click the close button in the upper right corner to dismiss the dialog box without saving any changes.