Configuring a Custom Log Parser

You must have Root scope to use this feature.

Stellar Cyber can ingest data from many different sources. If none of the predefined Stellar Cyber parsers ingests or parses the data you want it to, you can contact Customer Success to request a custom parser. Depending on the request, Stellar Cyber might develop a new parser to ingest logs from a new product, or update an existing parser to support a new field or version or to normalize other fields than it currently does.

To request a custom parser and begin using it, follow these steps:

  1. Make log samples as explained in Configuring Generic Log Capture.

    The purpose of the sample logs is to provide Stellar Cyber developers with all the log formats and typical types of data that you want the Stellar Cyber Platform to ingest.

  2. Log in to the Stellar Cyber Customer Success Portal and create a new support ticket.

  3. Attach the log samples to the ticket with your request for either a new parser or an update to an existing parser, include required information, and then submit it.

    To learn what information Stellar Cyber developers require to create a custom parser for you, see What information do I need to collect for a Parser Request? in the Stellar Cyber Customer Success Portal.

    Customer Success evaluates the request and works with Engineering to satisfy it, creating or updating a parser as required.

    When the custom parser is ready, Customer Success sends you a parser file and configuration file through exchanges in the support ticket.

  4. Create a custom parser configuration in the Stellar Cyber UI by adding these two files—without changing their filenames—entering a parser name, and choosing the tenant for which it’s intended.

    By creating a custom log parser configuration, you can immediately begin using the custom parser without having to wait for an upcoming software release. If the parser is useful for other Stellar Cyber customers, it is typically added to the next release for everyone to use. At that point, you no longer need to use the custom parser but can switch over to the one that’s generally available, which will give you the same functionality. By switching over, you can take advantage of future updates and enhancements.

Custom Log Parser Page

The System | Custom Log Parsers page lists configured custom log parsers and allows you to create new ones, and edit and delete existing ones. The table includes columns to help you identify the version of the parser. This value is derived from a date in the first two lines of either the parser file or the configuration file you uploaded. If the two files carry different dates, Stellar Cyber uses the most recent one. To support versioning, the date must be in the format #YYYY/MM/DD and must be on the first or second line of at least one of the uploaded files.
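The versioning rule above is easy to get wrong when files are edited locally before upload, so a pre-upload check is worth having. The following is an added example, not Stellar Cyber's own code: it reads the first two lines of each file, looks for a #YYYY/MM/DD stamp, and reports the version the table would show (the more recent of the two) or flags the upload as unversioned. It assumes a stamp counts wherever it appears within one of those two lines and that a stamp with an impossible calendar date is treated as absent; both the sample file contents and those two rules are constructed for illustration.

```python
import re
from datetime import date
from typing import Optional

# Stamp format stated on the page: #YYYY/MM/DD. The surrounding text on the
# line is ignored (assumption: the stamp may be followed by a comment).
VERSION_RE = re.compile(r"#(\d{4})/(\d{2})/(\d{2})")


def version_from_header(text: str) -> Optional[date]:
    """Return the version date found in the first two lines of a file,
    or None if neither line carries a well-formed #YYYY/MM/DD stamp.
    A stamp that is not a valid calendar date is skipped (assumption)."""
    for line in text.splitlines()[:2]:
        match = VERSION_RE.search(line)
        if not match:
            continue
        year, month, day = (int(g) for g in match.groups())
        try:
            return date(year, month, day)
        except ValueError:
            continue  # e.g. #2024/13/40: malformed, keep looking
    return None


def effective_version(parser_text: str, config_text: str) -> Optional[date]:
    """The version the Custom Log Parsers table derives: the most recent
    stamp across the two files, or None when neither file is stamped."""
    found = [
        stamp
        for stamp in (version_from_header(parser_text), version_from_header(config_text))
        if stamp is not None
    ]
    return max(found) if found else None


def preflight_report(parser_text: str, config_text: str) -> str:
    """Human-readable summary for an operator about to upload the pair."""
    version = effective_version(parser_text, config_text)
    if version is None:
        return ("UNVERSIONED: neither file has a #YYYY/MM/DD stamp on line 1 or 2; "
                "the table cannot show a parser version")
    return f"version {version.isoformat()} will be shown for this parser"


# Constructed sample contents standing in for the two files received from
# Customer Success; the real files' contents are not shown on the page.
PARSER_SAMPLE = (
    "# constructed parser file\n"
    "#2024/03/15 stamp on line 2\n"
    "rules: ...\n"
)
CONFIG_SAMPLE = (
    "#2024/01/02 stamp on line 1\n"
    "settings: ...\n"
)
UNSTAMPED_SAMPLE = (
    "settings: ...\n"
    "more: ...\n"
    "#2024/03/15 too late: line 3 is not checked\n"
)

if __name__ == "__main__":
    print(preflight_report(PARSER_SAMPLE, CONFIG_SAMPLE))
    print(preflight_report(UNSTAMPED_SAMPLE, UNSTAMPED_SAMPLE))
```

Run it before uploading a pair of files; the first report shows 2024-03-15 because the parser file's stamp is more recent than the configuration file's, and the second shows that a stamp on line 3 does not count.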

Screen capture of the Custom Log Parser Configuration page

The following are the various tasks you can do on this page:

  • Select Create to add a new custom parser, as described in the next section.

  • Select Export to CSV to download a file of the table in CSV format.

  • Select the Edit icon to edit the associated custom parser, as described in the next section. This is also how you update the parser.

  • Select the Delete icon to delete the associated parser. That parser stops functioning, and the data describing its setup is discarded.

See the Tables page for more information on working with tables.

Add/Edit Custom Log Parsers

To add or edit a custom log parser, select Create or the Edit icon, enter the following, and then Submit the configuration.

  • Name: Enter the name of the log parser. Don’t change any names in the parser and config files you received from Stellar Cyber Customer Success and make sure the name you enter here exactly matches the name in the files.

    In edit mode this field is read-only.

  • Tenant Name: Choose the tenant with which Stellar Cyber marks all Interflow records that the custom parser generates. To apply the parser to all tenants and mark the records for all tenants to use, choose Root Tenant.

  • Upload Parser File: Choose File, navigate to the parser file that you received from Stellar Cyber Customer Success, and select it for upload.

  • Upload Config File: Choose File, navigate to the configuration file that you received from Stellar Cyber Customer Success, and select it for upload.

    Screen capture of the "Add Custom Log Parser" dialog box

After you submit the log parser, it immediately becomes active.