Upload a Custom Parser Provided by Customer Success

Root-level users

Stellar Cyber ingests data from many different sources and processes it through parsers that convert raw log messages into normalized fields. Parser Studio is the preferred method for creating and managing these custom parsers. In some cases, Stellar Cyber Customer Success might provide a custom parser for your environment. This topic explains how to upload the files for a custom parser.

If Customer Success asked you to provide sample logs for a parser already being handled through support, follow the guidance in Configuring Generic Log Capture.

Use the following procedure only if Customer Success has already provided a pair of parser files. To add the parser, upload the files through Parser Studio.

Before You Upload

Confirm the following before starting:

Upload Steps

  1. Navigate to System | DATA SOURCE MANAGEMENT | Parser Studio | Parsers and select + Create Parser.

  2. (EAP only) Select Upload Custom Parser and in Select the type of custom parser you want to upload, select Legacy Parser or Modular Parser.

    Do this only if you are participating in the Early Access Program (EAP). Otherwise skip this step.

  3. In Tenant, choose the tenant for which you are creating the parser.

    This must be the tenant whose ID matches the cust_id value in the routing step of your configuration file.

  4. Either upload two files for a legacy custom parser or one file for modular custom parser (EAP only).

    Legacy Custom Parser

    Select Upload Parser File, navigate to your JSON file, and select it.

    Select Upload Configuration File, navigate to the CONF file, and select it.

    Legacy Custom Parser Upload (EAP)

    Screen capture of the "Upload Custom Parser" option in Parser Studio for Legacy Parser (EAP)

    Legacy Custom Parser Upload

    Screen capture of the "Upload Custom Parser" option in Parser Studio for Legacy Parser

    Modular Custom Parser

    Select Upload Parser File, navigate to your JSON file, and select it.

    Modular Custom Parser Upload (EAP)

    Screen capture of the "Upload Custom Parser" option in Parser Studio for Modular Parser (EAP)

  5. Select Create Parser.

    If the upload succeeds, Stellar Cyber adds the parser to the Parser Studio table.

    If the upload fails, an error message explains the reason. The most common cause is a mismatch between the cust_id in the routing step in the configuration file and the Stellar Cyber tenant ID of the selected tenant. If this occurs, open the CONF file, locate the cust_id field in the routing step, and replace its value with the correct tenant ID. Save the file and repeat the upload.

  6. After a successful upload, review the parser in the table and confirm the following:

    • The parser name clearly identifies its purpose.

    • The assigned port does not conflict with another custom parser.

    • The parser is configured for the correct tenant.

    • The custom parser status is enabled. (All legacy custom parsers are enabled and cannot be disabled.)