Request prebuilt and create custom log types
This document describes options to help you process log data that isn't processed by existing Google Security Operations parsers. In such cases, Google SecOps supports the creation of log types to enable parsing and ingestion.
You can choose between the following types:
Prebuilt log types: You can request Google SecOps to create and manage prebuilt log types. These work in conjunction with prebuilt and preconfigured parsers. 2–3 weeks after your request, these prebuilt log types are made available to all Google SecOps customers.
Custom log types: Created and managed by your organization. You need to configure corresponding custom parsers in-house. The custom log types and parsers become available internally (only to your organization) 10 minutes after creation.
For information about corresponding prebuilt parsers and custom parsers, see Manage prebuilt and custom parsers.
Create a custom log type
To create a custom log type, do the following:
Go to SIEM settings > Available Log Types. You can view available log types using the Search feature.
Click Request a Log Type.
Under Create a custom log type on your own, enter details for your log type.
For example, to create a custom log type for Azure Key Vault logging, complete the following:
In the Vendor/Product field, enter Azure Key Vault logging.
In the Log Type field, enter AZURE_KEYVAULT_LOGGING.
Click Create Log Type.
Wait 10 minutes to ensure that the new log type is available in all components before creating feeds with it.
The custom log type limitations are:
Total: 400
Daily: 25
Hourly: 8