This document describes options to help you process log data that isn't
processed by existing Google Security Operations parsers. In such cases,
Google SecOps supports the creation of log types to enable
parsing and ingestion.
You can choose between the following types:
Prebuilt log types: You can request Google SecOps to create
and manage prebuilt log types. These work in conjunction with prebuilt and
preconfigured parsers. 2–3 weeks after your request, these prebuilt log
types are made available to all Google SecOps customers.
Custom log types: Created and managed by your organization. You need to
configure corresponding custom parsers in-house, where the custom log types
and parsers become internally (only to your organization) available 10
minutes after creation.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Request prebuilt and create custom log types\n============================================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis document describes options to help you process log data that isn't\nprocessed by existing Google Security Operations parsers. In such cases,\nGoogle SecOps supports the creation of log types to enable\nparsing and ingestion.\n\nYou can choose between the following types:\n\n- *Prebuilt log types*: You can request Google SecOps to create\n and manage prebuilt log types. These work in conjunction with prebuilt and\n preconfigured parsers. 2--3 weeks after your request, these prebuilt log\n types are made available to all Google SecOps customers.\n\n- *Custom log types*: Created and managed by your organization. You need to\n configure corresponding custom parsers in-house, where the custom log types\n and parsers become internally (only to your organization) available 10\n minutes after creation.\n\nFor information about corresponding **prebuilt parsers** and\n**custom parsers** , see\n[Manage prebuilt and custom parsers](/chronicle/docs/event-processing/manage-parser-updates).\n\nCreate a custom log type\n------------------------\n\nTo create a custom log type, do the following:\n\n1. Go to **SIEM settings \\\u003e Available Log Types** . You can view\n available log types using the **Search** feature.\n\n2. Click **Request a Log Type**.\n\n3. Under the **Create a custom log type on your own**, enter details for your log type.\n\n For example, to create a custom log type for *Azure Key Vault logging*,\n complete the following:\n - In the **Vendor/Product** field, enter\n `Azure Key Vault logging`.\n\n - In the **Log Type** field, enter `AZURE_KEYVAULT_LOGGING`.\n\n4. Click **Create Log Type**.\n\n5. Wait 10 minutes to ensure that the new log type is available in all\n components before creating feeds with it.\n\nThe custom log type limitations are:\n\n- Total: 400\n\n- Daily: 25\n\n- Hourly: 8\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
