Conduct a raw log search

You can use Google Security Operations to search the raw logs in your Google Security Operations account and get relevant context with related events and entities.

Raw log searches show you the correlation between raw events and the UDM events generated using those raw logs. A raw log search helps you to understand how log fields are parsed and normalized and helps you to investigate any gaps in the normalization process.

After you complete a raw log search, each matching raw log line is replaced with the events and entities contained in the log line. The number of events and entities extracted from each log line is limited to a maximum of 10.

To perform a raw log search, follow these steps:

  1. Go to Investigation > SIEM Search.

  2. In the search field, add the prefix raw = to your search and enclose your search term in quotation marks (for example, raw = "example.com").

  3. Select the raw log search option from the menu. Google Security Operations finds the associated raw logs, UDM events, and associated entities. You can also run the same search (raw = "example.com") from the UDM Search page.

You can use the same quick filters used to refine UDM search results. Select the filter you want to apply to the raw log results to refine them further.

Optimize raw log queries

Raw log searches are typically slower than UDM searches. To improve search performance, limit the amount of data the query runs over by adjusting the search settings:

  • Time range selector: Limits the time range of the data over which you run your query.
  • Log Source selector: Limits your raw log search to only the logs from specific sources, as opposed to all of your log sources. From the Log sources menu, select one or more log sources (the default is all).
  • Regular expressions: Use a regular expression to further narrow the scope of your raw log search. For example, raw = /goo\w{3}.com/ matches google.com, goodle.com, and goog1e.com.
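As an added illustration that is not part of the Google Security Operations documentation or product, the following Python emulates the literal search, the regex search, and the Log Source and time range selectors over a few constructed log records; the raw_search helper and the sample records are assumptions made for this example only. It also shows that the unescaped dot in the pattern above matches any character, so escaping it removes a look-alike false positive.

```python
import re
from datetime import datetime, timezone

# Constructed sample raw logs, not taken from the page: (timestamp, log source, raw line).
RAW_LOGS = [
    ("2024-05-01T10:00:01Z", "DNS", "query src=10.0.0.5 qname=google.com rcode=NOERROR"),
    ("2024-05-01T10:00:02Z", "DNS", "query src=10.0.0.7 qname=goodle.com rcode=NXDOMAIN"),
    ("2024-05-01T10:00:03Z", "DNS", "query src=10.0.0.9 qname=goog1e.com rcode=NXDOMAIN"),
    ("2024-05-01T10:30:00Z", "DNS", "query src=10.0.0.5 qname=example.com rcode=NOERROR"),
    ("2024-05-01T10:30:05Z", "DNS", "query src=10.0.0.8 qname=goofy-company.net rcode=NOERROR"),
    ("2024-05-01T11:00:00Z", "PROXY", "GET http://goo123xcom.evil.example/ status=200"),
]

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def raw_search(logs, term=None, regex=None, sources=None, start=None, end=None):
    """Hypothetical emulation of a raw log search (not a SecOps API).
    term   -> raw = "term": substring match on the raw line.
    regex  -> raw = /regex/: unanchored regular-expression search.
    sources/start/end narrow the data scanned, like the Log Source and time
    range selectors. Returns the matched text per hit (whole line for a term)."""
    rx = re.compile(regex) if regex is not None else None
    t0 = parse_ts(start) if start else None
    t1 = parse_ts(end) if end else None
    hits = []
    for ts, source, line in logs:
        t = parse_ts(ts)
        if sources is not None and source not in sources:
            continue  # Log Source selector
        if (t0 and t < t0) or (t1 and t > t1):
            continue  # time range selector (inclusive bounds)
        if term is not None and term not in line:
            continue
        if rx is not None:
            m = rx.search(line)
            if not m:
                continue
            hits.append(m.group(0))
        else:
            hits.append(line)
    return hits

if __name__ == "__main__":
    # The page's pattern: the unescaped '.' is a wildcard, so goo123xcom also matches.
    print(raw_search(RAW_LOGS, regex=r"goo\w{3}.com"))
    # Escaping the dot keeps the three look-alike domains and drops that false positive.
    print(raw_search(RAW_LOGS, regex=r"goo\w{3}\.com", sources={"DNS"}))
```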

Trend over time

Use the trend graph to understand the distribution of raw logs over the time range of your search. You can apply filters on the graph to look for parsed logs and raw logs.

Raw log results

When you run a raw log search, the results are a combination of the raw logs that match your search and the UDM events and entities generated from those raw logs. You can explore the search results further by clicking any of the results:

  • UDM event or entity: If you click a UDM event or entity, Google Security Operations shows any related events and entities, along with the raw log associated with that item.

  • Raw log: If you click a raw log, Google Security Operations shows you the entire raw log line, along with the source for that log.