Be Audit You Can Be, Part 2: How to Parse Out Fields in Your Logs

This blog post is the second and final in our “Be Audit You Can Be” series. Be sure to check out part one, which covers how to securely send and monitor your audit logs with InsightIDR.


I could look at logs all day long. If you are reading this article, you probably feel the same way! There are so many hidden gems nested in logs, although admittedly they are sometimes hard to find, especially when the logs are not normalized the way you want.


Let’s take a look at how InsightIDR’s Custom Data Parsing tool can make quick work of parsing out those interesting fields in the logs. As my example logs I am using both the audit and auth logs from InsightVM, our vulnerability management tool, but you can bring many different types of logs into InsightIDR, our SIEM security tool.


First, you do need to collect the logs and get them into InsightIDR.



For the audit.log and auth.log, I have followed the steps in this detailed blog post.


Let’s begin by finding the logs in Log Search. You can use the Custom Data Parser to parse out unparsed fields of data from already parsed logs, but in this article I will discuss using it for completely unparsed logs. I don’t want to call anyone’s baby ugly, but as you know, some of those unparsed logs can be messy and just downright difficult! The Custom Data Parser is going to help us wit ..