Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Log Parser Quality Check

Skyhigh Cloud Connector can perform a quality check for the configured log parser against the sample log file and analyze the output to determine whether the intended results are achieved or not.

The Log Parser Quality Check allows you to execute the quality check for the log parser without contacting Skyhigh CASB Support for self-service onboarding.

NOTES:

  • Quality Check cannot be run if it is accessed from an external network or if the CC is not reachable. You need to be inside your company's network and the CC instance needs to be up and running.
  • Currently, the log parser Quality Check is supported for all the log parser wizards: Upload Sample Log File, Ingest Log from Syslog, Import Existing Configuration, and Manual Configuration.
  • When you run Quality Check for log parser wizards: Import Existing Configuration and Manual Configuration, you may encounter improper results. Because currently on the Sub Configuration page, the fields Preprocessor Class Name supports only the Rule-Based Preprocessor option, and the File Format supports only the Bluecoat option. If you select other options from the list besides the specified options on the Sub Configuration page, you will find invalid results. This issue will be fixed in an upcoming release. 

You can perform the log parser Quality Check in two ways:

  1. Quality Check for New Sub Configuration.
  2. Quality Check for Existing Sub Configuration.

Quality Check for New Sub Configuration

To run a quality check for your new sub configuration, perform the following activities:

  1. Create a sub configuration and configure the log parser against your sample log file. For details, see Upload Sample Log File.
  2. Once you save your log parser configuration on the Sub Configuration page, you see the following screen:
    clipboard_ed61760eb27c66c5cfbf56b77a417590b.png
  3. To run a quality check now, click Run Quality Check. 
  4. On the Quality Check Summary page, review your Quality Check Results, and make sure your parser configuration attributes are mapped to the appropriate fields. To learn more about the Summary page, see Quality Check Summary. If these results do not match your requirements, you can always modify the log parser configuration. For detail, see Log Processing Sub Configuration - Upload Sample Log File.

Quality Check for Existing Sub Configuration

To run a quality check for your exiting sub configuration, perform the following activities:

  1. Once you save your log parser configuration on the Sub Configuration page, you can view the following screen:
    clipboard_e6f89c31ddfac90a09f74d837b1c99a61.png
  2. To run a quality check later, click Not Now.

NOTE: The uploaded sample log file is discarded. Later, you must upload it again to perform a Quality Check. 

  1. Under Log Processing > Sub Configuration section, your parser configuration is saved.
  2. Click Quality Check.
    clipboard_e2b984a6ec30b9dbdec8a6adb3c3bb447.png
  3. Select your Sub Configuration. To add a sample log file, click Add test file.
    clipboard_ed03c641af489abf0b1322becca6013fc.png
  4. Select the required data source to add your sample log file:
    • Upload Sample Log File. Upload the sample log file which you have uploaded for log parser configuration.
    • Ingest Log File from CC. To upload a log file from CC, you have to be on the same network where the Cloud Connector instance is up and running.

NOTE: The maximum size limit to upload a sample log file is 5 MB.

  1. Once the sample log file is uploaded, click Add.
    clipboard_e73e61926a8b61156ce912198241c7476.png
  2. Click Run
    clipboard_e9b355bb919f9823549a5984e2920c18a.png
  3. On the Quality Check Summary page, review your Quality Check Results. To learn more about the Summary page, see Quality Check Summary.
    clipboard_edd0bef6b0ac6389656dccb672ac87ead.png

Quality Check Summary

The Quality Check Summary provides the following information:

  • Results Bar. Displays the total percentage of the successful and failed attribute matches in log parser configuration.
    clipboard_eb4bce28609d333a38006111701ce730d.png
  • Executive SummaryThe Executive Summary displays an at-a-glance view of the total number of mapped attributes in the log parser configuration. It also shows the number of filtered events, and other details of the metadata of the parsed log file, such as total events generated, total upload size, file process rate, and file used.
  • Quality Check Table. Provides the validation details of matched attributes and sample event output of log parser configuration.

Executive Summary

Executive Summary provides the following information:

clipboard_ee8565d0ff7f7de945e68ae5cf9e2c137.png

  • Total Attributes. The total number of mapped attributes in parser configuration.
    • Required Matched. The number of required attributes successfully mapped in parser configuration.
    • Required Failed. The number of required attributes failed to map in parser configuration.
  • Events Filtered Out. The number of filtered events out of the total log line due to CSP Check and Skip URL is displayed on a funnel chart.  
    • Total Log Line. The total number of log lines present in the parsed log file.
    • CSP Check. The number of CSP IDs failed to map to the registry.
    • Skip URL. The URLs are skipped based on the format of the log line such as JavaScript, Images, CSS, MIME Type, and HTTP Status code.
  • Other Details. You can view the below details:
    • Total Event Generated. The total number of events generated using log parser.
    • Total Upload Size. The total size of the uploaded log file in parser configuration.
    • File Process Rate. The total size of the file parsed per second.
    • File Used. The number of sample log files parsed.

Quality Check Table

The Quality Check table comprises Attributes and Sample Event Output tabs.
clipboard_e79014fb350527a961174fa3285b5dde0.png

  1. Click the Attributes tab. The Attribute table provides the following information:
Column Name Description
Attribute The name of the attribute in the log parser file.
Valid Match The parsed attributes mapped to the appropriate field values.
Invalid Match The parsed attributes mapped to the inappropriate field values.

Attribute Type

The type of the mapped attribute in log parser configuration. The available Attribute Types are: 

  • Required
  • Optional
  1. Click any attribute in the table to see the Cloud Card for that attribute.
    clipboard_e0f96b15a6fd0fd1750a16924d8550928.png

The Attribute Cloud Card provides the following information:

  • Attribute
  • Configuration
  • Event Match
    • Total Event Match
    • Total Event Valid Match
  • Max frequency Attributes. The number of attribute entries to the IP addresses.
  1. To view the parser configuration results, click the Sample Event Output tab. Make sure the parser configuration attributes are mapped to the appropriate field values. If these results do not match your requirement, you can always modify the log parser configuration here.
    clipboard_ed76a500bbb71ad206a519b5f8192183d.png