Log Parser Quality Check
Skyhigh Cloud Connector can run a quality check of the configured log parser against a sample log file and analyze the output to determine whether the intended results are achieved.
The Log Parser Quality Check is self-service: you can run the quality check for the log parser during onboarding without contacting Skyhigh CASB Support.
- Quality Check cannot be run if it is accessed from an external network or if the Cloud Connector (CC) is not reachable. You need to be inside your company's network, and the CC instance needs to be up and running.
- Currently, the log parser Quality Check is supported for all the log parser wizards: Upload Sample Log File, Ingest Log from Syslog, Import Existing Configuration, and Manual Configuration.
- When you run Quality Check for the Import Existing Configuration and Manual Configuration log parser wizards, you may encounter improper results. On the Sub Configuration page, the Preprocessor Class Name field currently supports only the Rule-Based Preprocessor option, and the File Format field supports only the Bluecoat option. If you select any other option for these fields on the Sub Configuration page, the results will be invalid. This issue will be fixed in an upcoming release.
You can perform the log parser Quality Check in two ways:
- Quality Check for New Sub Configuration.
- Quality Check for Existing Sub Configuration.
Quality Check for New Sub Configuration
To run a quality check for your new sub configuration, perform the following activities:
- Create a sub configuration and configure the log parser against your sample log file. For details, see Upload Sample Log File.
- Once you save your log parser configuration on the Sub Configuration page, you see the following screen:
- To run a quality check now, click Run Quality Check.
- On the Quality Check Summary page, review your Quality Check Results, and make sure your parser configuration attributes are mapped to the appropriate fields. To learn more about the Summary page, see Quality Check Summary. If these results do not match your requirements, you can always modify the log parser configuration. For details, see Log Processing Sub Configuration - Upload Sample Log File.
Quality Check for Existing Sub Configuration
To run a quality check for your existing sub configuration, perform the following activities:
- Once you save your log parser configuration on the Sub Configuration page, you can view the following screen:
- To run a quality check later, click Not Now.
NOTE: The uploaded sample log file is discarded. Later, you must upload it again to perform a Quality Check.
- Your parser configuration is saved under the Log Processing > Sub Configuration section.
- Click Quality Check.
- Select your Sub Configuration. To add a sample log file, click Add test file.
- Select the required data source to add your sample log file:
- Upload Sample Log File. Upload the sample log file that you uploaded for the log parser configuration.
- Ingest Log File from CC. To upload a log file from CC, you must be on the same network where the Cloud Connector instance is up and running.
NOTE: The maximum size limit to upload a sample log file is 5 MB.
- Once the sample log file is uploaded, click Add.
- Click Run.
- On the Quality Check Summary page, review your Quality Check Results. To learn more about the Summary page, see Quality Check Summary.
Quality Check Summary
The Quality Check Summary provides the following information:
- Results Bar. Displays the total percentage of successful and failed attribute matches in the log parser configuration.
- Executive Summary. Displays an at-a-glance view of the total number of mapped attributes in the log parser configuration. It also shows the number of filtered events and other metadata details of the parsed log file, such as total events generated, total upload size, file process rate, and file used.
- Quality Check Table. Provides the validation details of matched attributes and the sample event output of the log parser configuration.
Executive Summary provides the following information:
- Total Attributes. The total number of mapped attributes in the parser configuration.
- Required Matched. The number of required attributes successfully mapped in the parser configuration.
- Required Failed. The number of required attributes that failed to map in the parser configuration.
- Events Filtered Out. The number of events filtered out of the total log lines due to CSP Check and Skip URL, displayed on a funnel chart.
- Total Log Line. The total number of log lines present in the parsed log file.
- CSP Check. The number of CSP IDs that failed to map to the registry.
- Other Details. You can view the following details:
- Total Event Generated. The total number of events generated using the log parser.
- Total Upload Size. The total size of the uploaded log file in the parser configuration.
- File Process Rate. The total size of the file parsed per second.
- File Used. The number of sample log files parsed.
Quality Check Table
The Quality Check table comprises Attributes and Sample Event Output tabs.
- Click the Attributes tab. The Attribute table provides the following information:
|Attribute|The name of the attribute in the log parser file.|
|Valid Match|The parsed attributes mapped to the appropriate field values.|
|Invalid Match|The parsed attributes mapped to the inappropriate field values.|
The type of the mapped attribute in log parser configuration. The available Attribute Types are:
- Click any attribute in the table to see the Cloud Card for that attribute.
The Attribute Cloud Card provides the following information:
- Event Match
- Total Event Match
- Total Event Valid Match
- Max frequency Attributes. The number of attribute entries to the IP addresses.
- To view the parser configuration results, click the Sample Event Output tab. Make sure the parser configuration attributes are mapped to the appropriate field values. If these results do not match your requirements, you can always modify the log parser configuration here.