Troubleshoot Mappers
This article provides guidance for administrators to diagnose, troubleshoot, and escalate issues with Sumo Logic Cloud SIEM log mappers.
Mappers are a critical component in the Cloud SIEM data ingestion pipeline. They serve as the second step in transforming raw log messages into structured records that can be used for threat detection and security analysis. Specifically, mappers:
- Take key-value pairs created during parsing and map them into the Cloud SIEM normalization schema.
- Assign classification to each log coming into Cloud SIEM.
- Determine the entities present in the record.
- Support the creation of high-fidelity detection rules.
For information about creating log mappers, see Create a Structured Log Mapping. For more general information about log mapping, and how it fits into the record creation process, see the Record Processing Pipeline topic. For a complete list of the standard log mappings, see Mappings in the Cloud SIEM Content Catalog.
Interpreting record failures and issuesβ
Failed Records dashboardβ
The Enterprise Audit - Cloud SIEM app provides dashboards and queries for greater visibility into Cloud SIEM activity. Troubleshooting parser failures is aided by the Cloud SIEM - Record Analysis - Failed Records dashboard and query found within the app. (The Enterprise Audit - Cloud SIEM app must be installed).
Common failure types:
- Parser failures. Include parser path and specific parsing error.
- Mapper failures. Usually mention mapper or mapping issues.
- Mixed failures. May indicate parser output doesn't match mapper expectations.
Mapping failure workflowβ
Failure can occur when no mapping matches logType=json
, vendor=<vendor>
set in the parser, product=<product>
set in the parser, or eventId=<event_id>
set in the parser.
Failed recordsβ
Failed records result when a mapper doesnβt match with the metadata set during log parsing:
- Vendor. No mapper exists with the specified vendor metadata defined in the parser. This is likely a mismatch for a custom (non-out-of-the-box) parser where a parser has been created without a corresponding mapper(s).
- Product. No mapper exists with the specified product metadata defined in the parser.
- Depending on the parser, product may be dynamic. Dynamic product parsers support multiple products from a vendor in a single parser.
- A mapper which corresponds to the product metadata coming from the parser may be missing.
- EventId. No mapper exists which matches the pattern of the
event_id
set in the parser. This is the most common failure. This occurs frequently when an event type or types occurs which is not anticipated in the mapper (or the parser as the case may be) and can be due to:- New event types from a vendor.
- Previously unseen event types.
- Unsupported events.
- Events which do not have security relevance.
- Events which do not contain an entity and therefore cannot contribute to signals and insights.
- Events in an unsupported format
- Log Type. For logs processed by parsers,
logType
is always JSON as the output of parsed logs is key value pairs stored in a JSON object. This is the case regardless of the original format the logs were ingested as (CEF, LEEF, XML, and so on).
Incomplete recordsβ
Incomplete records result when a record is created, but key information is not mapped. This can occur for several reasons:
- Fields expected in the mapper are not present in the parsed log.
- Vendor changes to key labels or their location.
- Configuration change.
- The parsed log is not parsed correctly. The parser is not providing key value pairs that are expected by the mapper due to a flaw in the parser.
- Fields parsed are not mapped.
- Only a catch-all or default mapper is present and doesnβt comprehensively normalize the log. Mappers using the default pattern exist where possible to ensure some minimal normalization and classification occurs.
- There is no appropriate schema field to normalize to. The Cloud SIEM records schema is limited, for fields which there is no corresponding normalized field, the original key value pairs extracted during parser which can be referenced in rules and records searches.
Investigating and resolving mapper failuresβ
A mapper does not exist for parsed eventsβ
Another common mapping issue occurs when a log successfully parses, is assigned mapping metadata (vendor
, product
, event_id
), but there is no corresponding mapper for the event_id
. In many cases a default pattern mapper exists which serves as a catch-all, but if this is not present, any logs which do not match a pattern defined in the mapper input will not create a record.
This assumes the data source for which the mapping is failing has a parser and mappers in place already. This applies to net-new data sources and parsers.
Failed record exampleβ
For this example, let's assume no mapping matched logType=json
, vendor=microsoft
, product=azure
, and eventId=AzureDevOpsAuditEvent
.
Troubleshooting workflowβ
- Determine how mapper metadata is assigned during log parsing.
- From the failed record:
- Get the value of
metadata_parser
. - Get value of
metadata_sourceMessageId
. - Get the value of from the reason field to determine:
- Vendor
- Product
- EventId
- Get the value of
- Load the parser found above in
metadata_parser
in step 1.- In the parser UI import messages from Sumo Logic log search using this query:
messageId=<value of metadata_sourceMessageId from step 1>
- Parse messages. Use the parsed field dictionary to determine what the input values of any mapper creation or change will be.
- In the parser UI import messages from Sumo Logic log search using this query:
- From the failed record:
- Examine existing mappers from the Log Mappings page in Cloud SIEM:
- Filter for the output vendor and product gathered in step 1.
- Note the event ID patterns present.
- You can do one of the following:
- If an existing pattern exists which is similar to the event ID captured in step 1 above, the mapper may be able to be adapted to accommodate the variation. Care should be taken to ensure the input fields in any adapted mapper match with the parsed output of the previously unmapped log. Out-of-the-box (system) mappers will need to be duplicated to be modified.
- An existing mapper may be used as a template if appropriate to map the previously unmapped log with the identified pattern.
- A new structured mapper can be created using the same input/output vendor and product info with JSON as the format (all parsed logs are output as JSON regardless of the original raw format) with the identified event ID pattern
A field is not mapped (normalized) in a recordβ
A common mapping issue is where a record is created but certain fields are not normalized and are potentially causing downstream issues, such as false-negative or false-positive signals, or causing searches based on records to fail in some way.
- Analyze the record.
- Determine what field(s) are missing. For example,
user_username
is not mapped, preventing the record from being considered for signals and correlation into insights. - Determine where does the data exist in the parsed log. Use the "fields" element in the record, which contains all parsed key value pairs from the original log, to find the location where the field needs to be mapped from. Note the key name.
- Determine what field(s) are missing. For example,
- Analyze and correct the mapper.
- Determine which mapper a record is mapped from using
metadata_mapperName
ormetadata_mapperUid
. - Determine how the mapper maps the desired field. Look in the mapper input column to determine which value(s) the mapper uses to map the field.
- Determine which mapper a record is mapped from using
- Modify the mapper.
- For OOTB (system) mappers, to make local changes, the mapper must be duplicated (disables the duplicated mapper).
- Assuming there is no obvious error in the original mapper, such as a misspelling of the input field, add the field determined in record analysis to the "Alt. Input Fields" for the desired mapped field. Alternate Input Fields are tried in this order:
- If the primary input field is missing, each alternate is tried until a match is found.
- If there are multiple matches in the list, only the first is considered.
- Validate the change. New mapped records should reflect the modification quickly.
A search for records using the modified/new mapper can be initiated from the log mappings page.
- Open the log mapping.
- Select Actions > Open in Record Search.
- Search records for the log mapping. Previously mapped records will not reflect mapper changes made after they were created.
Escalate mapper issuesβ
Sumo Logic Threat Labs Detection Engineering maintains all out-of-the-box Cloud SIEM content. Content includes parsers, mappers, rules, and normalization schema. For details about this content, see the Cloud SIEM Content Catalog.
Upon identifying an issue with a Cloud SIEM out-of-the-box parser using this article, it may be necessary to contact Support to escalate the issue to the Threat Labs team.
Escalation requirementsβ
Provide the following:
- A concise description of the problem.
- Screenshots are helpful for understanding current and potentially previous behavior if there was a change.
- Impacted mapper(s) (if applicable), including mapper name and or mapper UID (
metadata_mapperName
/metadata_mapperUid
).
- A representative raw log sample.
- Include logs which represent the issue.
- For new support or extension of an already supported source, include logs which represent the types of (possibly new) events.
- A security use case if it is not immediately obvious. Not all logs necessarily will be useful in Cloud SIEM
- Supporting documentation. Esoteric or poorly labelled values may require documentation which is not always publicly available.
- Configuration information.
- Many data sources will have options for configuring logging.
- It is important to understand what those settings are to address issues or develop new global support for a data source or offer advice for a custom solution if a global one is not appropriate.
Gather raw samplesβ
Prior to opening a support request, it is helpful to gather sample raw logs (without field extraction rules overwriting _raw
) which represent the identified issue.
Once a representative sample has been gathered it is recommended to export it as a CSV from Sumo Logic search to ensure no extraneous formatting is applied that might confound further troubleshooting by Sumo Logic Customer Success and Threat Labs teams.
Following are some ways to gather samples.
Search for message IDsβ
Gather a sample by searching for the map logs that are failing using the identified _messageId
(s):
_sourceCategory=<your/source/category>
| where _messageId in (<messageId1>,<messageId2>,<etc.>)
Identify an event IDβ
If a particular event ID or IDs as set in the parser using MAPPER:event_id
are failing to map, gather the failing event IDs. Construct a search query using the failing event IDs and gather unique examples of each _raw per event ID.
_sourceCategory=your/source/category
| fields eventID
| where eventID in ("list","of","eventIDs")
| first(_raw) by eventID
The first field will be _raw
log.
This query only surfaces the first example within the time range to cut down on duplication. It may be necessary to gather multiple examples if there is meaningful variation within each failing sample that may require further mapping changes.