Standard parser support policy
Google SecOps provides a wide range of prebuilt, out-of-the-box standard parsers to help you quickly ingest and normalize logs from various data sources. To maintain platform stability, predictable performance, and high-quality data normalization, Google SecOps uses a focused support model for standard parsers.
Parser support levels
Google SecOps offers the following levels of parser support:
| Parser Type | Description and Support |
|---|---|
| Premium parsers | Google SecOps provides high-quality parsers for the most widely used, high-volume data sources. Google typically processes customer requests for premium parsers within a few days. |
| Standard parsers | For other supported data sources, Google SecOps offers best-effort support. Requests for new field mappings are handled as feature requests and are part of the product backlog. To meet immediate needs, you can use the self-service parser extensions and Auto-Extraction capabilities. |
| Custom-built parsers and extensions | Google SecOps does not offer support for these. We recommend that you manage this either independently or with assistance from Google partners. |
For a complete list of Premium and Standard parsers, see Default Parser Configuration.
For an overview of parsing raw logs to the Unified Data Model (UDM) format, see Overview of log parsing.
Focus on Important UDM Fields
With over a million distinct fields ingested across different log formats, Google SecOps focuses its standard parser default mappings on the most critical security data.
Standard parsers are specifically scoped to map the Important UDM Fields. These fields represent the most critical data points required for effective downstream threat detection and context. For any fields outside of this core list, we highly encourage customers to map these using our comprehensive suite of self-service tools, such as Parser Extensions and Auto-Extraction.
Customer Support Tiers
Parser support and SLOs are differentiated based on your Google SecOps entitlement:
- Premium Support customers: Customers holding an Expert or Expert+ entitlement.
- Standard Support customers: Customers with Standard entitlement.
Standard Parser Request Matrix
Google triages and processes standard parser requests based on the nature of the request and your support tier.
| Request Type | Standard Customers | Expert / Expert+ Customers |
|---|---|---|
| Regression / Breakage (Major regressive effects on parsing) | Immediate rollback or fix. | Immediate rollback or fix. |
| New parser Requests OR requests for a new log format / schema in an existing parser | Built as a default parser only if requested by >= 10 customers, or based on Google business discretion. Otherwise, the system routes the request to self-service or partner / PSO paths. | Built as a default prebuilt parser or a Google SecOps GitHub parser based on Google discretion. |
| Missing/Incorrect "Important Fields" OR Incorrect "Non-Important Fields" | Handled using the parser queue and self-service tooling (best-effort, no SLO). | Prioritized in the parser queue (6-week SLO); parser extensions are offered for an immediate fix if needed. |
| Missing "Non-Important Fields" | Self-service only. Customers should use self-service tools (Extensions, Auto-Extraction) rather than opening support tickets. | Handled using the parser queue and self-service tooling. High-touch support is provided if necessary. |
Community and GitHub parsers
To provide a richer, more vibrant ecosystem for log parsing, Google SecOps maintains a dedicated Google SecOps GitHub repository.
This open-source ecosystem allows partners, vendors, and the Google SecOps community to contribute and maintain parsers. This ensures that even niche or highly specialized commercial products can have functional parsers available for deployment.
Low-Usage (Longtail) Prebuilt Parsers: To maintain high performance and focus engineering efforts on the most widely utilized data sources, prebuilt parsers used by a low number of customers are transitioned into community-maintained parsers on GitHub.
- Google releases only critical updates (breaking changes or severe normalization degradation for the majority of customers using it) to the prebuilt versions of these low-usage parsers.
- All new, non-critical enhancements or field additions for these parsers are contributed directly to the GitHub version. This approach open-sources these parsers and enables community contribution to the repository.
- Customers using these parsers are highly encouraged to migrate to the GitHub version to benefit from ongoing community and Google-contributed enhancements, rather than opening support tickets for the prebuilt version.
Comparison between the different parser variants
| Criteria | Prebuilt parsers (Premium + non longtail standard parsers) | Parsers on GitHub - offloaded longtail prebuilt parsers | Parsers on GitHub - community / partner created | Custom parsers |
|---|---|---|---|---|
| Ownership | Google Owned | Initial creation by Google and then community / partner owned (depends on the parser) | Community / partner owned | Customer owned |
| Parser deployment | Automatically deployed | The customer must pull the parser. | The customer must pull the parser. | Customer deploys |
| Changes (parser versions) | All changes done by Google | Community / partner owned. Google can contribute code where relevant. | Changes done based on community / partner contribution | All changes done by the customer |
| Support for user requests | Google supports the requests: Premium - all, Standard - focus on important UDM fields | Maintained by community / partner. Google can contribute code where relevant. | Fully maintained by community / partner | Fully maintained by the customer |