Tool: import_logs
Ingest raw logs directly into Chronicle SIEM.
Allows ingestion of raw log data in various formats (JSON, XML, CEF, etc.) into Chronicle for parsing and normalization into UDM format. Supports both single log and batch ingestion.
Agent Responsibilities:
1. Obtain forwarder_id: You MUST provide a valid forwarder_id. Use forwarder management tools if needed.
4. Timestamp Formatting: Ensure any provided timestamps are in the correct ISO 8601 format.
Workflow Integration:
- Use this tool to feed external log sources directly into Chronicle for analysis.
- Ingested logs are automatically parsed using Chronicle's configured parsers for the specified log type.
- Parsed logs become searchable through UDM queries and can trigger detection rules.
- Essential for integrating custom applications, legacy systems, or non-standard log sources with Chronicle.
Use Cases:
- Ingest OKTA authentication logs for user behavior analysis.
- Feed custom application logs into Chronicle for security monitoring.
- Batch ingest historical logs during initial Chronicle deployment.
- Import logs from external SIEM or log management systems.
- Ingest Windows Event logs in XML format for endpoint monitoring.
Args:
- log_type (str): Chronicle log type identifier (e.g., "OKTA", "WINEVTLOG_XML", "AWS_CLOUDTRAIL"). Use get_available_log_types to see supported types.
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
- forwarder_id (str): Custom forwarder ID for log routing. This is REQUIRED.
- logs (List[Dict[str, Any]]): A list of prepared log entry objects as described in Agent Responsibilities.
Returns: str: Success message with operation details, including any operation IDs for tracking. Returns error message if ingestion fails.
Example Usage:

```python
# Single OKTA log ingestion (okta_log is a prepared log entry object,
# as described in Agent Responsibilities)
import_logs(
    log_type="OKTA",
    project_id="my-project",
    customer_id="my-customer",
    region="us",
    forwarder_id="b1a2d3c4-....",
    logs=[okta_log],
)

# Batch Windows Event log ingestion
import_logs(
    log_type="WINEVTLOG_XML",
    logs=["<Event>...</Event>", "<Event>...</Event>"],
    project_id="my-project",
    customer_id="my-customer",
    region="us",
    forwarder_id="b1a2d3c4-....",
)
```
Next Steps (using MCP-enabled tools): - Verify ingestion success by searching for the ingested logs using udm_search. - Monitor for any parsing errors or failed ingestion through Chronicle's ingestion status APIs. - Create or update detection rules to analyze the newly ingested log types. - Set up alerting for important events found in the ingested logs. - Use entity lookup tools to analyze indicators found in the ingested data.
The following sample demonstrates how to use curl to invoke the import_logs MCP tool.

Curl Request:

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
  --header 'content-type: application/json' \
  --header 'accept: application/json, text/event-stream' \
  --data '{
    "method": "tools/call",
    "params": {
      "name": "import_logs",
      "arguments": {
        // provide these details according to the tool's MCP specification
      }
    },
    "jsonrpc": "2.0",
    "id": 1
  }'
```
Input Schema

Request message for importing logs.

ImportLogsRequest

JSON representation:

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "logs": [
    string
  ],
  "forwarderId": string
}
```

| Fields | |
|---|---|
| projectId | Project ID of the customer. |
| customerId | Customer ID of the customer. |
| region | Region of the customer. |
| logType | Log type of the logs to import. |
| logs[] | Logs to import. |
| forwarderId | Forwarder ID of the logs to import. |
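The following script is an added example, not code from this page or from the Chronicle project, showing how a client could build the `tools/call` request body for `import_logs` from the ImportLogsRequest schema above while enforcing the two Agent Responsibilities (a forwarder ID must be present; timestamps must be ISO 8601). It assumes the MCP `arguments` object uses the camelCase field names of ImportLogsRequest, that `logs[]` carries each entry as a string (so JSON objects are serialized and raw XML passes through unchanged), and that a JSON log's timestamp lives under a key such as `published`; the sample OKTA-style event, the Windows event string and the forwarder ID are constructed placeholders, not real data.

```python
import json
from datetime import datetime

# Endpoint as shown in the page's curl sample.
MCP_ENDPOINT = "https://chronicle.googleapis.com/mcp"

# Constructed sample inputs (placeholders, not real identifiers or events).
FORWARDER_ID = "00000000-0000-0000-0000-000000000000"  # placeholder forwarder_id
SAMPLE_OKTA_LOG = {  # constructed OKTA-style event for illustration only
    "eventType": "user.session.start",
    "published": "2024-05-01T12:34:56.000Z",
    "actor": {"alternateId": "alice@example.com"},
    "outcome": {"result": "SUCCESS"},
}
SAMPLE_WINEVT_LOG = "<Event><System><EventID>4624</EventID></System></Event>"


def is_iso8601(ts):
    """True if ts is an ISO 8601 timestamp carrying an explicit offset or 'Z'."""
    if not isinstance(ts, str):
        return False
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


def serialize_log(entry):
    """logs[] is a list of strings: serialize dict entries, pass strings through."""
    if isinstance(entry, str):
        return entry
    return json.dumps(entry, separators=(",", ":"))


def validate_timestamps(entry, keys=("published", "timestamp", "time")):
    """Assumed check for Agent Responsibility 4: any of these keys, if present,
    must hold an ISO 8601 value. Raw XML/CEF strings are not inspected here."""
    if not isinstance(entry, dict):
        return True
    return all(is_iso8601(entry[k]) for k in keys if k in entry)


def build_import_logs_request(project_id, customer_id, region, log_type,
                              forwarder_id, logs, request_id=1):
    """Return the JSON-RPC 2.0 body for a tools/call of import_logs.

    Raises ValueError if a required field is empty (forwarder_id included,
    per Agent Responsibility 1) or a log entry carries a bad timestamp.
    """
    required = {
        "projectId": project_id,
        "customerId": customer_id,
        "region": region,
        "logType": log_type,
        "forwarderId": forwarder_id,
    }
    missing = [name for name, value in required.items() if not value]
    if missing:
        raise ValueError("missing required fields: %s" % ", ".join(missing))
    if not logs:
        raise ValueError("logs must contain at least one entry")
    for index, entry in enumerate(logs):
        if not validate_timestamps(entry):
            raise ValueError("log %d has a timestamp that is not ISO 8601" % index)
    arguments = dict(required)
    arguments["logs"] = [serialize_log(entry) for entry in logs]
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "import_logs", "arguments": arguments},
    }


def example_batch_request():
    """Build a request that mixes a JSON OKTA event and a raw XML Windows event.
    Mixing log types in one call is only for illustration; in practice each
    call should carry one logType, as the schema has a single logType field."""
    return build_import_logs_request(
        project_id="my-project", customer_id="my-customer", region="us",
        log_type="OKTA", forwarder_id=FORWARDER_ID,
        logs=[SAMPLE_OKTA_LOG, SAMPLE_WINEVT_LOG],
    )


if __name__ == "__main__":
    # The printed body is what the page's curl sample passes via --data.
    print(json.dumps(example_batch_request(), indent=2))
```

Posting the body is left to the caller (for example, the curl sample above with the printed JSON as its `--data` value), so the script runs offline; the validation is what matters here, since a rejected forwarder ID or timestamp surfaces as an ingestion error only after the call is made.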
Output Schema
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:

```
service Foo {
  rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}
```
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌