🔥 3-day streak
Professional Security Operations Engineer80 / 241
Question 80 of 241

A security operations engineer is onboarding a third-party web application firewall (WAF) into Google SecOps. The vendor's appliance emits two distinct log formats depending on the event category: HTTP transaction logs in structured JSON and administrative/audit events in syslog key-value pairs. Both formats arrive on the same forwarder feed under one log source. During validation, the engineer notices that only the JSON events are producing correctly normalized UDM records, while the audit events generate parser errors. What is the most appropriate way to ensure both formats are correctly parsed and normalized?

Reviewed for accuracy · Report an issueNext question