
Update: Make statedump data readable format#179

chase-moxley wants to merge 1 commit intogoogle:mainfrom
chase-moxley:Statedumpfix


@chase-moxley

Having the output of --statedump-allowed emitted in a readable format will make parser creation and troubleshooting easier. Submitting these changes as a POC. I had Gemini create the code.

Command example

  • statedump{} has to be set in parser

uv run secops parser run --log-type WINEVTLOG --parser-code-file "test.conf" --logs-file "logs.logs" --statedump-allowed

Old output

"statedumpResult": "\n\nInternal State (label=):\n{\n  \"@collectionTimestamp\": {\n    \"nanos\": 0,\n    \"seconds\": 1770346269\n  },\n  \"@createTimestamp\": {\n    \"nanos\": 0,\n    \"seconds\": 1770346269\n  },\n  \"@enableCbnForLoop\": true,\n  \"@onErrorCount\": 0,\n  \"@output\": [],\n  \"@timestamp\": {\n    \"nanos\": 0,\n    \"seconds\": 1770346269\n  },\n  \"@timezone\": \"\",\n  \"application\": \"Salesforce\",\n  \"auth_method\": \"MFA_DUO\",\n  \"browser\": \"Chrome\",\n  \"event\": {\n    \"idm\": {\n      \"read_only_udm\": {\n        \"metadata\": {\n          \"event_type\": \"GENERIC_EVENT\"\n        },\n        \"target\": {\n          \"user\": {\n            \"userid\": \"jdoe_99\"\n          }\n        }\n      }\n    }\n  },\n  \"event_time\": \"2026-02-04T15:30:45.123Z\",\n  \"event_type\": \"USER_LOGIN\",\n  \"geo_city\": \"Texas\",\n  \"message\": \"{\\\"event_time\\\":\\\"2026-02-04T15:30:45.123Z\\\",\\\"event_type\\\":\\\"USER_LOGIN\\\",\\\"status\\\":\\\"SUCCESS\\\",\\\"user\\\":{\\\"user_id\\\":\\\"jdoe_99\\\",\\\"user_email\\\":\\\"jane.doe@example.com\\\",\\\"department\\\":\\\"Sales\\\"},\\\"source_ip\\\":\\\"192.168.1.50\\\",\\\"application\\\":\\\"Salesforce\\\",\\\"auth_method\\\":\\\"MFA_DUO\\\",\\\"browser\\\":\\\"Chrome\\\",\\\"os\\\":\\\"MacOS\\\",\\\"geo_city\\\":\\\"Austin\\\",\\\"session_id\\\":\\\"ABC-123-XYZ\\\"}\",\n  \"os\": \"MacOS\",\n  \"session_id\": \"ABC-123-XYZ\",\n  \"source_ip\": \"192.168.1.50\",\n  \"status\": \"SUCCESS\",\n  \"user\": {\n    \"department\": \"Sales\",\n    \"user_email\": \"jane.doe@example.com\",\n    \"user_id\": \"jdoe_99\"\n  },\n  \"error\": {\n    \"e001\": false,\n    \"e002\": false\n  }\n}\n\n"
        }
      ],
      "parsedEvents": {
        "events": [
          {
            "event": {
              "metadata": {
                "eventTimestamp": "2026-02-06T02:51:09Z",
                "eventType": "GENERIC_EVENT",
                "logType": "WINEVTLOG"
              },
              "target": {
                "user": {
                  "userid": "jdoe_99"
                }
              }
            }
          }

Output with update.

      "statedumpResults": [
        {
          "statedumpResult": {
            "info": "Internal State (label=):",
            "state": {
              "@collectionTimestamp": {
                "nanos": 0,
                "seconds": 1770346650
              },
              "@createTimestamp": {
                "nanos": 0,
                "seconds": 1770346650
              },
              "@enableCbnForLoop": true,
              "@onErrorCount": 0,
              "@output": [],
              "@timestamp": {
                "nanos": 0,
                "seconds": 1770346650
              },
              "@timezone": "",
              "application": "Salesforce",
              "auth_method": "MFA_DUO",
              "browser": "Chrome",
              "event": {
                "idm": {
                  "read_only_udm": {
                    "metadata": {
                      "event_type": "GENERIC_EVENT"
                    },
                    "target": {
                      "user": {
                        "userid": "jdoe_99"
                      }
                    }
                  }
                }
              },
              "event_time": "2026-02-04T15:30:45.123Z",
              "event_type": "USER_LOGIN",
              "geo_city": "Texas",
              "message": "{\"event_time\":\"2026-02-04T15:30:45.123Z\",\"event_type\":\"USER_LOGIN\",\"status\":\"SUCCESS\",\"user\":{\"user_id\":\"jdoe_99\",\"user_email\":\"jane.doe@example.com\",\"department\":\"Sales\"},\"source_ip\":\"192.168.1.50\",\"application\":\"Salesforce\",\"auth_method\":\"MFA_DUO\",\"browser\":\"Chrome\",\"os\":\"MacOS\",\"geo_city\":\"Austin\",\"session_id\":\"ABC-123-XYZ\"}",
              "os": "MacOS",
              "session_id": "ABC-123-XYZ",
              "source_ip": "192.168.1.50",
              "status": "SUCCESS",
              "user": {
                "department": "Sales",
                "user_email": "jane.doe@example.com",
                "user_id": "jdoe_99"
              },
              "zerror": {
                "JSON_Message": false,
                "REPLACE_": false
              }
            }
          }
        }
      ],
      "parsedEvents": {
        "events": [
          {
            "event": {
              "metadata": {
                "eventTimestamp": "2026-02-06T02:57:30Z",
                "eventType": "GENERIC_EVENT",
                "logType": "WINEVTLOG"
              },
              "target": {
                "user": {
                  "userid": "jdoe_99"
                }
              }
            }
          }
        ]
      }
    }
  ]

Statedump is used in parser creation and troubleshooting.
@chase-moxley chase-moxley marked this pull request as ready for review February 6, 2026 03:10
