- Exabeam Auto Parser Generator
- Create a Custom Parser Using Auto Parser Generator
- Duplicate a Parser Using Auto Parser Generator
- Import a Custom Parser Into Auto Parser Generator
- Edit a Custom Parser in Auto Parser Generator
- Delete a Custom Parser In Auto Parser Generator
- Tokenize Non-Standard Log Files
- Event Types in Custom Parsers
- What's New in Auto Parser Generator
Event Types in Custom Parsers
An event type is a schema that all events are mapped to so components — including the Analytics Engine, models, rules, and Smart Timelines — process them consistently. To ensure that your custom event builder creates an event from your sample logs that other components can process correctly, you must categorize your logs into an event type.
To simplify this process, you can only choose one event type. To categorize the logs into another event type, you must create another parser. Typically, after a parser parses a log, the event builder matches the log to an appropriate event type in two ways: using fields in the event builder definition, or the parser name. Currently, an event builder you create with Auto Parser Generator only uses the parser name, and not the event builder definition fields.
For example, let's look at login-success and login-failure events. These events differ only on the result field. For login-success, result = success; for login-failure, result = failure. If the event builder matches logs to event types using event builder definition fields, one parser parses both events and the event builder decides on the appropriate event type, based on the results field. Since Auto Parser Generator event builders only use the parser name, you must create two different parsers, then associate each event builder with a different event type.
If you can't find the appropriate event type for your sample logs:
The event type may be named differently in Auto Parser Generator than what you had in mind. To find your event type, you might find it helpful to review a list of all supported event types.
The event type may not best be detected or investigated using Advanced Analytics because it doesn't indicate much useful information about a user or asset; for example, when a user logs out or terminates a process. Instead, consider storing and investigating the log in Exabeam Data Lake. Data Lake .