Reprocess Jobs
Two types of reprocessing are available in Advanced Analytics. You can reparse raw logs to generate new events, or you can run the analytics engine to reprocess the log feeds.
To access any of the Exabeam reprocessing options, navigate to the Exabeam Engine page in Advanced Analytics:
From the left sidebar, click SETTINGS, then select Analytics.
Under Admin Operations, select Exabeam Engine.
Procedures for reprocessing vary depending on which type of reprocessing you want to start. See the appropriate sections below for more information.
Reparse Raw Logs to Create New Events
Use this option when you want to re-ingest raw log data to parse new events. The procedure for re-parsing log data varies depending on which version of Advanced Analytics you are using. For more information, see the appropriate section below.
In this Advanced Analytics version, you can use the UIP Log Reprocessing option located in the Exabeam Unified Log Ingestion Engine panel. When you click this option, you are redirected to the cloud-based Log Stream functionality. Log Stream provides visibility into the unified ingestion pipeline with the following tabs:
Re-parsing Jobs – You can opt to re-parse logs by scheduling a re-parsing job.
Live Tail – View samples of incoming data in real time to ensure proper processing.
In this Advanced Analytics version, you can use the Ingest Log Feeds option located in the Exabeam Log Ingestion Engine panel. When you click this option, the LIME engine is restarted so that it ingests logs from log feeds that are defined in the Advanced Analytics Log Feeds settings.
To restart the LIME engine:
Click Ingest Log Feeds, and select specific log feeds for restart.
Select a restart option from the following settings:
Restart the engine – The engine continues processing from where it left off.
Restart from the initial training period – The engine continues processing from the initial training period.
Restart from a date – The engine continues processing from a specified date.
Click Ingest feeds to start the engine.
Run the Analytics Engine to Reprocess Log Feeds
Reprocess analytics engine jobs when you have made changes that you want to see reflected in events and timelines.
In the Exabeam Analytics Engine panel, click Restart Processing and select a restart option from the following settings:
Restart the engine – The engine continues processing from where it left off.
Restart from the initial training period – The engine continues processing from the initial training period.
Restart from a date – The engine chooses the nearest snapshot available for the specified date and reprocesses from this date.
Click Process to start the engine. The system validates any changes and checks for errors. If errors are identified, they are listed and the engine does not start processing. If no errors are identified, the engine starts.
To view the status of these reprocessed analytics engine jobs, click the Reprocessing Jobs tab in the status table at the bottom of the Exabeam Engine page. This tab shows the status of each reprocessed job, such as completed, in-progress, pending, and canceled.
To cancel a reprocessing job for any reason, select the job in the Reprocessing Jobs table and then click Cancel Job.
Configure Job Status Notifications
You can configure email and Syslog notifications for certain job reprocessing status changes, including start, end, and failure. For information about configuring these notifications, see Notifications. You'll find the job status check boxes listed under Notifications by Product > Advanced Analytics.