Skip to main content

Security ContentExabeam Security Content in the Common Information Model

Multi-Log Event Building

In some scenarios, the data required to build a single event is spread across multiple logs. Exabeam supports multi-log event building, also known as event stitching, to extract the relevant information from different parsed logs and create a single event.

You can view event builder definitions in Log Stream by opening the Parser Details for a specific parser and viewing the event_builder.conf file on the Configuration Files tab. For more information about event builder parameters, see Anatomy of an Event Builder

Two types of multi-log event builders are currently available and they support only default Exabeam parsers:

  • Binary Merger – Used to combine information from exactly two log messages into a single event. This type of event builder can be identified by a tracker parameter with the value ContivityMultiEventTracker. This type of event builder extracts information, based on a specified ID, from two parsed messages. When both messages have been received, a single event is built.

  • Sequence Merger – Used to combine information from a variable number of parsed messages into a single event. This type of event builder can be identified by a tracker parameter with the value VariableMessageMultiEventTracker. This type of event builder extracts information from multiple parsed messaged, based on a specified ID, until it receives a message with the same ID that contains a sequence-stopper. Then collection stops and the extracted information is stitched together and a single event is built.