Associating a Log with a Parser
In the unified ingestion pipeline, logs are associated with the correct parser based on a unique string or strings that are present in the log. These strings are specified in the Condition parameter of the parser. If multiple conditions are specified, all of the conditions must exist in the log for the parser to take effect. For more information about the elements of a parser, see Anatomy of a Parser.
Logs entering the unified ingestion pipeline are evaluated against parsers consecutively until they match all of the conditions of a specific parser. When a log is matched to a parser, no further evaluation takes place. The parser with the matched conditions is used to parse the event.
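The following added example (a simplified Python model, not Exabeam code) reproduces the two rules above, all conditions must match and the first matching parser wins, and goes one step further by flagging parsers that can never be selected because an earlier, broader parser always matches first. The parser names, conditions, evaluation order and log lines are constructed for illustration.

```python
# Simplified model of the matching behaviour described above (not Exabeam code).
# Parser names, conditions and log lines are constructed for illustration.
from typing import Optional

PARSERS = [  # assumed evaluation order: top to bottom, first full match wins
    ("generic-sshd", ["sshd["]),
    ("sshd-failed-login", ["sshd[", "Failed password"]),
    ("win-4624", ["EventID=4624", "Microsoft-Windows-Security-Auditing"]),
]

def match_parser(log: str, parsers=PARSERS) -> Optional[str]:
    """Return the first parser whose conditions ALL occur in the log."""
    for name, conditions in parsers:
        if all(cond in log for cond in conditions):
            return name  # no further parsers are evaluated
    return None  # no parser matched: the log stays unparsed

def find_shadowed(parsers=PARSERS) -> list:
    """List (earlier, later) pairs where the later parser can never be selected.

    If every condition of an earlier parser is contained in some condition of
    a later parser, any log satisfying the later one also satisfies the
    earlier one, which is evaluated first.
    """
    shadowed = []
    for i, (early, early_conds) in enumerate(parsers):
        for late, late_conds in parsers[i + 1:]:
            if all(any(e in l for l in late_conds) for e in early_conds):
                shadowed.append((early, late))
    return shadowed

SAMPLE_LOGS = [  # constructed log lines
    "Jan 10 10:00:01 host1 sshd[811]: Failed password for root from 203.0.113.7 port 4242 ssh2",
    "EventID=4624 Provider=Microsoft-Windows-Security-Auditing User=alice",
    "EventID=4624 Provider=Other User=bob",
]

if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        print(match_parser(log) or "UNPARSED", "<-", log[:50])
    for early, late in find_shadowed():
        print(f"'{late}' is shadowed by earlier parser '{early}'")
```

In this model the failed-login line is claimed by the broader parser, so any fields only the specific parser extracts are never produced, and the third line matches nothing because one of the two required strings is absent.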