Security ContentExabeam Security Content in the Legacy Structure

Different event builders can match the output of the same parser to create different event types. This is done to create different event types based on what is seen in the log.

There is also no issue with having a single event builder match the output of several parsers. This is done for example when there are several formats of an event that require several parsers (for example, a Windows event is collected with Snare and Beats from different systems). In fact, this will reduce the number of event builders and make them easier to manage.

However, unlike in the parsing stage where a parser cannot match with an event if the event has already been matched with another parser, multiple event builders can apply to a single message. This results in the creation of multiple events for a single log. Therefore, it is important to make sure that no more than one event builder will match a parsed message. This is usually done by creating a condition on the name of the desired parser as well as some of the data in the message, if necessary. There may be special cases in which more than one event should be created for a single log.