Associating a Log with a Parser

Welcome to Exabeam Security Content
- Security Content in the Legacy Structure
What is Security Content?
- The Security Content Pipeline
- The Content Library
Understanding the Log
- Do You Need a Parser?
  - Parsing for Data Lake
  - Parsing for Advanced Analytics
- Log Process Example
Exabeam Parsers
Exabeam Event Building
Exabeam Enrichment
Exabeam Persistence and Templates
Exabeam Models
Exabeam Rules

The parsing engine associates a log with the correct parser by using a unique string or strings that are present in the log. These strings are specified in the Condition parameter of the parser. If multiple conditions are specified, all of the conditions must exist in the log for the parser to take effect.

Parser conditions are evaluated according to their order in the parser list. A log entering the ingestion engine is checked against the conditions of the first parser in the list. If the conditions don't match, then the log moves on to the next parser in the list, and so on. When a log matches a parser, no further parser conditions are evaluated. The parser with the matched condition is used to parse the event.

Note

If two parsers have similar conditions, list the parser with the broader condition below the parser with more specific condition. Otherwise, the parser with the broader condition will also parse the more specific logs.

Security ContentExabeam Security Content in the Legacy Structure

Table of ContentsTable of Contents

Associating a Log with a Parser

Note