Skip to main content

Security ContentExabeam Security Content in the Legacy Structure

How to Persist a Field

In order to persist a new field associated with an event on the UI, the new field entry must be added to the PersistedEventFields section of the custom_exabeam_config.conf file.

Note

Be sure to define this configuration in the custom configuration file (/opt/exabeam/config/custom/custom_exabeam_config.conf). Do not change the default configuration file.

For example, to persist a new field, vpn_source_location, that's associated with a parsed and enriched vpn-login event, add it to PersistedEventFields as shown in the sample below. Don't forget to enclose the entry within PersistedEventFields { } as shown below.

PersistedEventFields {
----------------------
----------------------
vpn-login = [_id,
  vendor,
  src_ip,
  src_host,
  "GetValue('country_code',src_ip)",
  "GetValue('isp',src_ip)",
  "GetValue('zone_info',dest)",
  src_translated_ip,
  dest_host,
  dest_ip,
  src_network_type,
  realm,
  os,
  vpn_source_location]
----------------------
----------------------
}