Parser Management
Parsers are individually managed for performance and can be paused by Exabeam Data Lake. This automated Data Lake action is based on performance thresholds, assessed from a holistic standpoint, to maintain system operability.
How to Set Parser Policy
You can select the parsing policy that determines whether Exabeam Data Lake prioritizes parsing of all ingested raw logs, events-per-second throughput, or a balance of both.
For custom parsers, you can adjust the threshold for pausing parsers based on resource priority:
Navigate to Settings > Parsers Management > Parsers Management.
In the Parser Policy panel, the currently active parser policy is shown at the bottom of the text.
Click EDIT to expand the configuration options. Select the performance preference that best suits your operation and is less likely to trigger the parser to be paused. The categories are defined by the parser's impact on performance.
The thresholds are:
Optimized for parsing -- The parser has consumed more than 80% of Data Lake log processor performance.
Balanced -- The parser has consumed more than 50% of Data Lake log processor performance.
System Focused -- The parser has consumed more than 30% of Data Lake log processor performance.
Click APPLY to implement your preference. The parsing policy takes effect immediately. There is no need to restart services.
How to View Parser Performance
You may want to see how performance for a paused parser has changed after setting the parser policy or verify that parser performance is acceptable overall. The data is available within 7 days of a pause. You can view performance per parser at the Parser Management menu by clicking View in the PARSER STATISTICS column. The usage, average parsing time, average system parsing time, performance change, and time of the reading are cumulatively displayed.
To see parser performance data for a specific parser, navigate to Settings > Parser Management > Parsers Management > click View for the parser in the Parser Statistics column.
How to Re-enable Paused Parsers
Parsers may be paused based on the performance threshold set by the Parser Policy. Parsers can be manually resumed, but be aware that they can be re-paused if the performance threshold is breached again.
To resume a paused parser:
Navigate to Settings > Parsers Management > Parsers Management.
Review the list of Paused Parsers. If you have resolved the cause of the slow parser, you may re-enable the paused parser by clicking START or the PARSE NAME checkbox for a batch start.