Create a Custom Parser
The parser management feature guides you through the process to create custom parsers for Exabeam products that aren't available by default. Consider creating your own parsers to modify an existing parser to your needs, to ingest logs from an unsupported vendor or your own custom application, or if a vendor changes their log format.
You can create a parser from scratch, or use a default parser as a starting point.
Creating a custom parser, and corresponding custom event builders, requires following several basic steps, with variations at each step:
Pause your work at any time. Parser Manager saves your progress after each step, and after you change anything. If you leave while creating a parser, the incomplete parser appears in the list of parsers with a Draft status. To pick up where you left off, edit the parser.
Before you begin, you should:
Be familiar with how parsers and event builders work, and how all these components work with the Data Parsing Engine and or the Analytics Engine.
Gather sample logs containing the same format and syntax as the raw data your system typically ingests.
If you obtain the logs from another system, some log lines may be nested under structures not sent to to your system; for example, a syslog may be nested in a CSV file. Ensure that you remove these structures.
If you obtain the logs in a custom or non-standard way, like using a proprietary script or from an uncommon log system, remove any redundant escape characters; for example,
"","""",\r,\n,\t,\\\\, or\{.
To start creating a custom parser:
Log on to the Exabeam SOC Platform.
Select the Log Stream tile.
The Log Stream homepage appears. You should be on the Parsers Overview tab.
Click +New Parser.
The New Parser page appears. You will be on the Add Log Sample stage of creating a new parser.