- Log Stream Overview
- Parser Manager
- Parsers Overview
- View Parser Details
- Create a Custom Parser
- Import Sample Logs
- Define a Subset of the Sample Logs
- Add Conditions
- Add Basic Parser Information
- Extract Event Fields
- Extract Mapped JSON Fields
- Select JSON Fields from a List of Key/Value Pairs
- Select Tokenized JSON Fields from the Values in the Sample Log
- Manually Enter JSON Path Expressions
- Reorder Mapped JSON Fields
- Review the Matching JSON Fields and Values
- Add Logic to JSON Field Extraction
- Expressions for Extraction Conditions
- Array Log Sample
- Extract Fields Using Regular Expressions
- Extract Mapped JSON Fields
- Add Event Builder Rules
- Review and Save Parser
- Manage Existing Custom Parsers
- Tokenize Non-Standard Log Files
- Customize a Default Parser
- Duplicate a Parser
- Enable or Disable Parsers
- Live Tail
Add Event Builder Rules
In this step, create rules that tell Exabeam which activity type to assign to logs parsed by this parser. Choose both the conditions that trigger the rule, and the activity type that gets assigned.
You can also add multiple parsers whose parsed logs you want to be assigned to activity types based on the same event builder rules.
To assign event builder rules:
Select a Landscape and a Platform from the drop-down menus.
Landscape—a category of the platform, for example, Database.
Platform—the environment or application in which the event took place, for example, Windows.
Note
To add a custom landscape or platform, click + New Landscape or + New Platform at the bottom of the respective lists. Specify the custom Landscape name and Platform name. Then click Save.
Click +Add event builder rule.
The Add Event Builder Rule dialog box opens.
In the Rule Name field, enter a unique name for the new rule.
In the When section of the dialog box, to the following to add any additional parsers that you want to apply the new event builder rule to:
Click Add Parser. A new Parser row is added.
Click + Parser to display the drop down arrow.
Either start typing a parser name or click the drop down arrow and select a parser name from the available list.
If you want to select an additional parser, click Add Parser again and repeat the process.
Also in the When section of the dialog box, do the following to add conditions, or groups of conditions, to define when the event rule should be applied.
To specify how to apply the conditions you are about to define, click All in All of the following are true. Select the appropriate options to specify that any, all, not any, or not all of the conditions must be true in order for the rule to be applied.
Click Add condition or Add Group.
Select a Field and an operator and enter a Value.
Repeat these steps to add additional conditions.
Note
To apply a condition to only upper or lower case data, click fx to the left of a condition and select the appropriate operator.
To add a subgroup of conditions, click Add Group. A new All of the following is true row is added. Click Add Condition for the new group and repeat the steps to add conditions. You can also specify how the conditions in the subgroup should be applied by clicking All and selecting a different option.
When your event builder rule is complete, click Save. The new rule is saved and the dialog box closes.
To add an additional rule to the parser, click + Add event builder rule again and repeat steps 3-5 until you have added all of your desired rules.
Click Next.
The Review & Save page appears.