- Log Stream Overview
- Parser Manager
- Parsers Overview
- View Parser Details
- Create a Custom Parser
- Import Sample Logs
- Define a Subset of the Sample Logs
- Add Conditions
- Add Basic Parser Information
- Extract Event Fields
- Extract Mapped JSON Fields
- Select JSON Fields from a List of Key/Value Pairs
- Select Tokenized JSON Fields from the Values in the Sample Log
- Manually Enter JSON Path Expressions
- Reorder Mapped JSON Fields
- Review the Matching JSON Fields and Values
- Add Logic to JSON Field Extraction
- Expressions for Extraction Conditions
- Array Log Sample
- Extract Fields Using Regular Expressions
- Extract Mapped JSON Fields
- Add Event Builder Rules
- Review and Save Parser
- Manage Existing Custom Parsers
- Tokenize Non-Standard Log Files
- Customize a Default Parser
- Duplicate a Parser
- Enable or Disable Parsers
- Live Tail
Extract Event Fields
In this step, you will extract, from the parsed log, the event fields that you want to map to Exabeam common information model fields so that you can define appropriate event builders in the next step.
Fields Panel
A Fields panel on the left lists all of the Core, Detection, Informational, Other, and Custom fields available for the activity types you selected in the previous step.
Core fields are mandatory to create an event. You must extract all core fields for the parser to be valid. Core fields are also required for event creation and visibility in the UI, and to continue to the next step.
Although Detection and Informational fields are optional, extracting these fields can help with the processing and display of events.
Other and Custom fields are completely optional. You can add fields to these lists as follows:
To add a new field to the Other field list, click + New field at the bottom of the Other field list. In the Select a Field dialog box, search for and select a field to add it to the list. If the field you want to add is not in the available, click + New custom field to create a new custom field (see below).
To add a new field to the Custom field list, click + New custom field at the bottom of the Custom field list. Enter a field name, which will be prefixed with _c automatically, and an optional description. Select the data type and click Save to add the new custom field to the list.
Field Extraction Methods
There are two methods for extracting fields. You can select from JSON mapped fields or you can generate regular expressions. The Parser Manager detects the data type of the log file you entered at the start of the process and defaults to the appropriate extraction method. However, the following flexibility is available:
If you are using a native JSON log but you prefer to use regular expressions to extract fields, you can switch the extraction method for the entire parser.
Hybrid JSON logs in a specific format are recognized as being in a JSON log format for the purpose of field extraction. The supported hybrid log format is a JSON message that is prefixed with text metadata from the Cloud Collector source, as in the following example:
destinationServiceName=Azure <JSON message>For hybrid logs in this format, you can extract JSON field values using the JSON mapping technique and you can also extract values from the non-JSON prefix using regular expressions.
Note
If you are customizing a default Exabeam parser, you cannot switch extraction methods between selecting JSON mapped fields or generating regular expressions. However, if you save the default parser as a new custom parser, you can then choose the method you want to use to customize the parser.
Follow the links below for detailed instructions for each method: