Multi-Log Event Building
In some scenarios, the data required to build a single event is spread across multiple logs. Exabeam supports multi-log event building, also known as event stitching, to extract the relevant information from different parsed logs and create a single event.
You can view event builder definitions in Log Stream by opening the Parser Details for a specific parser and viewing the event_builder.conf file on the Configuration Files tab. For more information about event builder parameters, see Anatomy of an Event Builder in the Security Content Guide.
Two types of multi-log event builders are currently available and they support only default Exabeam parsers:
- Binary Merger – Used to combine information from exactly two log messages into a single event. This type of event builder can be identified by a tracker parameter with the value ContivityMultiEventTracker. It extracts information, based on a specified ID, from two parsed messages. When both messages have been received, a single event is built.
- Sequence Merger – Used to combine information from a variable number of parsed messages into a single event. This type of event builder can be identified by a tracker parameter with the value VariableMessageMultiEventTracker. It extracts information from multiple parsed messages, based on a specified ID, until it receives a message with the same ID that contains a sequence-stopper. Then collection stops, the extracted information is stitched together, and a single event is built.
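The stitching behavior of the two builder types can be modeled in a few lines. This is an added conceptual example, not Exabeam code or event_builder.conf syntax. The class names, field names, the boolean stopper flag, and the sample messages are all constructed for illustration.

```python
# Conceptual model of the two event-builder types described above.
# Assumptions: messages are (id, fields[, stopper]) tuples; all data is constructed.

class BinaryMerger:
    """Holds the first message per ID; builds one event when the second arrives."""
    def __init__(self):
        self.pending = {}

    def feed(self, msg_id, fields):
        first = self.pending.pop(msg_id, None)
        if first is None:                      # first half seen: wait for its partner
            self.pending[msg_id] = dict(fields)
            return None
        return {**first, **fields, "id": msg_id}


class SequenceMerger:
    """Collects messages per ID until one carries the sequence-stopper."""
    def __init__(self):
        self.pending = {}

    def feed(self, msg_id, fields, stopper=False):
        self.pending.setdefault(msg_id, {}).update(fields)
        if not stopper:                        # keep collecting for this ID
            return None
        return {**self.pending.pop(msg_id), "id": msg_id}


def stitch(merger, messages):
    """Feed parsed messages in arrival order; return (built events, IDs still waiting)."""
    events = [e for m in messages if (e := merger.feed(*m)) is not None]
    return events, sorted(merger.pending)


# Constructed sample: a login split across two messages, interleaved with another session.
BINARY_SAMPLE = [
    ("s1", {"user": "alice"}),
    ("s2", {"user": "bob"}),
    ("s1", {"src_ip": "203.0.113.7"}),
]

# Constructed sample: a mail transaction that ends with a stopper message.
SEQUENCE_SAMPLE = [
    ("m1", {"sender": "a@example.com"}),
    ("m1", {"recipient": "b@example.com"}),
    ("m2", {"sender": "c@example.com"}),
    ("m1", {"status": "delivered"}, True),
]
```

In this model, an ID whose second message or sequence-stopper never arrives stays pending and produces no event, which is the case to check for when an expected stitched event is missing.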