Skip to content

Write the acquisition file (optional for test)

In order for your log to be processed by the good parser, it must match the filter that you will configure in your parser file. There are two options:

  • Your logs are written by a syslog server, so you just have to install the syslog parser
  • Your logs are read from a log file. Please add this kind of configuration in your acquis.yaml file:

ⓘ the type will be matched by the parsers's filter in stage s01-parse.

  type: <PROGRAM_NAME>

Here an example:

Nginx acquisition
filename: /var/log/nginx/access.log
  type: nginx
Nginx parser filter
filter: evt.Parsed.program == 'nginx'