crowdsec/docs/write_configurations/acquisition.md
erenJag 4f9d252a15
Add the documentation into crowdsec repo (#3)
2020-05-15 16:58:24 +02:00

Write the acquisition file (optional for test)

In order for your log to be processed by the right parser, it must match the filter you configure in your parser file. There are two options:

  • Your logs are written by a syslog server, so you just have to install the syslog parser.
  • Your logs are read from a log file. In that case, add this kind of configuration to your acquis.yaml file:

ⓘ The prog_name label is the value that the parser filter in s01-parse will need to match.

```yaml
---
filename: <PATH_TO_YOUR_LOG_FILE>
labels:
  prog_name: <PROGRAM_NAME>
```

Here is an example:

Nginx acquisition:

```yaml
---
filename: /var/log/nginx/access.log
labels:
  prog_name: nginx
```

Nginx parser filter:

```yaml
---
filter: evt.Parsed.program == 'nginx'
```
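The link between the acquisition label and the parser filter is easy to get wrong: a source whose prog_name no parser matches is read but never parsed, which is a silent detection gap. The following check is an added example, not part of the crowdsec project; the acquisition entries and the parser filter expressions it inspects are constructed sample data, and the tiny hand-rolled parser only understands the flat acquis.yaml shape shown on this page.

```python
import re

# Constructed sample acquis.yaml content (two sources, same shape as above).
ACQUIS_YAML = """\
---
filename: /var/log/nginx/access.log
labels:
  prog_name: nginx
---
filename: /var/log/auth.log
labels:
  prog_name: sshd
"""

# Constructed sample parser filters, keyed by a hypothetical parser name.
PARSER_FILTERS = {
    "nginx-logs": "evt.Parsed.program == 'nginx'",
    "apache-logs": "evt.Parsed.program == 'apache2'",
}

def parse_acquis(text):
    """Parse the flat acquis.yaml documents into a list of dicts.
    Deliberately minimal (no PyYAML needed): it handles 'filename:'
    and an indented 'prog_name:' under 'labels:', nothing more."""
    docs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---":          # new YAML document
            if cur:
                docs.append(cur)
            cur = {}
            continue
        if cur is None or not line or line == "labels:":
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    if cur:
        docs.append(cur)
    return docs

FILTER_RE = re.compile(r"evt\.Parsed\.program\s*==\s*'([^']+)'")

def filtered_programs(filters):
    """Set of program names that some parser filter explicitly matches."""
    return {m.group(1) for expr in filters.values()
            if (m := FILTER_RE.search(expr))}

def unparsed_sources(acquis_text, filters):
    """Filenames whose prog_name no parser filter matches."""
    known = filtered_programs(filters)
    return [d["filename"] for d in parse_acquis(acquis_text)
            if d.get("prog_name") not in known]
```

Running it on the sample data reports /var/log/auth.log, because no parser filter matches prog_name sshd.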