Doug Burks edited this page Feb 18, 2017 · 6 revisions

How do I write custom ELSA parsers?

Where do I put my custom ELSA parsers?

Create a new subdirectory in /etc/elsa/patterns.d/, add your parsers to the new subdirectory, and then use pdbtool to merge the entire /etc/elsa/patterns.d/ directory into /opt/elsa/node/conf/patterndb.xml. For example:

# Create a new subdirectory in /etc/elsa/patterns.d/
sudo mkdir /etc/elsa/patterns.d/local/

# Add new parser
sudo nano /etc/elsa/patterns.d/local/my_new_log_parser

# Test new parser
pdbtool test /etc/elsa/patterns.d/local/my_new_log_parser

# Backup existing patterndb.xml
sudo cp /opt/elsa/node/conf/patterndb.xml /opt/elsa/node/conf/patterndb.xml.bak

# Merge all patterns into new patterndb.xml
sudo pdbtool merge -p /opt/elsa/node/conf/patterndb.xml --recursive -D /etc/elsa/patterns.d/

# Restart syslog-ng
sudo service syslog-ng restart
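As an added illustration of what a file placed in that subdirectory can look like (a constructed example, not a parser from the Security Onion or ELSA projects): a syslog-ng patterndb v4 ruleset for a hypothetical daemon named vpnd, saved as /etc/elsa/patterns.d/local/vpnd. The ruleset id, rule id, class value and the vpnd message format are placeholders; the i0/s0 value naming is what ELSA's field mapping is assumed to expect, so compare it with an existing file under /etc/elsa/patterns.d/ before merging.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: parser for a made-up "vpnd" daemon.
     Save as /etc/elsa/patterns.d/local/vpnd, then run "pdbtool test" on it. -->
<patterndb version="4">
  <!-- The ruleset <pattern> is matched against the syslog program name. -->
  <ruleset name="vpnd" id="RULESET-ID-PLACEHOLDER">
    <pattern>vpnd</pattern>
    <rules>
      <!-- "class" must name a class that exists in ELSA's classes table;
           CLASS-PLACEHOLDER stands in for whatever class you define. -->
      <rule provider="local" class="CLASS-PLACEHOLDER" id="RULE-ID-PLACEHOLDER">
        <patterns>
          <!-- Assumed ELSA convention: integer fields in i0..i5, strings in s0..s5.
               @ESTRING:name: @ consumes up to the next space, @IPv4:i0@ captures
               the client address, @ANYSTRING:s1@ takes the rest of the line
               (either "method=..." on success or "reason=..." on failure). -->
          <pattern>login @ESTRING:s2: @user=@ESTRING:s0: @from=@IPv4:i0@ @ANYSTRING:s1@</pattern>
        </patterns>
        <!-- Embedded examples are what "pdbtool test" checks before you merge. -->
        <examples>
          <example>
            <test_message program="vpnd">login ok user=alice from=10.1.2.3 method=totp</test_message>
            <test_values>
              <test_value name="s2">ok</test_value>
              <test_value name="s0">alice</test_value>
              <test_value name="i0">10.1.2.3</test_value>
              <test_value name="s1">method=totp</test_value>
            </test_values>
          </example>
          <example>
            <test_message program="vpnd">login failed user=bob from=192.0.2.44 reason=bad_otp</test_message>
            <test_values>
              <test_value name="s2">failed</test_value>
              <test_value name="s0">bob</test_value>
              <test_value name="i0">192.0.2.44</test_value>
              <test_value name="s1">reason=bad_otp</test_value>
            </test_values>
          </example>
        </examples>
      </rule>
    </rules>
  </ruleset>
</patterndb>
```

Running pdbtool test on this file replays each test_message through the pattern and reports any test_value that does not match, which is the check to pass before the merge and syslog-ng restart steps above.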

See also: Palo Alto default log format parser (discussion thread: !topic/enterprise-log-search-and-archive/SJwOY7N2A60)