andrewkroh/vault.hcl

## gistfile1.txt
journalbeat.inputs:
  id: vault.service
  include_matches:
    - systemd.unit=vault.service
  processors:
    - add_fields:
        target: event
        fields:
          module: vault
          dataset: vault.log
    - convert:
        when.regexp.message: '^\s*{'
        fields:
          - from: message
            to: event.original
        mode: rename
    - decode_json_fields:
        fields:
          - event.original
        target: vault.log
    - convert:
        ignore_missing: true
        mode: rename
        fields:
          - {from: 'vault.log.@message', to: message}
          - {from: 'vault.log.@module', to: log.logger}
          - {from: 'vault.log.@level', to: log.level}
    - timestamp:
        ignore_missing: true
        field: 'vault.log.@timestamp'
        layouts:
          - "2006-01-02T15:04:05.999Z"
        test:
          - "2020-05-07T21:44:47.82217971Z"
    - drop_fields:
        fields: [vault.log.@timestamp]

## vault.hcl
log_format = "json"
	journalbeat.inputs:
	id: vault.service
	include_matches:
	- systemd.unit=vault.service
	processors:
	- add_fields:
	target: event
	fields:
	module: vault
	dataset: vault.log
	- convert:
	when.regexp.message: '^\s*{'
	fields:
	- from: message
	to: event.original
	mode: rename
	- decode_json_fields:
	fields:
	- event.original
	target: vault.log
	- convert:
	ignore_missing: true
	mode: rename
	fields:
	- {from: 'vault.log.@message', to: message}
	- {from: 'vault.log.@module', to: log.logger}
	- {from: 'vault.log.@level', to: log.level}
	- timestamp:
	ignore_missing: true
	field: 'vault.log.@timestamp'
	layouts:
	- "2006-01-02T15:04:05.999Z"
	test:
	- "2020-05-07T21:44:47.82217971Z"
	- drop_fields:
	fields: [vault.log.@timestamp]