# Pull logs from journald
# The account Vector runs as needs read access to the system journal; on most
# hosts that is membership in a journal-reader group (often `systemd-journal`
# — confirm for this distribution) rather than running Vector as root.
[sources.journal]
type = "journald"
# Rename "_SYSTEMD_UNIT" field from journald logs to "systemd_unit"
# `del()` removes the field and returns its value, so this is a move rather
# than a copy: the original underscore-prefixed field does not reach the sink.
# The new name is the one the sink's field allow-list expects.
[transforms.journal_tidy]
inputs = ["journal"]
type = "remap"
source = '''
.systemd_unit = del(._SYSTEMD_UNIT)
'''
# Ingest audit logs
# audit.log is normally root-owned and not world-readable. Grant the Vector
# account read access narrowly (a supplementary group or an ACL on the file)
# instead of running Vector as root; the events carry raw audit records, so
# the whole pipeline should be treated as handling sensitive data.
[sources.audit]
type = "file"
# Replay the existing file content rather than tailing only new lines
# (applies when no saved read position exists for the file — confirm against
# the file-source documentation for the Vector version in use).
read_from = "beginning"
include = ["/var/log/audit/audit.log"]
# Use the audit record's own timestamp (the "msg=audit(<secs>.<frac>:<serial>):"
# header) as the event time instead of the ingestion time. If the line does not
# match the regex, or the captured value does not parse, fall back to now() so
# the event is kept rather than dropped.
# NOTE(review): the fallback is silent; if unparsed lines should be visible
# downstream, consider also marking such events (e.g. a flag field) here.
[transforms.audit_timestamp]
inputs = ["audit"]
type = "remap"
# Literal (single-quoted) string on purpose: the regex backslashes must reach
# VRL unescaped.
source = '''
f, err = parse_regex(.message, r'^type=[^ ]+ msg=audit\((?P<timestamp>\d+\.\d+):')
if err == null {
.timestamp = parse_timestamp(f.timestamp, "%s%.f") ?? now()
} else {
.timestamp = now()
}
'''
# Batch and send parsed logs to HTTP sink
[sinks.out]
type = "http"
inputs = ["journal_tidy", "audit_timestamp"]
# Redacted in the gist. Audit and journal data should travel over an https://
# endpoint; the http sink's `tls` and `auth` settings (not configured here)
# are where certificate verification and credentials belong — confirm the
# exact option names against the http sink docs for the Vector version in use.
uri = "<redacted>"

# Field allow-list: only these fields leave the host. Anything not listed —
# other journald metadata, or a field a later transform adds — is dropped
# unless it is added here. `systemd_unit` is the renamed field produced by
# journal_tidy; `host` and `file` are expected to be set by the sources.
[sinks.out.encoding]
codec = "ndjson"
only_fields = ["message", "timestamp", "host", "systemd_unit", "file"]