mdfranz/vector.toml

## vector.toml
# See the Vector Remap Language reference for more info: https://vrl.dev
[sources.k3s]
type = "journald"
include_units = ["k3s"]
[sources.kernel]
type = "file"
include = ["/var/log/messages"]
[transforms.iptables_parse]
inputs = ["kernel"]
type = "remap"
source = """
.syslog = parse_syslog!(.message)
if .syslog.appname == "kernel" {
.packet = parse_key_value!(.syslog.message)
del(.message)
del(.OUT)
}
"""

[sinks.cloudwatch]
type = "aws_cloudwatch_logs"
inputs = [ "k3s","iptables_parse" ]
create_missing_group = false
create_missing_stream = true
group_name = "k3s-honeynet"
compression = "none"
region = "us-east-2"
stream_name = "{{host}}"

[sinks.cloudwatch.encoding]
codec = "json"
	# See the Vector Remap Language reference for more info: https://vrl.dev
	[sources.k3s]
	type = "journald"
	include_units = ["k3s"]
	[sources.kernel]
	type = "file"
	include = ["/var/log/messages"]
	[transforms.iptables_parse]
	inputs = ["kernel"]
	type = "remap"
	source = """
	.syslog = parse_syslog!(.message)
	if .syslog.appname == "kernel" {
	.packet = parse_key_value!(.syslog.message)
	del(.message)
	del(.OUT)
	}
	"""

	[sinks.cloudwatch]
	type = "aws_cloudwatch_logs"
	inputs = [ "k3s","iptables_parse" ]
	create_missing_group = false
	create_missing_stream = true
	group_name = "k3s-honeynet"
	compression = "none"
	region = "us-east-2"
	stream_name = "{{host}}"

	[sinks.cloudwatch.encoding]
	codec = "json"