mdfranz/vector-humio-endpoint.toml

## vector-humio-endpoint.toml
[api]
enabled = true

[sources.syslog]
type = "file" # required
ignore_older = 86400 # optional, no default, seconds
include = ["/var/log/auth.log","/var/log/syslog","/var/log/kernel.log"]

[sources.auditd]
type = "file" # required
ignore_older = 86400 # optional, no default, seconds
include = ["/var/log/audit/audit.log"]
start_at_beginning = true # optional, default
oldest_first = true # optional, default

[sources.osquery]
type = "file" # required
ignore_older = 86400 # optional, no default, seconds
include = ["/var/log/osquery/osqueryd.results.log"]
start_at_beginning = true # optional, default
oldest_first = true # optional, default

[transforms.parse_log]
type = "remap"
inputs = ["syslog"]
drop_on_error = true
reroute_dropped = true
source = """
      . = parse_syslog!(.message)
      .event_hostname = get_hostname!()
      .event_type = "syslog"
"""

[transforms.parse_kv]
type = "remap"
inputs = ["auditd"]
drop_on_error = true
reroute_dropped = true
source = """
      . = parse_key_value!(.message)
      .event_type = "auditd"
      .event_hostname = get_hostname!()
"""

[transforms.parse_osquery]
type = "remap"
inputs = ["osquery"]
drop_on_error = true
reroute_dropped = true
source = """
      . = parse_json!(.message)
      .event_type = "osquery"
      .event_hostname = get_hostname!()
"""

[sinks.my_humio_cluster]
inputs = ["parse_kv","parse_log","parse_osquery"]
type = "humio_logs"
encoding.codec = "json"
host = "${HUMIO_URL}"
token = "${HUMIO_INGEST_TOKEN}"
	[api]
	enabled = true

	[sources.syslog]
	type = "file" # required
	ignore_older = 86400 # optional, no default, seconds
	include = ["/var/log/auth.log","/var/log/syslog","/var/log/kernel.log"]

	[sources.auditd]
	type = "file" # required
	ignore_older = 86400 # optional, no default, seconds
	include = ["/var/log/audit/audit.log"]
	start_at_beginning = true # optional, default
	oldest_first = true # optional, default

	[sources.osquery]
	type = "file" # required
	ignore_older = 86400 # optional, no default, seconds
	include = ["/var/log/osquery/osqueryd.results.log"]
	start_at_beginning = true # optional, default
	oldest_first = true # optional, default

	[transforms.parse_log]
	type = "remap"
	inputs = ["syslog"]
	drop_on_error = true
	reroute_dropped = true
	source = """
	. = parse_syslog!(.message)
	.event_hostname = get_hostname!()
	.event_type = "syslog"
	"""

	[transforms.parse_kv]
	type = "remap"
	inputs = ["auditd"]
	drop_on_error = true
	reroute_dropped = true
	source = """
	. = parse_key_value!(.message)
	.event_type = "auditd"
	.event_hostname = get_hostname!()
	"""

	[transforms.parse_osquery]
	type = "remap"
	inputs = ["osquery"]
	drop_on_error = true
	reroute_dropped = true
	source = """
	. = parse_json!(.message)
	.event_type = "osquery"
	.event_hostname = get_hostname!()
	"""

	[sinks.my_humio_cluster]
	inputs = ["parse_kv","parse_log","parse_osquery"]
	type = "humio_logs"
	encoding.codec = "json"
	host = "${HUMIO_URL}"
	token = "${HUMIO_INGEST_TOKEN}"