tuxfight3r/journald-splunk

## journald-splunk
# Rotate client logs
# log file already has this context set.
# -rw-r-----. root root system_u:object_r:var_log_t:s0   /var/log/journald_splunk.log
# -rw-r-----. root root system_u:object_r:var_log_t:s0   /var/log/journald_splunk.log-2018020315

/var/log/journald_splunk.log {
  hourly
  maxsize 3M
  rotate 3
  missingok
  delaycompress
  notifempty
  sharedscripts
  create 640 root root
  prerotate
    /bin/systemctl stop journald-splunk-log.service
  endscript
  postrotate
    /bin/systemctl start journald-splunk-log.service
  endscript
}

## journald-splunk-log.service
[Unit]
Description=Journald to Splunk Log Converter
After=network.target

[Service]
Type=simple
Restart=always
ExecStartPre=/usr/bin/journalctl --vacuum-time=30days
ExecStart=/bin/sh -c '/usr/bin/journalctl --since "1 hour ago" -f -o json > /var/log/journald_splunk.log 2>&1'
RestartSec=600s
StandardOutput=syslog
StandardError=syslog


[Install]
WantedBy=multi-user.target
	# Rotate client logs
	# log file already has this context set.
	# -rw-r-----. root root system_u:object_r:var_log_t:s0 /var/log/journald_splunk.log
	# -rw-r-----. root root system_u:object_r:var_log_t:s0 /var/log/journald_splunk.log-2018020315

	/var/log/journald_splunk.log {
	hourly
	maxsize 3M
	rotate 3
	missingok
	delaycompress
	notifempty
	sharedscripts
	create 640 root root
	prerotate
	/bin/systemctl stop journald-splunk-log.service
	endscript
	postrotate
	/bin/systemctl start journald-splunk-log.service
	endscript
	}
	[Unit]
	Description=Journald to Splunk Log Converter
	After=network.target

	[Service]
	Type=simple
	Restart=always
	ExecStartPre=/usr/bin/journalctl --vacuum-time=30days
	ExecStart=/bin/sh -c '/usr/bin/journalctl --since "1 hour ago" -f -o json > /var/log/journald_splunk.log 2>&1'
	RestartSec=600s
	StandardOutput=syslog
	StandardError=syslog


	[Install]
	WantedBy=multi-user.target