kierdavis · April 18, 2022 09:33
diff --git a/vector.toml b/vector.toml
 # Pull logs from journald
 [sources.journal]
 type = "journald"

 # Rename "_SYSTEMD_UNIT" field from journald logs to "systemd_unit"
 [transforms.journal_tidy]
 type = "remap"
 inputs = ["journal"]
 source = '''
 .systemd_unit = del(._SYSTEMD_UNIT)
 '''

 # Ingest audit logs
 [sources.audit]
 type = "file"
 include = [ "/var/log/audit/audit.log" ]
 read_from = "beginning"

 [transforms.audit_timestamp]
 type = "remap"
 inputs = ["audit"]
 source = '''
 f, err = parse_regex(.message, r'^type=[^ ]+ msg=audit\((?P<timestamp>\d+\.\d+):')
 if err == null {
    .timestamp = parse_timestamp(f.timestamp, "%s%.f") ?? now()
 } else {
    .timestamp = now()
 }
 '''

 # Batch and send parsed logs to HTTP sink
 [sinks.out]
 inputs = ["journal_tidy", "audit_timestamp"]
 encoding.codec = "ndjson"
 encoding.only_fields = ["message", "timestamp", "host", "systemd_unit", "file"]

 type = "http"
 uri = "<redacted>"
	# Pull logs from journald
	[sources.journal]
	type = "journald"

	# Rename "_SYSTEMD_UNIT" field from journald logs to "systemd_unit"
	[transforms.journal_tidy]
	type = "remap"
	inputs = ["journal"]
	source = '''
	.systemd_unit = del(._SYSTEMD_UNIT)
	'''

	# Ingest audit logs
	[sources.audit]
	type = "file"
	include = [ "/var/log/audit/audit.log" ]
	read_from = "beginning"

	[transforms.audit_timestamp]
	type = "remap"
	inputs = ["audit"]
	source = '''
	f, err = parse_regex(.message, r'^type=[^ ]+ msg=audit\((?P<timestamp>\d+\.\d+):')
	if err == null {
	.timestamp = parse_timestamp(f.timestamp, "%s%.f") ?? now()
	} else {
	.timestamp = now()
	}
	'''

	# Batch and send parsed logs to HTTP sink
	[sinks.out]
	inputs = ["journal_tidy", "audit_timestamp"]
	encoding.codec = "ndjson"
	encoding.only_fields = ["message", "timestamp", "host", "systemd_unit", "file"]

	type = "http"
	uri = "<redacted>"