Merge branch 'promtail-sudo-modify' of kazu634/itamae into master

2020-09-21 00:27:23 +09:00 · 2020-09-21 00:27:23 +09:00 · 3b6bc203c1
parent b1ea22a262 39a4b22867
commit 3b6bc203c1
1 changed files with 35 additions and 2 deletions
--- a/cookbooks/promtail/templates/etc/promtail/base.yaml
+++ b/cookbooks/promtail/templates/etc/promtail/base.yaml
@ -25,12 +25,11 @@ scrape_configs:
      labels:
        job: sudo
        hostname: <%= @HOSTNAME %>
-        level: notice
        __path__: /var/log/auth.log

    pipeline_stages:
    - match:
-        selector: '{job="sudo"}'
+        selector: '{job="sudo"} |~ "/bin/sh"'
        stages:
        - drop:
            expression: (CRON|sshd|session)
@ -46,6 +45,40 @@ scrape_configs:
            source: message
            template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}'

+        - template:
+            source: level
+            template: 'info'
+
+        - labels:
+            level:
+
+        - output:
+            source: message
+
+    - match:
+        selector: '{job="sudo"} !~ "/bin/sh"'
+        stages:
+        - drop:
+            expression: (CRON|sshd|session)
+        - regex:
+            expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
+
+        - timestamp:
+            source: timestamp
+            format: Jan 2 15:04:05
+            location: Asia/Tokyo
+
+        - template:
+            source: message
+            template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}'
+
+        - template:
+            source: level
+            template: 'notice'
+
+        - labels:
+            level:
+
        - output:
            source: message