From 6b7b0a084407812a00814649d2ac83b74943578a Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI <simoom634@yahoo.co.jp>
Date: Mon, 12 Oct 2020 14:01:42 +0900
Subject: [PATCH] Modify `promtail` config for `sudo` logs.

---
 cookbooks/promtail/templates/etc/promtail/base.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cookbooks/promtail/templates/etc/promtail/base.yaml b/cookbooks/promtail/templates/etc/promtail/base.yaml
index feebf11..79f6a17 100644
--- a/cookbooks/promtail/templates/etc/promtail/base.yaml
+++ b/cookbooks/promtail/templates/etc/promtail/base.yaml
@@ -32,7 +32,7 @@ scrape_configs:
         selector: '{job="sudo"} |~ "/bin/sh"'
         stages:
         - drop:
-            expression: (CRON|sshd|session)
+            expression: (CRON|sshd|session|securetty)
         - regex:
             expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
 
@@ -59,7 +59,7 @@ scrape_configs:
         selector: '{job="sudo"} !~ "/bin/sh"'
         stages:
         - drop:
-            expression: (CRON|sshd|session)
+            expression: (CRON|sshd|session|securetty)
         - regex:
             expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'