Modify `promtail` config for `sudo` logs.

2020-10-12 14:01:42 +09:00 · 2020-10-12 14:01:42 +09:00 · 6b7b0a0844
parent 57d21b0a40
commit 6b7b0a0844
1 changed files with 2 additions and 2 deletions
--- a/cookbooks/promtail/templates/etc/promtail/base.yaml
+++ b/cookbooks/promtail/templates/etc/promtail/base.yaml
@ -32,7 +32,7 @@ scrape_configs:
        selector: '{job="sudo"} |~ "/bin/sh"'
        stages:
        - drop:
-            expression: (CRON|sshd|session)
+            expression: (CRON|sshd|session|securetty)
        - regex:
            expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
@ -59,7 +59,7 @@ scrape_configs:
        selector: '{job="sudo"} !~ "/bin/sh"'
        stages:
        - drop:
-            expression: (CRON|sshd|session)
+            expression: (CRON|sshd|session|securetty)
        - regex:
            expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'