diff --git a/cookbooks/vector/files/etc/systemd/system/vector-auth.service b/cookbooks/vector/files/etc/systemd/system/vector-auth.service
new file mode 100644
index 0000000..b38af42
--- /dev/null
+++ b/cookbooks/vector/files/etc/systemd/system/vector-auth.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Vector
+Documentation=https://vector.dev
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+ExecStart=/usr/bin/vector --config /etc/vector/auth.toml
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=vector
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/cookbooks/vector/files/etc/vector/auth.toml b/cookbooks/vector/files/etc/vector/auth.toml
new file mode 100644
index 0000000..4085cfc
--- /dev/null
+++ b/cookbooks/vector/files/etc/vector/auth.toml
@@ -0,0 +1,49 @@
+data_dir = "/var/lib/vector/"
+
+[sources.auth]
+  type = "file"
+  include = [ "/var/log/auth.log" ]
+  ignore_older_secs = 600
+  read_from = "beginning"
+
+[transforms.auth_transform]
+  type = "remap"
+  inputs = ["auth"]
+  source = '''
+    . |= parse_linux_authorization!(.message)
+    del(.host)
+
+    .appname = downcase!(.appname)
+  '''
+
+[sinks.auth_output]
+type = "file"
+inputs = [ "auth_transform" ]
+compression = "none"
+path = "/tmp/auth-%Y-%m-%d.log"
+
+  [sinks.auth_output.encoding]
+  codec = "json"
+
+  [sinks.auth_output.buffer]
+  max_size = 268435488
+  type = "disk"
+
+[sinks.auth_loki]
+type = "loki"
+inputs = [ "auth_transform" ]
+endpoint = "http://loki.service.consul:3100"
+compression = "snappy"
+
+  [sinks.auth_loki.labels]
+  level = "notice"
+  hostname = "{{ hostname }}"
+  job = "{{ appname }}"
+  filename = "/var/log/auth.log"
+
+  [sinks.auth_loki.encoding]
+  codec = "json"
+
+  [sinks.auth_loki.buffer]
+  max_size = 268435488
+  type = "disk"
diff --git a/cookbooks/vector/setup.rb b/cookbooks/vector/setup.rb
index 54c4baa..d4d084b 100644
--- a/cookbooks/vector/setup.rb
+++ b/cookbooks/vector/setup.rb
@@ -12,6 +12,8 @@ remote_file '/etc/vector/apt.toml' do
   owner 'root'
   group 'root'
   mode  '0644'
+
+  notifies :restart, 'service[vector-apt]'
 end
 
 remote_file '/etc/systemd/system/vector-apt.service' do
@@ -26,6 +28,28 @@ service 'vector-apt' do
   action [:enable, :start]
 end
 
+# Deploy config for mointoring `/var/log/auth.log`:
+remote_file '/etc/vector/auth.toml' do
+  owner 'root'
+  group 'root'
+  mode  '0644'
+
+  notifies :restart, 'service[vector-auth]'
+end
+
+remote_file '/etc/systemd/system/vector-auth.service' do
+  owner 'root'
+  group 'root'
+  mode  '0644'
+
+  notifies :restart, 'service[vector-auth]'
+end
+
+service 'vector-auth' do
+  action [:enable, :start]
+end
+
+
 # Stop vector default service:
 service 'vector' do
   action :disable