Deploy `vector` config for `/var/log/auth.log`.

Kazuhiro MUSASHI 2023-03-04 15:17:27 +09:00
parent a201eea560
commit 75755b99f2
3 changed files with 90 additions and 0 deletions


@ -0,0 +1,17 @@
[Unit]
Description=Vector
Documentation=https://vector.dev
After=network-online.target
Requires=network-online.target
[Service]
ExecStart=/usr/bin/vector --config /etc/vector/auth.toml
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
StandardOutput=journal
StandardError=journal
SyslogIdentifier=vector
[Install]
WantedBy=multi-user.target
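Review bot: The `[Service]` section sets no `User=` and no sandboxing directives, so this Vector instance runs as root with full filesystem access, although the config it is started with (`--config /etc/vector/auth.toml`) only tails one log file and forwards it. Consider a dedicated account that can read `/var/log/auth.log` (on many distributions that means membership of the `adm` group; verify on the target hosts), plus `NoNewPrivileges=true` and `ProtectSystem=strict` with `ReadWritePaths=` limited to the Vector data directory and the sink output directory. `Restart=always` also has no `RestartSec=`, so a config that fails to load is retried in a tight loop until systemd's start limit trips; `RestartSec=5` would make that failure quieter in the journal.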


@ -0,0 +1,49 @@
data_dir = "/var/lib/vector/"
[sources.auth]
type = "file"
include = [ "/var/log/auth.log" ]
ignore_older_secs = 600
read_from = "beginning"
[transforms.auth_transform]
type = "remap"
inputs = ["auth"]
source = '''
. |= parse_linux_authorization!(.message)
del(.host)
.appname = downcase!(.appname)
'''
[sinks.auth_output]
type = "file"
inputs = [ "auth_transform" ]
compression = "none"
path = "/tmp/auth-%Y-%m-%d.log"
[sinks.auth_output.encoding]
codec = "json"
[sinks.auth_output.buffer]
max_size = 268435488
type = "disk"
[sinks.auth_loki]
type = "loki"
inputs = [ "auth_transform" ]
endpoint = "http://loki.service.consul:3100"
compression = "snappy"
[sinks.auth_loki.labels]
level = "notice"
hostname = "{{ hostname }}"
job = "{{ appname }}"
filename = "/var/log/auth.log"
[sinks.auth_loki.encoding]
codec = "json"
[sinks.auth_loki.buffer]
max_size = 268435488
type = "disk"
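Review bot: `sinks.auth_output` writes the parsed authentication events to `/tmp/auth-%Y-%m-%d.log`, a world-writable directory with a predictable file name, and the unit that runs this config sets no `User=`, so the file is presumably written as root. Any local user can create or link that name ahead of the daily rollover, and depending on the process umask the copy may be readable by accounts that cannot read `/var/log/auth.log` itself. Point `path` at a directory only the service account can write, e.g. `path = "<ROOT_ONLY_DIR>/auth-%Y-%m-%d.log"` (placeholder), or drop the sink if it was only for debugging. Separately, `sinks.auth_loki` sends the same events to `http://loki.service.consul:3100` with no `tls` or `auth` table visible, so usernames and source addresses cross the network in clear text unless the transport is protected elsewhere.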


@ -12,6 +12,8 @@ remote_file '/etc/vector/apt.toml' do
owner 'root' owner 'root'
group 'root' group 'root'
mode '0644' mode '0644'
notifies :restart, 'service[vector-apt]'
end end
remote_file '/etc/systemd/system/vector-apt.service' do remote_file '/etc/systemd/system/vector-apt.service' do
@ -26,6 +28,28 @@ service 'vector-apt' do
action [:enable, :start] action [:enable, :start]
end end
# Deploy config for mointoring `/var/log/auth.log`:
remote_file '/etc/vector/auth.toml' do
owner 'root'
group 'root'
mode '0644'
notifies :restart, 'service[vector-auth]'
end
remote_file '/etc/systemd/system/vector-auth.service' do
owner 'root'
group 'root'
mode '0644'
notifies :restart, 'service[vector-auth]'
end
service 'vector-auth' do
action [:enable, :start]
end
# Stop vector default service: # Stop vector default service:
service 'vector' do service 'vector' do
action :disable action :disable
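Review bot: The `remote_file '/etc/systemd/system/vector-auth.service'` resource notifies `service[vector-auth]` to restart, but nothing runs `systemctl daemon-reload` first, so when the unit file changes on an existing host systemd restarts the service from its cached, old unit definition. Add an `execute` resource with `action :nothing` and notify it `:immediately` from the unit-file resource, as sketched below. The same likely applies to the `vector-apt.service` resource, whose body lies outside this hunk, if it is wired the same way. The added comment `# Deploy config for mointoring` also has a typo (`monitoring`).

```ruby
execute 'systemctl daemon-reload' do
  action :nothing
end

remote_file '/etc/systemd/system/vector-auth.service' do
  # … unchanged: owner, group, mode …
  notifies :run, 'execute[systemctl daemon-reload]', :immediately
  notifies :restart, 'service[vector-auth]'
end
```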