From 935b2e1732822724ab81ef9f8374c100281212d0 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sun, 6 Dec 2020 12:25:05 +0900
Subject: [PATCH] Consolidate the `drop` stanzas.

---
 .../promtail/templates/etc/promtail/base.yaml | 36 ++++---------------
 1 file changed, 6 insertions(+), 30 deletions(-)

diff --git a/cookbooks/promtail/templates/etc/promtail/base.yaml b/cookbooks/promtail/templates/etc/promtail/base.yaml
index c098384..eba6bfc 100644
--- a/cookbooks/promtail/templates/etc/promtail/base.yaml
+++ b/cookbooks/promtail/templates/etc/promtail/base.yaml
@@ -29,37 +29,12 @@ scrape_configs:
pipeline_stages:
- match:
- selector: '{job="sudo"} |~ "/bin/sh"'
- stages:
- - drop:
- expression: (CRON|sshd|session|securetty|systemd-logind)
- - regex:
- expression: '^(?P\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P[^ ]+) : TTY=(?P[^ ]+) ; PWD=(?P[^ ]+) ; USER=(?P[^ ]+) ; COMMAND=(?P.+)$'
- - timestamp:
- source: timestamp
- format: Jan 2 15:04:05
- location: Asia/Tokyo
- - template:
- source: message
- template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}'
- - template:
- source: level
- template: 'info'
- - labels:
- level:
- - output:
- source: message
+ selector: '{job="sudo"} |~ "(CRON|sshd|session|securetty|systemd-logind|/bin/sh)"'
+ action: drop
- match:
selector: '{job="sudo"} !~ "/bin/sh"'
stages:
- - drop:
- expression: (CRON|sshd|session|securetty|systemd-logind)
- regex:
expression: '^(?P\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P[^ ]+) : TTY=(?P[^ ]+) ; PWD=(?P[^ ]+) ; USER=(?P[^ ]+) ; COMMAND=(?P.+)$'
@@ -93,13 +68,14 @@ scrape_configs:
__path__: /var/log/auth.log
pipeline_stages:
+ - match:
+ selector: '{job="sshd"} |~ "(CRON|sudo|session)"'
+ action: drop
+
- match:
selector: '{job="sshd"}'
stages:
- - drop:
- expression: (CRON|sudo|session)
-
- regex:
expression: '^(?P\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^:]+: (?P.+)$'
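Review bot: The new sudo drop selector discards every line containing the substring `/bin/sh`, which is a behaviour change the title does not mention: before this commit the `|~ "/bin/sh"` branch ran the regex, timestamp, template and output stages on those lines and dropped only the CRON/sshd/session/securetty/systemd-logind ones, so an interactive `sudo /bin/sh` was shipped and is now silently discarded. The unanchored token also matches commands such as `/usr/bin/shutdown` or `/usr/bin/sha256sum`, which go with it. If the intent is only to suppress shell wrappers, anchor the token to the end of the command, e.g. `selector: '{job="sudo"} |~ "(CRON|sshd|session|securetty|systemd-logind|/bin/sh( |$))"'`, and state the dropped cases in the commit message; with this stanza in place the `!~ "/bin/sh"` filter on the following match is redundant but harmless. The `stages:` list of that second match continues past the end of the hunk.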
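Review bot: The new sshd drop stanza carries no comment, and its selector is an unanchored substring match: `session` also discards the PAM `session opened` / `session closed` lines of every SSH login, and `sudo` discards any sshd line mentioning it, presumably because the `{job="sudo"}` scrape config covers those. Since the stanza now sits ahead of the parsing `{job="sshd"}` match so that dropped lines apparently never reach the regex stage, a comment above it would keep that intent through the next edit, e.g. `# Drop cron, sudo and PAM session lines before the parsing match below`. The parsing match's `stages:` list continues past the end of the hunk.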