Consolidate the `drop` stanzas.

2020-12-06 12:25:05 +09:00 · 2020-12-06 12:25:05 +09:00 · 935b2e1732
parent 8497937786
commit 935b2e1732
1 changed files with 6 additions and 30 deletions
--- a/cookbooks/promtail/templates/etc/promtail/base.yaml
+++ b/cookbooks/promtail/templates/etc/promtail/base.yaml
@ -29,37 +29,12 @@ scrape_configs:
    pipeline_stages:
    - match:
-        selector: '{job="sudo"} |~ "/bin/sh"'
+        selector: '{job="sudo"} |~ "(CRON|sshd|session|securetty|systemd-logind|/bin/sh)"'
-        stages:
+        action: drop
        - drop:
            expression: (CRON|sshd|session|securetty|systemd-logind)
        - regex:
            expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
        - timestamp:
            source: timestamp
            format: Jan 2 15:04:05
            location: Asia/Tokyo
        - template:
            source: message
            template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}'
        - template:
            source: level
            template: 'info'
        - labels:
            level:
        - output:
            source: message
    - match:
        selector: '{job="sudo"} !~ "/bin/sh"'
        stages:
        - drop:
            expression: (CRON|sshd|session|securetty|systemd-logind)
        - regex:
            expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
@ -93,13 +68,14 @@ scrape_configs:
        __path__: /var/log/auth.log
    pipeline_stages:
    - match:
        selector: '{job="sshd"} |~ "(CRON|sudo|session)"'
        action: drop
    - match:
        selector: '{job="sshd"}'
        stages:
        - drop:
            expression: (CRON|sudo|session)
        - regex:
            expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^:]+: (?P<message>.+)$'