Consolidate the `drop` stanzas.

Kazuhiro MUSASHI 2020-12-06 12:25:05 +09:00
parent 8497937786
commit 935b2e1732
1 changed files with 6 additions and 30 deletions


@ -29,37 +29,12 @@ scrape_configs:
pipeline_stages: pipeline_stages:
- match: - match:
selector: '{job="sudo"} |~ "/bin/sh"' selector: '{job="sudo"} |~ "(CRON|sshd|session|securetty|systemd-logind|/bin/sh)"'
stages: action: drop
- drop:
expression: (CRON|sshd|session|securetty|systemd-logind)
- regex:
expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
- timestamp:
source: timestamp
format: Jan 2 15:04:05
location: Asia/Tokyo
- template:
source: message
template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}'
- template:
source: level
template: 'info'
- labels:
level:
- output:
source: message
- match: - match:
selector: '{job="sudo"} !~ "/bin/sh"' selector: '{job="sudo"} !~ "/bin/sh"'
stages: stages:
- drop:
expression: (CRON|sshd|session|securetty|systemd-logind)
- regex: - regex:
expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$' expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<user>[^ ]+) : TTY=(?P<tty>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<foo>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
@ -93,13 +68,14 @@ scrape_configs:
__path__: /var/log/auth.log __path__: /var/log/auth.log
pipeline_stages: pipeline_stages:
- match:
selector: '{job="sshd"} |~ "(CRON|sudo|session)"'
action: drop
- match: - match:
selector: '{job="sshd"}' selector: '{job="sshd"}'
stages: stages:
- drop:
expression: (CRON|sudo|session)
- regex: - regex:
expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^:]+: (?P<message>.+)$' expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^:]+: (?P<message>.+)$'
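Review bot: Adding `/bin/sh` to the dropped alternation in the first hunk's new selector `'{job="sudo"} |~ "(CRON|sshd|session|securetty|systemd-logind|/bin/sh)"'` with `action: drop` discards every sudo entry that mentions `/bin/sh`, whereas the removed stages previously parsed those entries (regex, timestamp, template, labels) and only dropped the CRON/sshd/session noise within them — so sudo-to-shell events, which an auth-log pipeline normally wants to keep, no longer reach Loki at all. If that is intended, the stanza should say so with a comment such as `# Intentionally drops sudo invocations of /bin/sh; remove "/bin/sh" from the alternation to keep them`; if not, drop `/bin/sh` from the alternation and keep the `!~ "/bin/sh"` match's parsing as the single path. Separately, `|~` is an unanchored regex over the whole line, so a sudo entry whose COMMAND text contains any of the words (for example a restart of `sshd` or a command mentioning `session`) is also dropped; the old `drop` stage had the same weakness, but it is now the only filter, and the second hunk's `'{job="sshd"} |~ "(CRON|sudo|session)"'` has the same shape. Both hunks' `pipeline_stages` blocks continue outside the visible diff, so the remaining stages could not be checked.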