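# Tail the system authentication log and tag each event "auth".
<source>
  @type tail
  path /var/log/auth.log
  pos_file /var/log/td-agent/auth.pos
  format syslog
  tag auth
</source>

# Prefix each message with the hostname of the machine that produced it.
<filter auth>
  @type record_transformer
  <record>
    message ${hostname}: ${record["message"]}
  </record>
</filter>

# Filter on the message field.
# Assumption: the section is <exclude> (matching lines are dropped as routine noise);
# use <regexp> instead to keep only the matching lines.
# Assumption: the filter and match sections select the "auth" tag set by the source.
<filter auth>
  @type grep
  <exclude>
    key message
    pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)
  </exclude>
</filter>

# Hand the remaining events to the @forward label, which is defined elsewhere in the configuration.
<match auth>
  @type relabel
  @label @forward
</match>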