itamae/cookbooks/fluentd/files/etc/td-agent/conf.d/forwarder_auth.conf

<source>
  @type tail
  path /var/log/auth.log
  pos_file /var/log/td-agent/auth.pos
  format syslog
  tag auth
</source>

<filter auth>
  @type record_transformer
  <record>
    message ${hostname}: ${record["message"]}
  </record>
</filter>

<filter auth>
  @type grep

  <exclude>
    key message
    pattern (CRON|Did not receive identification string from|sudo|pam_unix|seat|Removed session|Received disconnect|New session|Accepted publickey|Disconnected)
  </exclude>
</filter>

<match auth>
  @type relabel
  @label @forward
</match>