# Directory where Vector keeps its on-disk state. The disk buffers configured
# on the sinks in this file hold parsed auth events, so this directory should
# be accessible only to the account Vector runs as.
data_dir = "/var/lib/vector/"

# Tail the system authentication log.
[sources.auth]
type = "file"
include = ["/var/log/auth.log"]
# When no checkpoint exists yet, start at the top of the file, not the end.
read_from = "beginning"
# Skip files last modified more than 600 seconds (10 minutes) ago.
ignore_older_secs = 600

# Turn each raw auth.log line from the "auth" source into structured fields.
[transforms.auth_transform]
type = "remap"
inputs = ["auth"]
# VRL program, in order:
#   1. parse_linux_authorization! parses .message and merges the resulting
#      fields into the event root; the `!` form raises an error on lines it
#      cannot parse.
#   2. del(.host) removes the event's .host field.
#   3. .appname is lower-cased; downcase! raises an error when .appname is
#      not a string.
# NOTE(review): neither drop_on_error nor reroute_dropped is set, so lines
# that fail step 1 or 3 follow Vector's default error handling. Part of every
# auth.log line is attacker-influenced (user names, client-supplied strings),
# so confirm that unparseable lines are neither lost silently nor delivered
# to the sinks without the fields the sinks expect.
source = '''
. |= parse_linux_authorization!(.message)
del(.host)

.appname = downcase!(.appname)
'''

# Local JSON copy of the parsed auth events, one file per calendar day.
[sinks.auth_output]
type = "file"
inputs = ["auth_transform"]
compression = "none"
# NOTE(review): /tmp is world-writable and this file name is predictable.
# Parsed auth events (typically user names, source addresses, sudo activity)
# are written here. Confirm the mode the file is created with, and consider a
# directory that only Vector and the intended reader can access.
path = "/tmp/auth-%Y-%m-%d.log"
encoding.codec = "json"

# Buffer events on disk (under data_dir) instead of in memory.
[sinks.auth_output.buffer]
type = "disk"
max_size = 268_435_488  # bytes, just over 256 MiB

# Ship the parsed auth events to Loki.
[sinks.auth_loki]
type = "loki"
inputs = ["auth_transform"]
# NOTE(review): the endpoint is plain http:// and no auth table is
# configured, so events are sent unencrypted and without credentials.
# Confirm the network path to Loki is trusted, or use https with
# authentication.
endpoint = "http://loki.service.consul:3100"
compression = "snappy"
encoding.codec = "json"

[sinks.auth_loki.labels]
# Fixed labels: every event gets level "notice", whatever its real severity.
level = "notice"
filename = "/var/log/auth.log"
# Templated from event fields; presumably both are set by
# parse_linux_authorization in the transform (confirm).
hostname = "{{ hostname }}"
# NOTE(review): appname is taken from the log line itself, so this config
# does not bound the set of job values; watch label cardinality in Loki.
job = "{{ appname }}"

# Buffer events on disk (under data_dir) instead of in memory.
[sinks.auth_loki.buffer]
type = "disk"
max_size = 268_435_488  # bytes, just over 256 MiB