Added Fluentd parsing for multiline auditd records.
Fixes PROD-34980
Change-Id: I457f05999527b99c8304282d366c870f0c5e0bbe
diff --git a/auditd/meta/fluentd.yml b/auditd/meta/fluentd.yml
new file mode 100644
index 0000000..a25e4d5
--- /dev/null
+++ b/auditd/meta/fluentd.yml
@@ -0,0 +1,46 @@
+{%- if pillar.get('fluentd', {}).get('agent') %}
+agent:
+ config:
+ label:
+ auditd:
+ filter:
+ mark_first_line:
+ type: record_transformer
+ tag: audit.**
+ enable_ruby: true
+ record:
+ - name: Payload
+ value: ${ if record.has_key?("Pid"); record["Pid"] + " " + record["Payload"]; else record["Payload"]; end }
+ concatenate_record_tail:
+ type: concat
+ tag: audit.**
+ key: Payload
+ multiline_start_regexp: '/^\d+\s+/'
+ require:
+ - mark_first_line
+ parse_record:
+ type: parser
+ tag: audit.**
+ key_name: Payload
+ reserve_data: true
+ reserve_time: true
+ emit_invalid_record_to_error: true
+ parser:
+ type: regexp
+ format: '/^(?:\d+\s+)(?<Payload>.*)/m'
+ require:
+ - concatenate_record_tail
+ match:
+ push_to_default:
+ tag: audit.**
+ type: relabel
+ label: default_output
+ systemd:
+ match:
+ match_auditd:
+ require:
+ - rewrite_tag
+ tag: 'audit.systemd'
+ type: relabel
+ label: auditd
+{%- endif %}
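Review bot: The concat stage in concatenate_record_tail separates streams by tag only, so when several processes emit audit records at the same time the continuation lines of one Pid can be appended to the Payload of another, and the `^\d+\s+` start pattern also fires on any continuation line that happens to begin with digits. Adding `stream_identity_key: Pid` under concatenate_record_tail keeps each process's lines in their own buffer, which matters here because a merged or truncated audit record is lost evidence for whatever consumes default_output. The filter also sets neither `flush_interval` nor `timeout_label`, so the last record of a burst waits in the buffer until the next start line arrives, and on timeout the held event appears to go to the error stream rather than to default_output; setting `timeout_label: default_output` would keep it in the normal pipeline. The Ruby expression in mark_first_line raises if `Payload` is missing or `Pid` is not a String, so `record["Pid"].to_s + " " + record["Payload"].to_s` is the safer form.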
diff --git a/metadata/service/support.yml b/metadata/service/support.yml
index 099b032..9e57d69 100644
--- a/metadata/service/support.yml
+++ b/metadata/service/support.yml
@@ -15,4 +15,5 @@
enabled: true
prometheus:
enabled: true
-
+ fluentd:
+ enabled: true
diff --git a/tests/run_tests.sh b/tests/run_tests.sh
index 29fb975..008c777 100755
--- a/tests/run_tests.sh
+++ b/tests/run_tests.sh
@@ -40,6 +40,7 @@
virtualenv $VENV_DIR
source ${VENV_DIR}/bin/activate
pip install salt${PIP_SALT_VERSION}
+ pip install 'msgpack<1' 'setuptools<45'
}
setup_mock_bin() {