audit logging format has changed, update for new format. Add missing …

…property to control read_from_head behavior.
SumoLogic · Apr 25, 2018 · 90cc454 · 90cc454
1 parent 5bdf637
commit 90cc454
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 6 deletions.
diff --git a/conf.d/file/source.kubernetes.conf b/conf.d/file/source.kubernetes.conf
@@ -94,15 +94,14 @@
 # 2017-02-09T00:15:57.993528822Z AUDIT: id="6a8sdffd918-0b6a-4aee-a3a1-f1sdf61596" response="200"
 <source>
   @type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\S+\s+AUDIT:/
-  format1 /^(?<time>\S+) AUDIT:(?: (?:id="(?<id>(?:[^"\\]|\\.)*)"|ip="(?<ip>(?:[^"\\]|\\.)*)"|method="(?<method>(?:[^"\\]|\\.)*)"|user="(?<user>(?:[^"\\]|\\.)*)"|groups="(?<groups>(?:[^"\\]|\\.)*)"|as="(?<as>(?:[^"\\]|\\.)*)"|asgroups="(?<asgroups>(?:[^"\\]|\\.)*)"|namespace="(?<namespace>(?:[^"\\]|\\.)*)"|uri="(?<uri>(?:[^"\\]|\\.)*)"|response="(?<response>(?:[^"\\]|\\.)*)"|\w+="(?:[^"\\]|\\.)*"))*/
-  time_format %FT%T.%L%Z
+  format json
+  time_key timestamp
+  time_format %Y-%m-%dT%H:%M:%SZ
   path "#{ENV['AUDIT_LOG_PATH']}"
   exclude_path "#{ENV['EXCLUDE_PATH']}"
   pos_file /mnt/pos/ggcp-kube-audit.log.pos
   tag kube-audit
+  read_from_head "#{ENV['READ_FROM_HEAD']}"
 </source>
 
 <filter kube-audit.**>

diff --git a/daemonset/nonrbac/fluentd.yaml b/daemonset/nonrbac/fluentd.yaml
@@ -43,7 +43,7 @@ spec:
               name: sumologic
               key: collector-url
       tolerations:
-          #- operator: "Exists"
+          - operator: "Exists"
           - effect: "NoSchedule"
             key: "node-role.kubernetes.io/master"