First draft of the Splunk-TA-journald.

A very simple solution to onboard journald logs into Splunk.

LICENSE

@@ -1,6 +1,6 @@
 BSD 2-Clause License
 
-Copyright (c) 2020, Jörgen
+Copyright (c) 2020, Jörgen Maas
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

bin/get-journald-logs.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Simple script to fetch journald logs while keeping state.
+# Requires the 'jq' package to be installed.
+#
+
+#LOG_DATE=$(date +"%Y-%m-%d")
+#LOG_NAME="journald-${LOG_DATE}.log"
+#LOG_DIR="/var/log/splunk-journald"
+#LOG_FILE="${LOG_DIR}/${LOG_NAME}"
+
+STATE_NAME="journald.state"
+STATE_DIR="state"
+STATE_FILE="${STATE_DIR}/${STATE_NAME}"
+
+#if ! [ -d ${LOG_DIR} ]; then
+#	mkdir -p ${LOG_DIR}
+#fi
+
+#if ! [ -d ${STATE_DIR} ]; then
+#	mkdir -p ${STATE_DIR}
+#fi
+
+if [ -f ${STATE_FILE} ]; then
+	# get state and logs
+	CURSOR=$(cat ${STATE_FILE})
+     	/usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json # >> ${LOG_FILE}
+else
+	# no state; get all logs as of today
+	/usr/bin/journalctl --no-tail --since today --no-pager -o json # >> ${LOG_FILE}
+fi
+
+# update state
+STATE=$(tail -n1 ${LOG_FILE} | jq -r '.__CURSOR')
+echo ${STATE} > ${STATE_FILE}
+
+# EOF
+

default/inputs.conf

@@ -0,0 +1,11 @@
+#
+#
+# 
+
+[script://./bin/get-journald-logs.sh]
+interval = 30
+sourcetype = linux:journald
+disabled = False 
+index = linux
+
+# EOF

default/props.conf

@@ -0,0 +1,9 @@
+[linux:journald]
+KV_MODE = json
+#MAX_TIMESTAMP_LOOKAHEAD = 10
+NO_BINARY_CHECK = 1
+SHOULD_LINEMERGE = false
+TIME_FORMAT = %s
+TIME_PREFIX = \"__REALTIME_TIMESTAMP\" : \"
+pulldown_type = 1
+TZ=UTC

state/README

@@ -0,0 +1 @@
+This directory holds the state file.