diff --git a/LICENSE b/LICENSE
index d3e2403..99fd385 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,6 @@
 BSD 2-Clause License
-Copyright (c) 2020, Jörgen
+Copyright (c) 2020, Jörgen Maas
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
diff --git a/bin/get-journald-logs.sh b/bin/get-journald-logs.sh
new file mode 100755
index 0000000..b30e7f1
--- /dev/null
+++ b/bin/get-journald-logs.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Simple script to fetch journald logs while keeping state.
+# Requires the 'jq' package to be installed.
+#
+
+#LOG_DATE=$(date +"%Y-%m-%d")
+#LOG_NAME="journald-${LOG_DATE}.log"
+#LOG_DIR="/var/log/splunk-journald"
+#LOG_FILE="${LOG_DIR}/${LOG_NAME}"
+
+STATE_NAME="journald.state"
+STATE_DIR="state"
+STATE_FILE="${STATE_DIR}/${STATE_NAME}"
+
+#if ! [ -d ${LOG_DIR} ]; then
+# mkdir -p ${LOG_DIR}
+#fi
+
+#if ! [ -d ${STATE_DIR} ]; then
+# mkdir -p ${STATE_DIR}
+#fi
+
+if [ -f ${STATE_FILE} ]; then
+ # get state and logs
+ CURSOR=$(cat ${STATE_FILE})
+ /usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json # >> ${LOG_FILE}
+else
+ # no state; get all logs as of today
+ /usr/bin/journalctl --no-tail --since today --no-pager -o json # >> ${LOG_FILE}
+fi
+
+# update state
+STATE=$(tail -n1 ${LOG_FILE} | jq -r '.__CURSOR')
+echo ${STATE} > ${STATE_FILE}
+
+# EOF
+
diff --git a/default/inputs.conf b/default/inputs.conf
new file mode 100644
index 0000000..a4ed19a
--- /dev/null
+++ b/default/inputs.conf
@@ -0,0 +1,11 @@
+#
+#
+#
+
+[script://./bin/get-journald-logs.sh]
+interval = 30
+sourcetype = linux:journald
+disabled = False
+index = linux
+
+# EOF
diff --git a/default/props.conf b/default/props.conf
new file mode 100644
index 0000000..660a4ea
--- /dev/null
+++ b/default/props.conf
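Review bot: The cursor is never persisted, because `tail -n1 ${LOG_FILE}` reads a variable whose only assignment is the commented-out `#LOG_FILE=` line, so `tail` reads the script's stdin, `.__CURSOR` resolves to empty or `null`, the state file is overwritten with that value, and the next run passes an empty `--after-cursor` instead of resuming. Since journalctl's output now goes to stdout for the scripted input, the last JSON line has to be captured from that stream (a temp file avoids holding a whole day of events in a variable), and the checkpoint should only be rewritten when journalctl exited 0 and a non-empty cursor was actually read, otherwise a transient failure wipes it. `STATE_DIR="state"` is relative to whatever working directory the scripted input is started from, which I would not assume is the app directory; deriving it from `$(dirname "$0")/../state` is safer, and `-s` rather than `-f` skips an empty state file. The unquoted expansions (`cat ${STATE_FILE}`, `echo ${STATE} > ${STATE_FILE}`) should also be quoted per ShellCheck SC2086.
```shell
#!/bin/bash
set -euo pipefail
# … unchanged: header comment, LOG_* and mkdir blocks …

STATE_NAME="journald.state"
STATE_DIR="$(dirname "$0")/../state"
STATE_FILE="${STATE_DIR}/${STATE_NAME}"

TMP_OUT=$(mktemp)
trap 'rm -f -- "${TMP_OUT}"' EXIT

if [ -s "${STATE_FILE}" ]; then
  # resume after the stored cursor
  CURSOR=$(cat "${STATE_FILE}")
  /usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json > "${TMP_OUT}"
else
  # no state; get all logs as of today
  /usr/bin/journalctl --no-tail --since today --no-pager -o json > "${TMP_OUT}"
fi

# hand the events to the caller, then advance the checkpoint only if something was read
cat -- "${TMP_OUT}"
if [ -s "${TMP_OUT}" ]; then
  STATE=$(tail -n1 -- "${TMP_OUT}" | jq -r '.__CURSOR')
  if [ -n "${STATE}" ] && [ "${STATE}" != "null" ]; then
    printf '%s\n' "${STATE}" > "${STATE_FILE}"
  fi
fi
```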
@@ -0,0 +1,9 @@
+[linux:journald]
+KV_MODE = json
+#MAX_TIMESTAMP_LOOKAHEAD = 10
+NO_BINARY_CHECK = 1
+SHOULD_LINEMERGE = false
+TIME_FORMAT = %s
+TIME_PREFIX = \"__REALTIME_TIMESTAMP\" : \"
+pulldown_type = 1
+TZ=UTC
diff --git a/state/README b/state/README
new file mode 100644
index 0000000..51e1f2b
--- /dev/null
+++ b/state/README
@@ -0,0 +1 @@
+This directory holds the state file.
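Review bot: `TIME_FORMAT = %s` will mis-parse the value that `TIME_PREFIX` selects, because journald's `__REALTIME_TIMESTAMP` is microseconds since the epoch (a 16-digit value), not seconds, so events either land far in the future or fall back to index time. Splunk's strptime has subsecond directives for this; `TIME_FORMAT = %s%6N` should be tried (confirm the target Splunk version accepts `%N`), and `MAX_TIMESTAMP_LOOKAHEAD` is worth re-enabling at a value sized to that 16-digit field so no later number in the event is ever taken as the timestamp.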