diff --git a/README.md b/README.md index 9dd87be..2c9912f 100644 --- a/README.md +++ b/README.md @@ -1 +1 @@ -# splunk-ta-journald \ No newline at end of file +# Splunk-TA-journald diff --git a/bin/get-journald-logs.sh b/bin/get-journald-logs.sh index b30e7f1..47634f5 100755 --- a/bin/get-journald-logs.sh +++ b/bin/get-journald-logs.sh @@ -4,35 +4,33 @@ # Requires the 'jq' package to be installed. # -#LOG_DATE=$(date +"%Y-%m-%d") -#LOG_NAME="journald-${LOG_DATE}.log" -#LOG_DIR="/var/log/splunk-journald" -#LOG_FILE="${LOG_DIR}/${LOG_NAME}" +CUR_DIR=$(dirname $0) +STATE_DIR="${CUR_DIR}/../state" +STATE_FILE="${STATE_DIR}/journald.state" +STATE_LOGFILE="${STATE_DIR}/journald.log" -STATE_NAME="journald.state" -STATE_DIR="state" -STATE_FILE="${STATE_DIR}/${STATE_NAME}" -#if ! [ -d ${LOG_DIR} ]; then -# mkdir -p ${LOG_DIR} -#fi +update_state () { + if [ -s ${STATE_LOGFILE} ]; then + # only update state if we have a new one + STATE=$(tail -n1 ${STATE_LOGFILE} | jq -j '.__CURSOR') + echo -n ${STATE} > ${STATE_FILE} + fi +} -#if ! [ -d ${STATE_DIR} ]; then -# mkdir -p ${STATE_DIR} -#fi -if [ -f ${STATE_FILE} ]; then +if [ -s ${STATE_FILE} ]; then # get state and logs CURSOR=$(cat ${STATE_FILE}) - /usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json # >> ${LOG_FILE} -else - # no state; get all logs as of today - /usr/bin/journalctl --no-tail --since today --no-pager -o json # >> ${LOG_FILE} + /usr/bin/journalctl --after-cursor="${CURSOR}" --no-tail --no-pager -o json | /usr/bin/tee ${STATE_LOGFILE} + update_state fi -# update state -STATE=$(tail -n1 ${LOG_FILE} | jq -r '.__CURSOR') -echo ${STATE} > ${STATE_FILE} -# EOF +if ! [ -f ${STATE_FILE} ]; then + # no state (first run?); get logs of today + /usr/bin/journalctl --no-tail --since today --no-pager -o json | /usr/bin/tee ${STATE_LOGFILE} + update_state +fi +# EOF diff --git a/default/inputs.conf b/default/inputs.conf index a4ed19a..632618e 100644 --- a/default/inputs.conf +++ b/default/inputs.conf 
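Review bot: An empty or null cursor can wedge this input permanently: when `jq` finds no `__CURSOR` in the last line of `${STATE_LOGFILE}`, `update_state` writes an empty `${STATE_FILE}`, after which `[ -s ${STATE_FILE} ]` is false but `! [ -f ${STATE_FILE} ]` is also false, so neither `journalctl` branch ever runs again until someone deletes the state by hand. Guard the write with `STATE=$(tail -n1 "${STATE_LOGFILE}" | jq -j '.__CURSOR // empty')` followed by `[ -n "${STATE}" ] && printf '%s' "${STATE}" > "${STATE_FILE}"`, and turn the second `if ! [ -f ${STATE_FILE} ]; then` block into the `else` of the first so an existing-but-empty state file falls back to `--since today` instead of silence. Quoting every `${STATE_DIR}`/`${STATE_FILE}`/`${STATE_LOGFILE}` expansion (and `$(dirname "$0")`) matters here too, since the script now derives its paths from wherever Splunk happens to have installed the app. Note also that `tee` now persists the whole batch of journal records to `state/journald.log` inside the app directory; journald content is often sensitive, so a `umask 077` near the top (or a `chmod 600` on the file) is worth adding unless that directory is already restricted, which I cannot tell from the diff.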
@@ -1,5 +1,5 @@ # -# +# Scripted input for on-boarding journald logs into Splunk # [script://./bin/get-journald-logs.sh] diff --git a/default/props.conf b/default/props.conf index 660a4ea..39f18b1 100644 --- a/default/props.conf +++ b/default/props.conf @@ -1,9 +1,14 @@ +# +# Setup linux:journald sourcetype as JSON input +# + [linux:journald] KV_MODE = json -#MAX_TIMESTAMP_LOOKAHEAD = 10 NO_BINARY_CHECK = 1 SHOULD_LINEMERGE = false TIME_FORMAT = %s TIME_PREFIX = \"__REALTIME_TIMESTAMP\" : \" pulldown_type = 1 TZ=UTC + +# EOF diff --git a/state/README b/state/README index 51e1f2b..26272ad 100644 --- a/state/README +++ b/state/README @@ -1 +1,2 @@ -This directory holds the state file. +This directory holds the journald state as well as the last log file. +If you ever need to reset this input just delete the journald.* files.