diff --git a/S3-API-Audit-log.md b/S3-API-Audit-log.md
index fd2f498..6e50392 100644
--- a/S3-API-Audit-log.md
+++ b/S3-API-Audit-log.md
@@ -33,46 +33,46 @@ logstash.conf:
 ```
- filter {
- if [tags][0] and [tags][0] =~ /s3.access/ {
- ruby {
- code => 'event.set("environment", ((event.get("tags").first).split(".")).first)'
- add_field => { "[@metadata][input_type]" => "s3.access" }
- remove_field => [ host, "@timestamp", "@version", port, tags ]
- }
- }
- if ![environment] or [environment] == "" {
- mutate {
- replace => { "environment" => "unknown" }
- }
- }
- }
- input {
- tcp {
- codec => fluent
- port => 24224
- }
- }
- output {
- if [@metadata][input_type] == "s3.access" {
- clickhouse {
- headers => ["Authorization", "Basic ${CLICKHOUSE_BASIC_AUTH}"]
- http_hosts => ["${CLICKHOUSE_URL}", "${CLICKHOUSE_URL}"]
- table => "${CLICKHOUSE_TABLE}"
- flush_size => 1000
- pool_max => 1000
- idle_flush_time => 5
- backoff_time => 3
- request_tolerance => 5
- automatic_retries => 1
- save_on_failure => true
- save_dir => "${CLICKHOUSE_SAVE_DIR}"
- date_time_input_format => "best_effort"
- skip_unknown => "1"
- id => "clickhouse"
- }
- }
- }
+filter {
+ if [tags][0] and [tags][0] =~ /s3.access/ {
+ ruby {
+ code => 'event.set("environment", ((event.get("tags").first).split(".")).first)'
+ add_field => { "[@metadata][input_type]" => "s3.access" }
+ remove_field => [ host, "@timestamp", "@version", port, tags ]
+ }
+ }
+ if ![environment] or [environment] == "" {
+ mutate {
+ replace => { "environment" => "unknown" }
+ }
+ }
+}
+input {
+ tcp {
+ codec => fluent
+ port => 24224
+ }
+}
+output {
+ if [@metadata][input_type] == "s3.access" {
+ clickhouse {
+ headers => ["Authorization", "Basic ${CLICKHOUSE_BASIC_AUTH}"]
+ http_hosts => ["${CLICKHOUSE_URL}", "${CLICKHOUSE_URL}"]
+ table => "${CLICKHOUSE_TABLE}"
+ flush_size => 1000
+ pool_max => 1000
+ idle_flush_time => 5
+ backoff_time => 3
+ request_tolerance => 5
+ automatic_retries => 1
+ save_on_failure => true
+ save_dir => "${CLICKHOUSE_SAVE_DIR}"
+ date_time_input_format => "best_effort"
+ skip_unknown => "1"
+ id => "clickhouse"
+ }
+ }
+}
 ```