default.yml
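---
# Entry-point ingest pipeline. It moves the raw log line into
# event.original, hands JSON lines to the "json" sub-pipeline, restores
# `message` for non-JSON lines, and finally drops event.original unless
# the event is tagged to keep it.
description: Pipeline for processing Hashicorp Vault operational logs.
processors:
  - set:
      field: ecs.version
      value: '8.8.0'
  - set:
      field: event.kind
      value: event
  # Move the raw line into event.original. ignore_failure swallows every
  # rename error, which includes a missing `message` and an event.original
  # that already exists; in both cases the document continues unchanged.
  - rename:
      field: message
      target_field: event.original
      ignore_failure: true
  #
  # JSON logs
  #
  # A line counts as JSON only when its first character is "{". A line with
  # leading whitespace or a BOM therefore takes the non-JSON branch below.
  - pipeline:
      if: 'ctx?.event?.original != null && ctx.event.original.startsWith("{")'
      name: '{{ IngestPipeline "json" }}'
  #
  # Non-JSON logs
  #
  # Exact complement of the JSON condition: copy the raw line back into
  # `message` so it stays searchable after event.original is removed.
  - set:
      if: 'ctx?.event?.original != null && !ctx.event.original.startsWith("{")'
      field: message
      copy_from: event.original
      ignore_failure: true
  #
  # event.original - keep or drop
  #
  # The raw copy is kept only when the event carries the
  # preserve_original_event tag. If an earlier processor fails without
  # ignore_failure, on_failure runs instead of this step, so event.original
  # remains on pipeline_error documents.
  # NOTE(review): confirm that retention is acceptable for whatever these
  # operational logs can contain.
  - remove:
      field: event.original
      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
      ignore_failure: true
      ignore_missing: true
# Failed documents are still indexed: they are marked as pipeline_error and
# the failure reason is appended to error.message, which makes ingest
# failures easy to alert on.
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'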