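# Input template for the google_workspace module's drive fileset.
# The template variable .input selects one of two sources:
#   "httpjson" polls the Google Admin SDK Reports API for Drive activity;
#   "file" reads events from local log files.
# Nesting below is written with 2-space indentation; without it the
# transforms, split, pagination, cursor and processors settings do not parse
# as children of their parent keys.
{{ if eq .input "httpjson" }}

type: httpjson
config_version: "2"
interval: {{ .interval }}

# OAuth2 with a Google service account.
# jwt_file is the path to the service account's key file. That file is a
# long-lived credential: keep it readable only by the account running this
# input and keep it out of version control.
# delegated_account is the Workspace user the service account acts as.
auth.oauth2.provider: google
auth.oauth2.google.jwt_file: {{ .jwt_file }}
auth.oauth2.google.delegated_account: {{ .delegated_account }}
# Only the read-only audit scope is requested; do not widen it here.
auth.oauth2.scopes:
  - https://www.googleapis.com/auth/admin.reports.audit.readonly

# user_key is placed into the URL path as-is; this template does no escaping.
# NOTE(review): presumably an operator-set module variable - confirm it is
# never filled from event data.
request.url: https://www.googleapis.com/admin/reports/v1/activity/users/{{ .user_key }}/applications/drive
{{ if .http_client_timeout }}
request.timeout: {{ .http_client_timeout }}
{{ end }}
{{ if .proxy_url }}
request.proxy_url: {{ .proxy_url }}
{{ end }}

# startTime is the stored cursor; on the first run (no cursor yet) it falls
# back to the current time minus initial_interval.
request.transforms:
  - set:
      target: url.params.startTime
      value: "[[.cursor.last_execution_datetime]]"
      default: '[[formatDate (now (parseDuration "-{{.initial_interval}}"))]]'

# One document per entry in body.items, then one per entry in that item's
# events list; keep_parent carries the item's own fields onto each event.
response.split:
  target: body.items
  split:
    target: body.events
    keep_parent: true

# Follow nextPageToken. With fail_on_template_error the set fails when the
# token is absent instead of sending an empty pageToken.
response.pagination:
  - set:
      target: url.params.pageToken
      value: "[[.last_response.body.nextPageToken]]"
      fail_on_template_error: true

# The cursor records when the request ran, not the timestamp of the newest
# event returned.
# NOTE(review): events the API publishes late, with a time earlier than this
# cursor, would fall outside the next startTime window - confirm whether that
# gap matters for audit completeness.
cursor:
  last_execution_datetime:
    value: "[[formatDate now]]"

{{ else if eq .input "file" }}

type: log
paths:
{{ range $i, $path := .paths }}
  - {{$path}}
{{ end }}
# Regular expression; skips files whose names end in "gz" preceded by any
# character (the dot is not escaped).
exclude_files: [".gz$"]

{{ end }}

# tojson renders the tag list as a JSON array, so each tag is emitted quoted.
tags: {{.tags | tojson}}
# True when the tag list contains "forwarded": the publisher then leaves the
# collecting host's fields off the event.
publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}

# The script processors load JavaScript from the installation directory and
# apply it to every event; that directory should be writable by
# administrators only.
processors:
  - add_fields:
      target: ''
      fields:
        ecs.version: 1.12.0
  - script:
      lang: javascript
      id: gworkspace-common
      file: ${path.home}/module/google_workspace/config/common.js
  # NOTE(review): the id says "admin" while the script path is the drive
  # fileset's pipeline - looks carried over from another fileset; confirm.
  - script:
      lang: javascript
      id: gworkspace-admin
      file: ${path.home}/module/google_workspace/drive/config/pipeline.js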