File: //etc/vector/vector.yaml
sources:
  # Auth-facility syslog arriving on a local Unix datagram socket, decoded
  # with the syslog codec.
  # NOTE(review): 0o666 leaves the socket writable by every local account,
  # so records read here are not authenticated by file permissions. Confirm
  # whether the writer needs world-write; if not, restrict access through
  # ownership and a narrower mode.
  syslog_auth:
    type: socket
    mode: unix_datagram
    path: '/var/lib/vector/syslog_auth.sock'
    socket_file_mode: 0o666
    decoding:
      codec: syslog

  # Kernel-facility syslog; same transport and codec as syslog_auth.
  # NOTE(review): the same 0o666 caveat applies. The OOM metrics built from
  # this source inherit whatever trust this socket has.
  syslog_kern:
    type: socket
    mode: unix_datagram
    path: '/var/lib/vector/syslog_kern.sock'
    socket_file_mode: 0o666
    decoding:
      codec: syslog

  # Apache access log lines: newline-delimited framing, payload kept as raw
  # bytes. Mode 0o755 grants write permission to the socket owner only.
  apache_log:
    type: socket
    mode: unix_datagram
    path: '/var/lib/vector/vector-apache.sock'
    socket_file_mode: 0o755
    framing:
      method: newline_delimited
    decoding:
      codec: bytes

  # Apache error log lines; same settings as apache_log on its own socket.
  apache_error_log:
    type: socket
    mode: unix_datagram
    path: '/var/lib/vector/apache-error-log.sock'
    socket_file_mode: 0o755
    framing:
      method: newline_delimited
    decoding:
      codec: bytes

  # Vector's own internal metrics, exported by the Prometheus sink.
  int_metrics:
    type: internal_metrics
transforms:
  # Pass only kernel syslog events whose message contains "oom-kill:".
  oom_kill_filter:
    type: filter
    inputs: [syslog_kern]
    condition: 'contains(string!(.message), "oom-kill:")'

  # Parse the oom-kill line into oom_memcg, task_memcg, task, pid and uid,
  # merge them into the event, and take .user from the last path segment of
  # oom_memcg ("unknown" when that match fails). Events whose message does
  # not match the main regex are aborted and, with drop_on_abort, dropped.
  # NOTE(review): task and user are taken verbatim from the log line, and a
  # process name is chosen by whoever runs the process. Treat both as
  # untrusted, unbounded strings wherever they are used downstream.
  oom_parse:
    type: remap
    inputs: [oom_kill_filter]
    drop_on_abort: true
    source: |-
      parsed, err = parse_regex(.message, r'oom-kill:.*,oom_memcg=(?P<oom_memcg>[^,]+),task_memcg=(?P<task_memcg>[^,]+),task=(?P<task>[^,]+),pid=(?P<pid>\d+),uid=(?P<uid>\d+)')
      if err != null {
        abort
      }
      . = merge(., parsed)
      user_match, user_err = parse_regex(.oom_memcg, r'/(?P<user>[^/]+)$')
      if user_err == null {
        .user = user_match.user
      } else {
        .user = "unknown"
      }
      .process_name = .task
      .machine = "${HOSTNAME}"

  # Emit one incremental counter sample per parsed OOM kill, tagged with
  # user, process_name and machine.
  # NOTE(review): the user and process_name tag values are unbounded (see
  # oom_parse), so series count can grow without limit. A
  # tag_cardinality_limit transform ahead of the exporter would cap it.
  oom_metrics:
    type: log_to_metric
    inputs: [oom_parse]
    metrics:
      - type: counter
        name: oom_kills_total
        field: process_name
        kind: incremental
        tags:
          user: '{{user}}'
          process_name: '{{process_name}}'
          machine: '{{machine}}'

  # Set .hostname from .machine before the OOM events are shipped as logs.
  oom_syslog_format:
    type: remap
    inputs: [oom_parse]
    source: |-
      # syslog_kern is already syslog-decoded, so message/severity/facility/
      # appname/timestamp are populated by the codec. These are shared hosts
      # (no VMs/containers), so .machine is the physical host -- which is the
      # right hostname for a user process that OOMs here.
      .hostname = .machine

  # Stamp each Apache access log event with the host name.
  apache_remap:
    type: remap
    inputs:
      - apache_log
    source: |-
      .machine = "${HOSTNAME}"

  # Stamp each Apache error log event with the host name. Of the mod_fcgid
  # stderr lines, keep only those containing "PHP Fatal" or "PHP Warning";
  # the rest are aborted and dropped. Other lines pass through.
  apache_error_log_remap:
    type: remap
    inputs:
      - apache_error_log
    drop_on_abort: true
    source: |-
      .machine = "${HOSTNAME}"
      if match!(.message, r'.*mod_fcgid\: stderr\:.*') {
        if ! match!(.message, r'.*PHP (Fatal|Warning).*') {
          abort
        }
      }
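sinks:
  # Prometheus scrape endpoint for Vector's internal metrics and the OOM
  # counter, protected by a bearer token.
  # The token is read from the environment instead of being stored in this
  # file; the variable name is a placeholder for whatever the deployment
  # provides. A token that was ever committed in clear text should be
  # rotated.
  # NOTE(review): the listener binds every interface, and no tls block is
  # set, so the token crosses the network unencrypted. Bind to a management
  # address or enable tls on this sink.
  int_metrics_export:
    type: prometheus_exporter
    inputs:
      - int_metrics
      - oom_metrics
    address: '0.0.0.0:9598'
    auth:
      strategy: bearer
      token: '${PROMETHEUS_EXPORTER_TOKEN}'  # placeholder variable name

  # Forward formatted OOM events to the central Vector collector over TLS.
  # Certificate and hostname verification are enabled: with both off, TLS
  # encrypts the link but does not authenticate the collector, so an
  # on-path host could receive these logs. If the collector's certificate
  # is issued by a private CA, point ca_file at that CA instead of
  # disabling verification.
  # NOTE(review): the healthcheck is off and a full buffer drops the newest
  # events, so delivery problems are silent. Watch the discard counters
  # exposed through int_metrics.
  vector_oom_logs:
    type: vector
    inputs:
      - oom_syslog_format
    address: 'vector-logs.dream.io:9003'
    tls:
      enabled: true
      verify_certificate: true
      verify_hostname: true
      # ca_file: '/path/to/internal-ca.pem'  # placeholder path
    healthcheck:
      enabled: false
    buffer:
      when_full: drop_newest
      max_events: 50000

  # Forward Apache access log events; same TLS policy as vector_oom_logs,
  # with a larger buffer.
  vector_apache_logs:
    type: vector
    inputs:
      - apache_remap
    address: 'vector-logs.dream.io:9002'
    tls:
      enabled: true
      verify_certificate: true
      verify_hostname: true
      # ca_file: '/path/to/internal-ca.pem'  # placeholder path
    healthcheck:
      enabled: false
    buffer:
      when_full: drop_newest
      max_events: 500000

  # Forward auth syslog events unmodified. These are the most sensitive
  # records in this pipeline, so collector authentication matters most
  # here.
  vector_auth_logs:
    type: vector
    inputs:
      - syslog_auth
    address: 'vector-logs.dream.io:9003'
    tls:
      enabled: true
      verify_certificate: true
      verify_hostname: true
      # ca_file: '/path/to/internal-ca.pem'  # placeholder path
    healthcheck:
      enabled: false
    buffer:
      when_full: drop_newest
      max_events: 50000

  # Forward the filtered Apache error log events.
  vector_apache_error_logs:
    type: vector
    inputs:
      - apache_error_log_remap
    address: 'vector-logs.dream.io:9006'
    tls:
      enabled: true
      verify_certificate: true
      verify_hostname: true
      # ca_file: '/path/to/internal-ca.pem'  # placeholder path
    healthcheck:
      enabled: false
    buffer:
      when_full: drop_newest
      max_events: 50000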