From 90cc454927055cd337a91942b285e6b57264e8c5 Mon Sep 17 00:00:00 2001
From: Frank Reno <freno@sumologic.com>
Date: Wed, 25 Apr 2018 16:16:32 -0600
Subject: [PATCH] audit logging format has changed, update for new format.  Add
 missing property to control read_from_head behavior.

---
 conf.d/file/source.kubernetes.conf | 9 ++++-----
 daemonset/nonrbac/fluentd.yaml     | 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/conf.d/file/source.kubernetes.conf b/conf.d/file/source.kubernetes.conf
index 04fb2c4..f6a9f97 100644
--- a/conf.d/file/source.kubernetes.conf
+++ b/conf.d/file/source.kubernetes.conf
@@ -94,15 +94,14 @@
 # 2017-02-09T00:15:57.993528822Z AUDIT: id="6a8sdffd918-0b6a-4aee-a3a1-f1sdf61596" response="200"
 <source>
   @type tail
-  format multiline
-  multiline_flush_interval 5s
-  format_firstline /^\S+\s+AUDIT:/
-  format1 /^(?<time>\S+) AUDIT:(?: (?:id="(?<id>(?:[^"\\]|\\.)*)"|ip="(?<ip>(?:[^"\\]|\\.)*)"|method="(?<method>(?:[^"\\]|\\.)*)"|user="(?<user>(?:[^"\\]|\\.)*)"|groups="(?<groups>(?:[^"\\]|\\.)*)"|as="(?<as>(?:[^"\\]|\\.)*)"|asgroups="(?<asgroups>(?:[^"\\]|\\.)*)"|namespace="(?<namespace>(?:[^"\\]|\\.)*)"|uri="(?<uri>(?:[^"\\]|\\.)*)"|response="(?<response>(?:[^"\\]|\\.)*)"|\w+="(?:[^"\\]|\\.)*"))*/
-  time_format %FT%T.%L%Z
+  format json
+  time_key timestamp
+  time_format %Y-%m-%dT%H:%M:%SZ
   path "#{ENV['AUDIT_LOG_PATH']}"
   exclude_path "#{ENV['EXCLUDE_PATH']}"
   pos_file /mnt/pos/ggcp-kube-audit.log.pos
   tag kube-audit
+  read_from_head "#{ENV['READ_FROM_HEAD']}"
 </source>
 
 <filter kube-audit.**>
diff --git a/daemonset/nonrbac/fluentd.yaml b/daemonset/nonrbac/fluentd.yaml
index 1fea26d..4eb39f4 100644
--- a/daemonset/nonrbac/fluentd.yaml
+++ b/daemonset/nonrbac/fluentd.yaml
@@ -43,7 +43,7 @@ spec:
               name: sumologic
               key: collector-url
       tolerations:
-          #- operator: "Exists"
+          - operator: "Exists"
           - effect: "NoSchedule"
             key: "node-role.kubernetes.io/master"