Merge pull request #1 from stakater-docker/update-audit-source

Update apiserver audit parser

Jenkinsfile

@@ -1,6 +1,7 @@
 #!/usr/bin/env groovy
 @Library('github.com/stakater/fabric8-pipeline-library@master') _
 
-pushDockerImageFromMakefile {
+pushDockerImage {
     dockerRegistryURL = "docker.io"
-}
+    imagePrefix = "1.2.2"
+}

conf/source/kube-apiserver-audit.conf

@@ -1,6 +1,3 @@
-# Example:
-# 2017-02-09T00:15:57.992775796Z AUDIT: id="90c73c7c-97d6-4b65-9461-f94606ff825f" ip="104.132.1.72" method="GET" user="kubecfg" as="<self>" asgroups="<lookup>" namespace="default" uri="/api/v1/namespaces/default/pods"
-# 2017-02-09T00:15:57.993528822Z AUDIT: id="90c73c7c-97d6-4b65-9461-f94606ff825f" response="200"
 <source>
   @type tail
   @id in_tail_kube_apiserver_audit
@@ -9,15 +6,9 @@
   pos_file /var/log/kube-apiserver-audit.log.pos
   tag kube-apiserver-audit
   <parse>
-    @type multiline
-    format_firstline /^\S+\s+AUDIT:/
-    # Fields must be explicitly captured by name to be parsed into the record.
-    # Fields may not always be present, and order may change, so this just looks
-    # for a list of key="\"quoted\" value" pairs separated by spaces.
-    # Unknown fields are ignored.
-    # Note: We can't separate query/response lines as format1/format2 because
-    #       they don't always come one after the other for a given query.
-    format1 /^(?<time>\S+) AUDIT:(?: (?:id="(?<id>(?:[^"\\]|\\.)*)"|ip="(?<ip>(?:[^"\\]|\\.)*)"|method="(?<method>(?:[^"\\]|\\.)*)"|user="(?<user>(?:[^"\\]|\\.)*)"|groups="(?<groups>(?:[^"\\]|\\.)*)"|as="(?<as>(?:[^"\\]|\\.)*)"|asgroups="(?<asgroups>(?:[^"\\]|\\.)*)"|namespace="(?<namespace>(?:[^"\\]|\\.)*)"|uri="(?<uri>(?:[^"\\]|\\.)*)"|response="(?<response>(?:[^"\\]|\\.)*)"|\w+="(?:[^"\\]|\\.)*"))*/
+    @type json
+    keep_time_key true
+    time_key timestamp
     time_format %Y-%m-%dT%T.%L%Z
   </parse>
 </source>