From 1d2e55bd756b1b075c34cb1b13fe7d83a7e725d5 Mon Sep 17 00:00:00 2001
From: Jeremy Wall
Date: Wed, 7 Aug 2024 16:42:33 -0400
Subject: [PATCH] feat: all the system logs are in victoria logs now
---
 nix/base-system/darwin-configuration.nix | 55 +++++++++++++++++++++++-
 nix/base-system/flake.nix | 2 +-
 2 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/nix/base-system/darwin-configuration.nix b/nix/base-system/darwin-configuration.nix
index e593926..27aacde 100644
--- a/nix/base-system/darwin-configuration.nix
+++ b/nix/base-system/darwin-configuration.nix
@@ -245,6 +245,11 @@ in
 "/var/log/com.apple.xpc.launchd/launchd.log"
 ];
 };
+ syslog_source = {
+ type = "exec";
+ command = ["/usr/bin/log" "stream" "--style" "ndjson"];
+ mode = "streaming";
+ };
 };
 transforms = {
 durnitisp_no_tty = {
@@ -256,9 +261,56 @@ in
 .message = strip_ansi_escape_codes(.message) ?? .message
 '';
 };
+ syslog = {
+ type = "remap";
+ inputs = [
+ "syslog_source"
+ ];
+ source = ''
+ .message = parse_json(.message) ?? .message
+ del(.command)
+ .syslog
+ .eventType = .message.eventType
+ .processImagePath = .message.processImagePath
+ '';
+ };
 };
 sinks = {
- victoria = {
+ victoria_vector = {
+ type = "elasticsearch";
+ mode = "bulk";
+ endpoints = [
+ "http://${config.services.victoria-logs.listenAddr}/insert/elasticsearch"
+ ];
+ inputs = [
+ "vector"
+ ];
+ api_version = "v8";
+ healthcheck.enabled = false;
+ query = {
+ _msg_field = "message";
+ _time_field = "timestamp";
+ _stream_fields = "host,source_type";
+ };
+ };
+ victoria_syslog = {
+ type = "elasticsearch";
+ mode = "bulk";
+ endpoints = [
+ "http://${config.services.victoria-logs.listenAddr}/insert/elasticsearch"
+ ];
+ inputs = [
+ "syslog"
+ ];
+ api_version = "v8";
+ healthcheck.enabled = false;
+ query = {
+ _msg_field = "message";
+ _time_field = "timestamp";
+ _stream_fields = "host,processImagePath,eventType";
+ };
+ };
+ victoria_files = {
 type = "elasticsearch";
 mode = "bulk";
 endpoints = [
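Review bot: The `syslog_source` exec source added in the `@@ -245,6 +245,11 @@` hunk runs `log stream` with no `--level` or `--predicate`, so every default-level unified-log event from every process on the host is forwarded and stored. Make the scope explicit, e.g. `command = ["/usr/bin/log" "stream" "--style" "ndjson" "--level" "default"];`, and add a comment such as `# streams the whole macOS unified log; narrow with --predicate if volume or content becomes a problem`. If the Vector and victoria-logs processes themselves write to the unified log, an unfiltered stream could feed the pipeline's own activity back into it; that is not verifiable from this hunk. The absolute `/usr/bin/log` path is good and should stay, since it keeps the exec from depending on the service's PATH.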
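Review bot: In the `syslog` remap, a line that fails `parse_json` keeps `.message` as a string, so `.eventType` and `.processImagePath` are assigned null and the event reaches `victoria_syslog` without the fields named in its `_stream_fields`; when parsing succeeds, `.message` becomes an object although the sink still declares `_msg_field = "message"`, so the log text probably ends up under a nested key. Parse into a temporary and promote the text explicitly, e.g. `parsed = parse_json(.message) ?? {}` then `.message = parsed.eventMessage || .message` (this assumes the ndjson records carry an `eventMessage` key; confirm against real output), and read `eventType`/`processImagePath` from `parsed`. The bare `.syslog` line has no effect and looks like a leftover. Both new sinks also set `healthcheck.enabled = false` and post over plain `http://`; if `listenAddr` (not visible here) is ever not loopback, host logs travel unauthenticated and unencrypted, and an unreachable endpoint will not be reported at startup. The `victoria_files` sink that begins at the end of this hunk continues outside it.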
@@ -268,7 +320,6 @@ in
 "prometheus"
 #"heracles"
 "durnitisp_no_tty"
- "vector"
 "victoria-logs"
 "system"
 ];
diff --git a/nix/base-system/flake.nix b/nix/base-system/flake.nix
index d242012..a0ff3e3 100644
--- a/nix/base-system/flake.nix
+++ b/nix/base-system/flake.nix
@@ -331,7 +331,7 @@ EOF";
 sc-im
 #ocaml
 #opam
- vector
+ unstablePkgs.vector
 victoriametrics
 # TODO add sonic-pi here if it supports the arch
 unstablePkgs.dbeaver-bin