ansible-roles/roles/samba/templates/vector.yml

---
  
sources:
  in_logs_samba:
    type: file
    include:
      - /var/log/samba/json/auth.log
      - /var/log/samba/json/dsdb.log
      - /var/log/samba/json/dsdb_password.log
      - /var/log/samba/json/dsdb_transaction.log

transforms:
  format_logs_samba:
    type: remap
    inputs: ["in_logs_samba"]
    source: |
      .message = string!(.message)
      if (is_json(.message)) {
        .samba = parse_json!(.message)
        .timestamp = parse_timestamp(del(.samba.timestamp), format: "%FT%H:%M:%S%.f%z") ?? now()
      }
Update to 2025-07-04 09:00 2025-07-04 09:00:19 +02:00			`---`

			`sources:`
			`in_logs_samba:`
			`type: file`
			`include:`
			`- /var/log/samba/json/auth.log`
			`- /var/log/samba/json/dsdb.log`
			`- /var/log/samba/json/dsdb_password.log`
			`- /var/log/samba/json/dsdb_transaction.log`

			`transforms:`
			`format_logs_samba:`
			`type: remap`
			`inputs: ["in_logs_samba"]`
			`source: \|`
			`.message = string!(.message)`
			`if (is_json(.message)) {`
			`.samba = parse_json!(.message)`
Update to 2025-07-28 13:00 2025-07-28 13:00:23 +02:00			`.timestamp = parse_timestamp(del(.samba.timestamp), format: "%FT%H:%M:%S%.f%z") ?? now()`
Update to 2025-07-04 09:00 2025-07-04 09:00:19 +02:00			`}`