Unified Logs Source
```yaml
sources:
  compact_log:
    type: unifiedlog
    format: compact
    include:
      - process: sudo
      - process: logind
    parser: "apple/unifiedlog:unifiedlog-compact"
    sink: logscale

  json_log:
    type: unifiedlog
    format: json
    include:
      - process: securityd
        predicate: eventMessage CONTAINS 'Session ' && subsystem == 'com.apple.securityd'
    parser: "apple/unifiedlog:unifiedlog-json"
    sink: logscale

sinks:
  logscale:
    type: humio
    token: <ingest-token>
    url: <logscale-base-url>  # example: https://cloud.community.humio.com
```

Table: Unified Source

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| format | unifiedlogoutputformat | optional[a] | compact | Sets the output format. Can be either `compact` or `json`. |
| include | sourceunifiedloginclude | required | | Specifies the channels to filter for (include) when collecting data. |
| interval | integer | optional[a] | 1 | Specifies how often the log is read, in seconds. |
| parser | string | optional[a] | | Specifies a dedicated unifiedlog parser, e.g. `apple/unifiedlog:unifiedlog-compact`. If a parser is assigned to the ingest token being used, this parser is ignored. |
| predicate | string | optional[a] | | Specifies a user-defined predicate to query specific logs. |
| process | string | optional[a] | | Specifies a process to filter for when collecting logs. |
| sink | string | required | | Name of the configured sink that the collected events should be sent to. |
| subsystem | string | optional[a] | | Specifies a subsystem to log. |
| transforms | transform | optional[a] | | Specifies transforms to use for this source (optional). If `static_field` is specified you must specify a key and a value, which can be an environment variable, for example `myenvvar:$MY_ENV_VAR`. |
| type | unifiedlog | required | | The `sources` block configures the sources of data that the log collector will send to Falcon LogScale. |

[a] Optional parameters use their default value unless explicitly set.
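As an added example (not part of the collector documentation), the following Python check applies the constraints from the table above to a parsed collector configuration: required keys, the allowed `format` values, a positive `interval`, a `sink` that is actually defined, and `include` entries that carry at least one filter. The format-to-parser pairing is an assumption taken from the page's own example; the sample configurations are constructed here.

```python
# Added example, not LogScale Collector code: schema checks for `unifiedlog`
# sources, derived from the parameter table. Input is an already-parsed config.
from typing import Any

ALLOWED_FORMATS = {"compact", "json"}
REQUIRED_SOURCE_KEYS = {"type", "include", "sink"}
INCLUDE_FILTER_KEYS = {"process", "subsystem", "predicate"}
# Assumed pairing (from the page's example), not a documented rule.
EXPECTED_PARSER_SUFFIX = {"compact": "unifiedlog-compact", "json": "unifiedlog-json"}


def validate_unifiedlog_sources(cfg: dict[str, Any]) -> list[str]:
    """Return findings for every unifiedlog source; an empty list means all checks pass."""
    findings: list[str] = []
    sinks = cfg.get("sinks") or {}
    for name, src in (cfg.get("sources") or {}).items():
        if src.get("type") != "unifiedlog":
            continue  # other source types are out of scope here
        for key in sorted(REQUIRED_SOURCE_KEYS - set(src)):
            findings.append(f"{name}: missing required key '{key}'")
        fmt = src.get("format", "compact")  # table default
        if fmt not in ALLOWED_FORMATS:
            findings.append(f"{name}: format must be compact or json, got '{fmt}'")
        interval = src.get("interval", 1)  # table default, in seconds
        if not isinstance(interval, int) or interval < 1:
            findings.append(f"{name}: interval must be a positive integer")
        sink = src.get("sink")
        if sink is not None and sink not in sinks:
            findings.append(f"{name}: sink '{sink}' is not defined under sinks")
        parser = src.get("parser")
        expected = EXPECTED_PARSER_SUFFIX.get(fmt)
        if parser and expected and not parser.endswith(expected):
            findings.append(f"{name}: parser '{parser}' does not match format '{fmt}'")
        include = src.get("include")
        if isinstance(include, list):
            for i, entry in enumerate(include):
                if not isinstance(entry, dict) or not (set(entry) & INCLUDE_FILTER_KEYS):
                    findings.append(f"{name}: include[{i}] needs process, subsystem or predicate")
        elif include is not None:
            findings.append(f"{name}: include must be a list")
    return findings


# Constructed samples: one mirroring the page's compact_log source, one deliberately broken.
GOOD_CONFIG = {
    "sources": {"compact_log": {"type": "unifiedlog", "format": "compact",
                                "include": [{"process": "sudo"}, {"process": "logind"}],
                                "parser": "apple/unifiedlog:unifiedlog-compact", "sink": "logscale"}},
    "sinks": {"logscale": {"type": "humio", "token": "<ingest-token>", "url": "<logscale-base-url>"}},
}
BAD_CONFIG = {  # no sink, compact parser on json output, include entry with no filter
    "sources": {"broken": {"type": "unifiedlog", "format": "json", "include": [{}],
                           "parser": "apple/unifiedlog:unifiedlog-compact"}},
    "sinks": {},
}
```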