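# =============================================================================
# Fluent Bit configuration (classic format), rendered from a Jinja2 template.
# Template variables: ansible_hostname, caddy_log_names, caddy_log_path.
#
# Pipeline: four inputs (Podman container logs, sshd, kernel firewall events,
# Caddy access logs) -> per-tag filters that add host/source/log_type ->
# one GELF UDP output to the local Graylog instance.
# =============================================================================

[SERVICE]
    # seconds between flushes of buffered records to the output
    Flush        5
    Daemon       Off
    Log_Level    info
    Parsers_File parsers.conf

# =============================================================================
# INPUT: Podman container logs
# =============================================================================
# Container logs come from the conmon process (journal field _COMM=conmon);
# Strip_Underscores turns _COMM/_PID/... into COMM/PID/... on the record.
[INPUT]
    Name              systemd
    Tag               podman.*
    Systemd_Filter    _COMM=conmon
    Read_From_Tail    On
    Strip_Underscores On
    # Persist the journal cursor so a restart resumes where it stopped
    # instead of starting again from the tail and dropping the gap.
    # New file next to the caddy DBs; any path writable by fluent-bit works.
    DB                /var/lib/fluent-bit/systemd_podman.db

# =============================================================================
# INPUT: SSH logs for security monitoring
# =============================================================================
[INPUT]
    Name              systemd
    Tag               ssh.*
    Systemd_Filter    _SYSTEMD_UNIT=sshd.service
    Read_From_Tail    On
    Strip_Underscores On
    # Cursor persistence matters most here: auth events that arrive while
    # fluent-bit is down would otherwise never reach Graylog.
    DB                /var/lib/fluent-bit/systemd_ssh.db

# =============================================================================
# INPUT: Kernel firewall logs for Zomboid connections
# =============================================================================
# Captures ZOMBOID_CONN firewall events with source IP for player correlation.
# The journal filter is deliberately broad (every kernel message); the grep
# FILTER on firewall.zomboid below narrows it to ZOMBOID_CONN lines.
[INPUT]
    Name              systemd
    Tag               firewall.zomboid
    Systemd_Filter    _TRANSPORT=kernel
    Read_From_Tail    On
    Strip_Underscores On
    DB                /var/lib/fluent-bit/systemd_firewall.db

# =============================================================================
# INPUT: Caddy access logs (JSON format)
# =============================================================================
# One tail input per log file name; each keeps its own offset DB.
{% for log_name in caddy_log_names %}
[INPUT]
    Name             tail
    Tag              caddy.{{ log_name }}
    Path             {{ caddy_log_path }}/{{ log_name }}.log
    # parser defined in parsers.conf
    Parser           caddy_json
    # Off: start at the end of the file on first run (same as the systemd inputs)
    Read_From_Head   Off
    # seconds between scans for new/rotated files
    Refresh_Interval 5
    DB               /var/lib/fluent-bit/caddy_{{ log_name }}.db
{% endfor %}

# =============================================================================
# FILTERS: Add metadata for Graylog categorization
# =============================================================================
# Every tag must end up with a `host` field: the OUTPUT below uses it as the
# GELF host (Gelf_Host_Key). source/log_type are free-form stream selectors.
[FILTER]
    Name   record_modifier
    Match  podman.*
    Record host {{ ansible_hostname }}
    Record source podman
    Record log_type container

[FILTER]
    Name   record_modifier
    Match  ssh.*
    Record host {{ ansible_hostname }}
    Record source sshd
    Record log_type security

# Copy msg to MESSAGE for caddy logs (GELF requires MESSAGE)
[FILTER]
    Name  modify
    Match caddy.*
    Copy  msg MESSAGE

[FILTER]
    Name   record_modifier
    Match  caddy.*
    Record host {{ ansible_hostname }}
    Record source caddy
    Record log_type access

# Filter kernel logs to only keep ZOMBOID_CONN messages
# (unanchored regex: any kernel line containing ZOMBOID_CONN is kept)
[FILTER]
    Name  grep
    Match firewall.zomboid
    Regex MESSAGE ZOMBOID_CONN

[FILTER]
    Name   record_modifier
    Match  firewall.zomboid
    Record host {{ ansible_hostname }}
    Record source firewall
    Record log_type zomboid_connection

# =============================================================================
# OUTPUT: All logs to Graylog GELF UDP
# =============================================================================
# Graylog needs a GELF UDP input configured on port 12203.
# UDP is fire-and-forget (no delivery acknowledgement); acceptable on loopback,
# but sustained bursts can drop records silently.
[OUTPUT]
    Name                   gelf
    Match                  *
    Host                   127.0.0.1
    Port                   12203
    Mode                   udp
    Gelf_Short_Message_Key MESSAGE
    Gelf_Host_Key          host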