Introduction
This guide explains how to configure Fluent Bit to forward only Audit Logs from Terraform Enterprise to an external destination, such as Amazon CloudWatch.
Prerequisites
Before you begin, you must enable log forwarding in your Terraform Enterprise instance. Refer to the official documentation on Terraform Enterprise log forwarding for instructions.
Procedure
To isolate and forward only the audit logs, you must modify your fluent-bit.conf file to include a filter that rewrites the tag for audit log entries.
- Update your fluent-bit.conf file with the following [FILTER] and [OUTPUT] configuration.

      [FILTER]
          Name rewrite_tag
          Match tfe_all
          # Retag entries whose message starts with "[Audit Log]"; "true" keeps the original record under tfe_all.
          Rule $message ^\[Audit\sLog\] tfe_audit true

      [OUTPUT]
          Name cloudwatch_logs
          # Only records carrying the tfe_audit tag reach this output.
          Match tfe_audit
          log_stream_name fluent-bit-cloudwatch
          log_group_name hoalt-test
          region ap-southeast-1
          log_format json/emf
          auto_create_group false

- Restart the Fluent Bit service to apply the changes.
Note: The [FILTER] section uses a rewrite_tag filter to match log entries that start with [Audit Log] and retags them as tfe_audit. The [OUTPUT] section is configured to only match the tfe_audit tag, ensuring that only audit logs are sent to the destination. You must customize the [OUTPUT] section with your own configuration details for the desired external destination.
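The retag-then-match routing described in the note, modelled in Python as an added example (not part of the original guide or of Fluent Bit) so a rule can be checked against sample entries before it is deployed. Python's `re` stands in for Fluent Bit's regex engine, `Match` is simplified to exact tag equality, and the sample records and helper names are constructed for illustration.

```python
import re

def parse_rule(rule):
    """Split a rewrite_tag Rule value: KEY REGEX NEW_TAG KEEP."""
    key, regex, new_tag, keep = rule.split()
    return key.lstrip("$"), re.compile(regex), new_tag, keep.lower() == "true"

def rewrite_tag(records, match_tag, rule):
    """Model of the [FILTER]: re-emit matching records under the new tag."""
    key, regex, new_tag, keep = parse_rule(rule)
    out = []
    for tag, record in records:
        hit = tag == match_tag and regex.search(str(record.get(key, "")))
        if hit:
            out.append((new_tag, record))
        if not hit or keep:
            # KEEP=true leaves the original record under its old tag as well.
            out.append((tag, record))
    return out

def delivered(records, output_match):
    """Model of the [OUTPUT] Match: only records with this tag are shipped."""
    return [record for tag, record in records if tag == output_match]

# Constructed sample records (assumed shape: one "message" field per entry).
SAMPLE = [
    ("tfe_all", {"message": '[Audit Log] {"resource":"workspace","action":"create"}'}),
    ("tfe_all", {"message": "[INFO] run queued"}),
    ("tfe_all", {"message": "[Audit Log]"}),
    ("tfe_all", {"message": "note: [Audit Log] appears mid-line"}),
]

# Start-anchored rule: any message beginning with the marker is retagged.
PREFIX_RULE = r"$message ^\[Audit\sLog\] tfe_audit true"
# End anchor directly after the marker: only a message that is exactly the marker.
EXACT_RULE = r"$message ^\[Audit\sLog\]$ tfe_audit true"

def shipped_messages(rule):
    """Messages that would reach the output matching tfe_audit."""
    routed = rewrite_tag(SAMPLE, "tfe_all", rule)
    return [r["message"] for r in delivered(routed, "tfe_audit")]

if __name__ == "__main__":
    for name, rule in (("prefix", PREFIX_RULE), ("exact", EXACT_RULE)):
        print(name, shipped_messages(rule))
```
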