Here's my Fluentd config for splitting agent logs to different SIEM endpoints. Key points:
* Agent events are tagged by source (k8s_audit, container_runtime, falco_events).
* Each tag pattern routes to a specific SIEM output plugin.
* Buffer configuration is critical for reliability.
```xml
# <match> and <buffer> sections restored around the parameters above.
# The Splunk pattern follows the token name (SPLUNK_HEC_K8S_TOKEN); the
# other two patterns follow the order of the tags listed above.
<match k8s_audit.**>
  @type splunk_hec
  host splunk.enterprise.internal
  port 8088
  token "#{ENV['SPLUNK_HEC_K8S_TOKEN']}"
  <buffer>
    @type file
    path /var/log/fluent/splunk-buffer
    flush_interval 5s
  </buffer>
</match>

<match container_runtime.**>
  @type elasticsearch
  host elastic.enterprise.internal
  port 9200
  logstash_format true
  <buffer>
    @type file
    path /var/log/fluent/elastic-buffer
    flush_interval 2s
  </buffer>
</match>

<match falco_events.**>
  @type http
  endpoint https://chronicle.enterprise.internal/ingestion/events
  headers {"X-Chronicle-Token":"#{ENV['CHRONICLE_TOKEN']}"}
  <buffer>
    @type file
    path /var/log/fluent/chronicle-buffer
    flush_interval 1s
  </buffer>
</match>
```
Run Fluentd with a read-only rootfs and drop caps. Mount buffer paths as volumes.
```dockerfile
USER nobody
```
/root
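Added example, not part of root's post: a Python check of a Kubernetes pod spec against the hardening points above (read-only rootfs, dropped capabilities, buffer paths backed by writable volumes), plus runAsNonRoot and allowPrivilegeEscalation since those go with `USER nobody`. The pod spec and the buffer path list are constructed for the example; the check walks the manifest as a plain dict, so no Kubernetes client is needed. The second container is deliberately wrong to show what the findings look like.

```python
"""Check a Kubernetes pod spec for the hardening the post describes:
read-only rootfs, dropped capabilities, non-root user, and a writable
volume behind every Fluentd buffer path (a read-only rootfs with no
volume under the buffer path makes the file buffer fail at startup)."""

# Constructed pod spec, not the poster's manifest. The second container is
# deliberately wrong: it adds a capability, may run as root, and mounts
# the buffer volume read-only.
SAMPLE_POD = {
    "spec": {
        "volumes": [{"name": "buffers", "emptyDir": {}}],
        "containers": [
            {
                "name": "fluentd",
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "runAsNonRoot": True,
                    "allowPrivilegeEscalation": False,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [{"name": "buffers", "mountPath": "/var/log/fluent"}],
            },
            {
                "name": "fluentd-sidecar",
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]},
                },
                "volumeMounts": [
                    {"name": "buffers", "mountPath": "/var/log/fluent", "readOnly": True}
                ],
            },
        ],
    }
}

# Buffer paths taken from the config in the post.
BUFFER_PATHS = [
    "/var/log/fluent/splunk-buffer",
    "/var/log/fluent/elastic-buffer",
    "/var/log/fluent/chronicle-buffer",
]


def _under(path, mount_path):
    """True if `path` is `mount_path` itself or lies below it."""
    mount_path = mount_path.rstrip("/")
    return mount_path == "" or path == mount_path or path.startswith(mount_path + "/")


def check_container(container, buffer_paths):
    """Return a list of findings for one container spec (empty means clean)."""
    findings = []
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    if sc.get("readOnlyRootFilesystem") is not True:
        findings.append("rootfs is writable")
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not set")
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation is not disabled")
    if "ALL" not in caps.get("drop", []):
        findings.append("capabilities are not dropped")
    if caps.get("add"):
        findings.append("adds capabilities: " + ",".join(caps["add"]))
    # Only mounts that are not readOnly can hold a file buffer.
    writable = [m["mountPath"] for m in container.get("volumeMounts", [])
                if not m.get("readOnly", False)]
    for path in buffer_paths:
        if not any(_under(path, mp) for mp in writable):
            findings.append(f"no writable volume under buffer path {path}")
    return findings


def check_pod(pod, buffer_paths=BUFFER_PATHS):
    """Map each container name to its findings."""
    return {c["name"]: check_container(c, buffer_paths)
            for c in pod["spec"]["containers"]}


if __name__ == "__main__":
    for name, findings in check_pod(SAMPLE_POD).items():
        print(name, "OK" if not findings else findings)
```

The buffer-path check is the one people forget: with `readOnlyRootFilesystem: true` and no volume under `/var/log/fluent`, Fluentd cannot create its chunk files and the outputs never start.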
Looks like a solid config for the routing logic, and good call on the buffer flush intervals for different destinations.
Two things you didn't mention:
* You're showing tokens in the config snippet, even if they're ENV vars. Redact that stuff before posting.
* The `@type http` output for Chronicle - you'll want a `retry` section on that one. Their ingestion endpoints can get flaky. Ask me how I know.
Also, the read-only rootfs and dropped caps are the right move.
/pierre
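Added example, not from either post: a small Python linter that covers both points raised in the thread, file-backed buffers on every remote output (root's third bullet) and retry settings plus no literal credentials (pierre's two notes). In Fluentd, retry behaviour is configured with the `retry_*` parameters inside `<buffer>` (`retry_type`, `retry_max_interval`, `retry_forever`, `retry_timeout`, `retry_max_times`), so that is what the check looks for. The sample config is constructed; the parser handles only the syntax used here (nested sections, `key value` lines, `#` comments), not `@include` or multi-line values.

```python
"""Lint a Fluentd config for the points raised in the thread: every
<match> output has a file-backed <buffer> with retry_* settings, and
credentials are ENV references rather than literals."""
import re

# Constructed sample config, not the poster's file. The Chronicle output
# deliberately uses a memory buffer, no retry settings, and a literal token.
SAMPLE_CONFIG = """
<match k8s_audit.**>
  @type splunk_hec
  host splunk.enterprise.internal
  port 8088
  token "#{ENV['SPLUNK_HEC_K8S_TOKEN']}"
  <buffer>
    @type file
    path /var/log/fluent/splunk-buffer
    flush_interval 5s
    retry_type exponential_backoff
    retry_max_interval 30s
    retry_forever true
  </buffer>
</match>

<match falco_events.**>
  @type http
  endpoint https://chronicle.enterprise.internal/ingestion/events
  headers {"X-Chronicle-Token":"abcd1234-LITERAL-TOKEN"}
  <buffer>
    @type memory
    flush_interval 1s
  </buffer>
</match>
"""

SECTION_OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
ENV_REF = re.compile(r"#\{ENV\[")

# Parameter names that carry credentials in the plugins used in the thread.
CREDENTIAL_KEYS = ("token", "password", "api_key", "headers")
RETRY_KEYS = ("retry_type", "retry_max_interval", "retry_forever",
              "retry_timeout", "retry_max_times")


def parse(text):
    """Minimal Fluentd config parser. Returns a tree of nodes shaped
    {'name', 'arg', 'params', 'children'}; the root node has name 'root'."""
    root = {"name": "root", "arg": None, "params": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            node = {"name": m.group(1), "arg": m.group(2), "params": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            if stack[-1]["name"] != m.group(1):
                raise ValueError(f"unbalanced section </{m.group(1)}>")
            stack.pop()
            continue
        key, _, value = line.partition(" ")
        stack[-1]["params"][key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unclosed section <{stack[-1]['name']}>")
    return root


def lint(text):
    """Return one finding string per problem, in config order."""
    findings = []
    for match in (c for c in parse(text)["children"] if c["name"] == "match"):
        tag, plugin = match["arg"], match["params"].get("@type")
        buffers = [c for c in match["children"] if c["name"] == "buffer"]
        if not buffers:
            findings.append(f"{tag}: {plugin} output has no <buffer>")
        for buf in buffers:
            if buf["params"].get("@type") != "file":
                findings.append(f"{tag}: buffer is not @type file (lost on restart)")
            if not any(k in buf["params"] for k in RETRY_KEYS):
                findings.append(f"{tag}: buffer has no retry_* settings")
        for key, value in match["params"].items():
            if key in CREDENTIAL_KEYS and not ENV_REF.search(value):
                findings.append(f"{tag}: {key} is a literal, not an ENV reference")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the real file before posting it anywhere; the credential check is exactly the "redact before posting" step, automated.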