---
# Turnstone Harvester — sources.example.yaml
#
# Template for the harvester's source list: copy it to sources.yaml and
# point each path at the real file on your system. The harvester reads
# that file and POSTs each listed log file to Turnstone.
#
# Every entry needs:
#   id:   Short identifier (used as source_id in Turnstone)
#   path: Absolute path to the log file on the host
#
# Operational notes:
#   - Every path listed here leaves the host in a POST to Turnstone, and
#     logs routinely carry usernames, internal hostnames, IP addresses and
#     the occasional token. List only the files you intend to ship.
#   - Whoever can edit sources.yaml chooses which host files get uploaded,
#     so keep it writable by its owner only.
#   - The harvester needs read access to each path. Granting its service
#     account group read on the specific logs is narrower than running it
#     as root (on Debian/Ubuntu /var/log/syslog is typically group "adm").

sources:
  # System journal. Export with:
  #   journalctl -o json-pretty > /var/log/journal-export.jsonl
  # The redirect writes a one-time snapshot, and the export should stay as
  # restricted as the journal itself.
  # NOTE(review): json-pretty writes multi-line objects, while `-o json`
  # writes one object per line (the usual meaning of .jsonl) — confirm
  # which form Turnstone expects.
  # - id: system-journal
  #   path: '/var/log/journal-export.jsonl'

  # Syslog
  - id: syslog
    path: '/var/log/syslog'

  # Docker daemon log
  # - id: docker
  #   path: '/var/log/docker.log'

  # Podman events (rootful)
  # - id: podman
  #   path: '/var/log/podman-events.log'

  # Caddy access log
  # - id: caddy
  #   path: '/var/log/caddy/access.log'

  # Arr stack — adjust container paths to match your setup
  # - id: sonarr
  #   path: '/opt/sonarr/config/logs/sonarr.0.txt'
  # - id: radarr
  #   path: '/opt/radarr/config/logs/radarr.0.txt'
  # - id: prowlarr
  #   path: '/opt/prowlarr/config/logs/prowlarr.0.txt'

  # qBittorrent
  # - id: qbittorrent
  #   path: '/opt/qbittorrent/config/data/logs/qbittorrent.log'

  # Jellyfin
  # - id: jellyfin
  #   path: '/opt/jellyfin/log/jellyfin.log'

  # Wazuh SIEM — alerts.json on the Wazuh manager.
  # Turnstone auto-detects this format; source_id is qualified per agent
  # automatically. alerts.json is normally readable only by the Wazuh
  # service user/group, so the harvester account needs that group (verify
  # ownership on your manager).
  # For push-based ingestion from Wazuh custom integrations, use:
  #   POST /api/ingest/wazuh/alert  (single alert JSON body)
  # - id: wazuh
  #   path: '/var/ossec/logs/alerts/alerts.json'