configpolicy/roles/fluent-bit/files/fluent-bit.service

[Unit]
Description=Fluent Bit
Documentation=https://docs.fluentbit.io/manual/
After=network.target
StartLimitIntervalSec=5
StartLimitBurst=5

[Service]
Type=exec
ExecStart=/usr/bin/fluent-bit -c /etc/fluent-bit/fluent-bit.yml -Y
ExecReload=/bin/kill -HUP $MAINPID
Environment=HOSTNAME=%H
StateDirectory=fluent-bit
Restart=always
RestartSec=1
BindPaths=%S/fluent-bit
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadOnlyPaths=/var/log
ReadWritePaths=%S/fluent-bit
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallArchitectures=native
TemporaryFileSystem=%S:ro

[Install]
WantedBy=multi-user.target