Docker_Loki/config.alloy at main · LivTel/Docker_Loki · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
// debug is genuinely useful in trying to understand parsing, but can be problematically verbose.
// For example, every single line produces a message when it does not match the stage.replace processes.
// That means messages for virtually every single line ingested, since nearly no lines ever match those replace commands.
// Only use for genuine debug. it is too much for 'watching for errors'
logging {
	//level  = "debug"
	level  = "info"
	format = "logfmt"
}


// Read specific files, without wild card globbing.
//loki.source.file "vlm" {
//  targets    = [
//    {__path__ = "/var/log/syslog", "color" = "pink"},
//    {__path__ = "/var/log/syslog.2", "color" = "blue"},
//    {__path__ = "/var/log/syslog.3", "color" = "green"}
//  ]
//  forward_to = [loki.write.local.receiver]
//}


// Create a list of files using wild cards
//
// SUPER IMPORTANT ---- Remember to set the year in stage.template as well.
//
local.file_match "vlm" {
  path_targets = [
    {__path__ = "/loki/vlm/messages.??????"},
    //{__path__ = "/loki/vlm/2023/messages.??????"},
    //{__path__ = "/loki/vlm/2022/messages.2022"},
  ]
  sync_period = "10s"
}

loki.source.file "vlm" {
  targets    = local.file_match.vlm.targets
  forward_to = [loki.process.vlm.receiver]		// Run the process first, before sending to Loki
  //decompression {					// Uncomment decompression to read gzipped logs
  //  enabled = true
  //  initial_delay = "60s"
  //  format = "gz"
  //}
}


// Rules for parsing the log file before sending to the Loki writer
loki.process "vlm" {
  forward_to = [loki.write.local.receiver]		// Where to send data after runnign the process

  // process is a sequential pipeline, run in the order the stages are defined.
  // First couple of stages modify individual log messages. Mainly it is fixing individual idiosyncratic messages to make
  // 	them match the common format of all the other messages.
  // Next we run the regex that does the bulk of the parsing. This effectively tokenizes the log message.
  // Next we tell Alloy how to treat each token. E.g., defining date format so it can interpret the timestamp.
  // Finall the processed log line is passed to the forward_to receiver defined above.

  // Replace any [1234] with [xxx]
  // This is to get rid of sshd[1234] and bootp[1234], but keep Agn[pollsafe]
  stage.replace {
    expression = "\\[([0-9]+?)\\]:"
    replace = "xxx"
  }

  // annexswitch logs are different format to everything else. Fix them. Basically I just have to add an extra column for processname
  // At log==debug, this thows a message for every single line that does not match, which is virtually all of them!
  stage.replace {
    expression = "annexswitch.lt.com ( )"
    replace = "annexswitch: "
  }

  // This is the main parser that defines and tokenizes the format of our log lines
  stage.regex {
      // Note necessity to say \\S where we want \S in the REGEX
      expression = "^(?s)(?P<vlmmonth>\\S+?) +(?P<vlmday>\\S+?) (?P<vlmtime>\\S+?) (?P<node>\\S+?) (?P<process>\\S+?) (?P<content>.*)$"
      // Following ignores [] after process. Good for sshd[1234] but bad for Agn[pollsafe]
      //^(?s)(?P<month>\S+?) +(?P<day>\S+?) (?P<time>\S+?) (?P<node>\S+?) (?P<process>[^ :\[]+)\S+? (?P<content>.*)$
      // Following should ignore numbers in sshd[1234] but still include Agn[pollsafe] as a process label
      //^(?s)(?P<month>\S+?) +(?P<day>\S+?) (?P<time>\S+?) (?P<node>\S+?) (?P<process>((?!\[[0-9]+\])\S)+)\S+? (?P<content>.*)$
  }

  // Make the tokens we extracted in the regex into labels that will be used by Loki to index the file.
  // This makes node and process into labels. You could rename them here if you wanted labels other than 'node' and 'process'.
  stage.labels {
    values = {
      node = "",
      process = "",
    }
  }

  // Date format
  // First use template to make a new token called datetime by glueing together date and time tokens from the log line.
  // You could also modify the stage.regex to get the entire timestamp in one shot.
  // Hard coded 2025 because year is not in var-log-messages.
  // We need to do this to ingest old log files. Not tested, but I wonder if Alloy will default to 'this year' if the year is not specified.
  // If that is the case then we can drop the "2025" out of here and assume that all new logs ingested are current. TBD.
  // Then define the date format so Alloy can read it.
  stage.template {
    source = "datetime"
    template = "2025 {{.vlmmonth}} {{.vlmday}} {{.vlmtime}} UTC"
  }
  stage.timestamp {
    source = "datetime"
    format = "2006 Jan 2 15:04:05 MST"
  }

  // We do not want to ignore old logs. We want everything. But this is how you would do it.
  // See also reject_old_samples in the loki config yaml
  //stage.drop {
  //  older_than = '1y"
  //  drop_counter_reason = "too old"
  //}

}

loki.write "local" {
  endpoint {
    //url = "http://150.204.240.157:3100/api/v1/push"			// explicit IP number
    url = "http://loki:3100/loki/api/v1/push"				// using the loki interprocess network defined in Docker compose
  }
}

// Should be able to see this on http://127.0.0.0:12345. Not got it to work myself.
livedebugging {
  enabled = true
}