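---
# Promtail agent configuration: receives syslog over TCP, parses haproxy,
# nginx and postfix lines with regex pipeline stages, and ships them to Loki.
# Indentation in this file is significant; the original was flattened to
# column 0 and is rebuilt here with the nesting Promtail expects.

server:
  http_listen_port: 9080

positions:
  # Tracks read offsets. /tmp is world-writable and may be cleared on reboot;
  # a dedicated path under the agent's own directory is the safer default.
  filename: /tmp/positions.yaml

clients:
  - url: http://loki:3100/loki/api/v1/push

scrape_configs:
  - job_name: syslog
    syslog:
      # Binds all interfaces on TCP 601 with no TLS configured in this file,
      # so any host that can reach the port can submit log lines. Restrict
      # reachability (firewall / network policy) or add tls_config.
      listen_address: "0.0.0.0:601"
      idle_timeout: 60s
      # Canonical boolean; the original "yes" only parses as true under
      # YAML 1.1 semantics.
      label_structured_data: true
      labels:
        job: "syslog"
    relabel_configs:
      - source_labels: [__syslog_message_hostname]
        target_label: hostname
      - source_labels: [__syslog_message_severity]
        target_label: severity
      - source_labels: [__syslog_message_app_name]
        target_label: app_name
      - source_labels: [__syslog_message_facility]
        target_label: facility
      - source_labels: [__syslog_connection_hostname]
        target_label: connection_hostname
    # Note on the labels stages below: a bare `key:` (YAML null) is the
    # Promtail convention for "promote the extracted field of the same name".
    # Several promoted fields (remote_addr, endpoint, referrer, user_agent,
    # forwarded_addr, bytes) are high-cardinality and partly sender-controlled;
    # as Loki index labels they can balloon the index. Consider leaving them
    # as extracted fields and filtering at query time instead.
    pipeline_stages:
      # haproxy: lines that reached a backend (full HTTP request fields).
      - match:
          selector: '{app_name="haproxy",severity="informational"} |= "_backend"'
          stages:
            - regex:
                expression: '(?P<remote_addr>[0-9.]+):(?P<remote_port>[0-9]+) \[(?P<timestamp>.+)] (?P<nickname>[a-z0-9]+)_(?P<frontend>[a-z~]+) (?P<backend>[a-z0-9]+)_backend\/(?P<server>[<>A-Za-z0-9]+) [-0-9\/]+ (?P<status>[-0-9]+) (?P<bytes>[0-9]+) .* "(?P<method>[A-Z]+) (?P<endpoint>.*) (?P<protocol>HTTP\/[0-3.]+)"'
            - labels:
                remote_addr:
                nickname:
                frontend:
                backend:
                server:
                status:
                bytes:
                method:
                endpoint:
                protocol:
      # haproxy: lines without a backend (connection-level entries only).
      - match:
          selector: '{app_name="haproxy",severity="informational"} != "_backend"'
          stages:
            - regex:
                expression: '(?P<remote_addr>[0-9.]+):(?P<remote_port>[0-9]+) \[(?P<timestamp>.+)] (?P<nickname>[a-z0-9]+)_(?P<frontend>[a-z~]+)'
            - labels:
                remote_addr:
                nickname:
                frontend:
      # nginx: well-formed request lines with a recognised HTTP method.
      # forwarded_addr comes from a client-supplied header; treat remote_addr
      # as the authoritative peer unless a trusted proxy sets the header.
      - match:
          selector: '{app_name="nginx",severity="informational"} |~ "\"(GET|HEAD|PUT|POST|PATCH|DELETE|CONNECT|OPTIONS|TRACE)"'
          stages:
            - regex:
                expression: '(?P<remote_addr>[^-]+) - (?P<remote_user>[^[]+) \[(?P<timestamp>.+)] "(?P<method>[A-Z]+) (?P<endpoint>.*) (?P<protocol>HTTP\/[0-3.]+)" (?P<status>[0-9]+) (?P<bytes>[0-9]+) "(?P<referrer>[^"]+)" "(?P<user_agent>[^"]+)" "(?P<forwarded_addr>[^"]+)"'
            - labels:
                remote_addr:
                method:
                endpoint:
                protocol:
                status:
                bytes:
                referrer:
                user_agent:
                forwarded_addr:
      # nginx: malformed or non-HTTP request lines. The regex here captures
      # no method/protocol group, so those two labels (present in the
      # original) could never be set and are omitted.
      - match:
          selector: '{app_name="nginx",severity="informational"} !~ "\"(GET|HEAD|PUT|POST|PATCH|DELETE|CONNECT|OPTIONS|TRACE)"'
          stages:
            - regex:
                expression: '(?P<remote_addr>[^-]+) - (?P<remote_user>[^[]+) \[(?P<timestamp>.+)] "(?P<endpoint>.*)" (?P<status>[0-9]+) (?P<bytes>[0-9]+) "(?P<referrer>[^"]+)" "(?P<user_agent>[^"]+)" "(?P<forwarded_addr>[^"]+)"'
            - labels:
                remote_addr:
                endpoint:
                status:
                bytes:
                referrer:
                user_agent:
                forwarded_addr:
      # postfix: inbound SMTP connection opened.
      - match:
          selector: '{app_name="postfix"} |= ": connect"'
          stages:
            - regex:
                expression: '(?P<timestamp>[A-Za-z0-9: ]+) (?P<nickname>[a-z0-9]+) postfix/(?P<server>[a-z]+)\[(?P<pid>[0-9]+)]: connect from (?P<remote_host>[^[]+)\[(?P<remote_addr>.*)]'
            - labels:
                nickname:
                server:
                remote_host:
                remote_addr:
      # postfix: inbound SMTP connection closed, with the command summary.
      - match:
          selector: '{app_name="postfix"} |= ": disconnect"'
          stages:
            - regex:
                expression: '(?P<timestamp>[A-Za-z0-9: ]+) (?P<nickname>[a-z0-9]+) postfix/(?P<server>[a-z]+)\[(?P<pid>[0-9]+)]: disconnect from (?P<remote_host>[^[]+)\[(?P<remote_addr>.+)] (?P<commands>.*)'
            - labels:
                nickname:
                server:
                remote_host:
                remote_addr:
                commands: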