server: disable: true positions: filename: /var/opt/promtail/promtail_base_position.yaml clients: - url: http://<%= @LOKIENDPOINT %>/loki/api/v1/push scrape_configs: - job_name: apt static_configs: - targets: - localhost labels: job: apt hostname: <%= @HOSTNAME %> level: notice __path__: /var/log/apt/history.log - job_name: sudo static_configs: - targets: - localhost labels: job: sudo hostname: <%= @HOSTNAME %> __path__: /var/log/auth.log pipeline_stages: - match: selector: '{job="sudo"} |~ "(CRON|sshd|session|securetty|systemd-logind|/bin/sh)"' action: drop - match: selector: '{job="sudo"} !~ "/bin/sh"' stages: - regex: expression: '^(?P\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P[^ ]+) : TTY=(?P[^ ]+) ; PWD=(?P[^ ]+) ; USER=(?P[^ ]+) ; COMMAND=(?P.+)$' - timestamp: source: timestamp format: Jan 2 15:04:05 location: Asia/Tokyo - template: source: message template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}' - template: source: level template: 'notice' - labels: level: - output: source: message - job_name: sshd static_configs: - targets: - localhost labels: job: sshd hostname: <%= @HOSTNAME %> level: info __path__: /var/log/auth.log pipeline_stages: - match: selector: '{job="sshd"} |~ "(CRON|sudo|session)"' action: drop - match: selector: '{job="sshd"}' stages: - regex: expression: '^(?P\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^:]+: (?P.+)$' - timestamp: source: timestamp format: Jan 2 15:04:05 location: Asia/Tokyo - output: source: message - job_name: supervisord static_configs: - targets: - localhost labels: job: supervisord hostname: <%= @HOSTNAME %> level: notice __path__: /var/log/supervisor/supervisord.log pipeline_stages: - match: selector: '{job="supervisord"}' stages: - regex: expression: '^(?P[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ (?P[^ ]+) (?P.+)$' - timestamp: source: timestamp format: 2006-01-02 15:04:05 location: Asia/Tokyo - template: source: level template: '{{ ToLower .level }}' - template: source: level template: '{{ regexReplaceAllLiteral "warn" .Value "warning" }}' - template: source: level template: '{{ regexReplaceAllLiteral "crit" .Value "critical" }}' - labels: level: - output: source: message - job_name: fail2ban static_configs: - targets: - localhost labels: job: fail2ban hostname: <%= @HOSTNAME %> level: info __path__: /var/log/fail2ban.log pipeline_stages: - match: selector: '{job="fail2ban"} !~ "already banned"' stages: - regex: expression: '^(?P[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ [^:]+: (?P[^ ]+)[^\[]+(?P.+)$' - timestamp: source: timestamp format: 2006-01-02 15:04:05 location: Asia/Tokyo - template: source: level template: '{{ ToLower .level }}' - labels: level: - output: source: message - match: selector: '{job="fail2ban"} |~ "already banned"' stages: - regex: expression: '^(?P[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ [^:]+: (?P[^ ]+)[^\[]+(?P.+)$' - timestamp: source: timestamp format: 2006-01-02 15:04:05 location: Asia/Tokyo - output: source: message - job_name: promtail static_configs: - targets: - localhost labels: job: promtail hostname: <%= @HOSTNAME %> __path__: /var/log/promtail.log pipeline_stages: - match: selector: '{job="promtail"}' stages: - drop: expression: 'entry out of order' - regex: expression: '^[^ ]+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+ [^ ]+ promtail[^ ]+ .*ts=(?P[^ ]+) (?P.+)$' - timestamp: source: timestamp format: 2006-01-02T15:04:05.999999999Z location: Etc/GMT - regex: expression: '^[^ ]+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+ [^ ]+ promtail[^ ]+ .*level=(?P[^\\" ]+).*$' - template: source: level template: '{{ regexReplaceAllLiteral "warn" .Value "warning" }}' - labels: level: - output: source: message - job_name: login journal: json: false max_age: 12h path: /var/log/journal labels: job: login level: notice hostname: <%= @HOSTNAME %> relabel_configs: - action: keep regex: 'systemd-logind.service' source_labels: - __journal__systemd_unit - job_name: init journal: json: false max_age: 12h path: /var/log/journal labels: job: init hostname: <%= @HOSTNAME %> pipeline_stages: - match: selector: '{job="init"} |~ "(apt|Message of the Day|motd-news|Temporary Directories|man-db|fwupd|Firmware update daemon|systemd-tmpfiles-clean.service|Rotate log files|logrotate.service|[Pp]ackage[Kk]it|/run/dbus/system_bus_socket|[Ss]nap|lxd|Reloading|Mount unit|ext4 Metadata|e2scrub_all.service|docker|tmp-sanity|libcontainer container)"' stages: - template: source: level template: 'info' - labels: level: - match: selector: '{job="init"} !~ "(apt|Message of the Day|motd-news|Temporary Directories|man-db|fwupd|Firmware update daemon|systemd-tmpfiles-clean.service|Rotate log files|logrotate.service|[Pp]ackage[Kk]it|/run/dbus/system_bus_socket|[Ss]nap|lxd|Reloading|Mount unit|ext4 Metadata|e2scrub_all.service|docker|tmp-sanity|libcontainer container)"' stages: - template: source: level template: 'notice' - labels: level: relabel_configs: - action: keep regex: 'init\.scope' source_labels: - __journal__systemd_unit - job_name: systemd journal: json: false max_age: 12h path: /var/log/journal labels: job: systemd level: info hostname: <%= @HOSTNAME %> pipeline_stages: - match: selector: '{job="systemd"} !~ "(temperature|nf_conntrack)"' stages: - drop: expression: (CMD|UFW|session|TTY) - match: selector: '{job="systemd"} |~ "nf_conntrack"' stages: - template: source: level template: 'error' - labels: level: - match: selector: '{job="systemd"} |~ "temperature"' stages: - regex: expression: '^(?P.+)$' - template: source: level template: '{{ .message }}' - template: source: level template: '{{ regexReplaceAllLiteral ".*normal.*" .Value "notice" }}' - template: source: level template: '{{ regexReplaceAllLiteral ".*temperature.*" .Value "error" }}' - labels: level: - output: source: message relabel_configs: - source_labels: ['__journal__systemd_unit'] target_label: 'unit' - action: drop regex: '.*(cron|supervisor|ssh|promtail|local|grafana|motd|dnsmasq|snapd|logind|init|session|loki|monit|consul).*' source_labels: - __journal__systemd_unit - job_name: consul static_configs: - targets: - localhost labels: job: consul hostname: <%= @HOSTNAME %> level: info __path__: /var/log/consul/consul-*.log pipeline_stages: - match: selector: '{job="consul"}' stages: - regex: expression: '^(?P\d+-\d+-[^T]+T\d+:\d+:\d+\.\d+\+\d+) \[(?P[^\]]+)\] *(?P.+)$' - timestamp: source: timestamp format: 2006-01-02T15:04:05.000-0700 - template: source: level template: '{{ ToLower .level }}' - template: source: level template: '{{ regexReplaceAllLiteral "warn" .Value "warning" }}' - template: source: level template: '{{ regexReplaceAllLiteral "crit" .Value "critical" }}' - labels: level: - output: source: message - job_name: unattended-upgrades static_configs: - targets: - localhost labels: job: unattended-upgrades hostname: <%= @HOSTNAME %> level: notice __path__: /var/log/unattended-upgrades/unattended-upgrades.log pipeline_stages: - match: selector: '{job="unattended-upgrades"}' stages: - regex: expression: '^(?P\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P[^ ]+) (?P.+)$' - timestamp: source: timestamp format: 2006-01-02 15:04:05 location: Asia/Tokyo - output: source: message