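# Promtail configuration, shipped as an ERB template: every `<%= ... %>`
# placeholder is rendered to text first, and only then is the result parsed
# as YAML. Templated scalars are therefore quoted so that an empty or
# boolean-looking expansion cannot change the YAML type.
#
# NOTE(review): the names inside every `(?P<...>` named capture below were
# stripped when this page was extracted (the `<name>` part was read as an
# HTML tag). Names the pipeline itself references have been restored:
# `source: timestamp`, `source: level`, `output: source: message`, and the
# `{{ .pwd }}` / `{{ .cmd }}` template fields. The remaining three groups in
# the sudo regex are marked `*_GROUP_NAME_LOST` and must be taken from the
# original file (the sudo template also references `{{ .user }}`, which is
# one of them). Go's regexp rejects a bare `(?P` without a name, so an
# unrestored placeholder fails at start-up rather than silently mis-parsing.
---
server:
  disable: true

positions:
  filename: /var/opt/promtail/promtail_base_position.yaml

clients:
  # Plain HTTP: auth.log content (user names, sudo commands, working
  # directories) leaves the host unencrypted and unauthenticated. Prefer
  # https:// plus basic_auth / bearer_token when the Loki endpoint offers it.
  - url: "http://<%= @LOKIENDPOINT %>/loki/api/v1/push"

scrape_configs:
  - job_name: apt
    static_configs:
      - targets:
          - localhost
        labels:
          job: apt
          hostname: "<%= @HOSTNAME %>"
          level: notice
          __path__: /var/log/apt/history.log

  # The sudo and sshd jobs both tail /var/log/auth.log. Promtail keys its
  # positions file by path, so two targets on one file presumably share a
  # position entry — confirm on a running instance that neither job loses or
  # duplicates lines.
  - job_name: sudo
    static_configs:
      - targets:
          - localhost
        labels:
          job: sudo
          hostname: "<%= @HOSTNAME %>"
          level: notice
          __path__: /var/log/auth.log
    pipeline_stages:
      - match:
          selector: '{job="sudo"}'
          stages:
            # Unanchored substring match: any line containing CRON, sshd or
            # a pam "session" open/close is discarded before parsing.
            - drop:
                expression: (CRON|sshd|session)
            - regex:
                expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^ ]+ sudo: +(?P<USER_GROUP_NAME_LOST>[^ ]+) : TTY=(?P<TTY_GROUP_NAME_LOST>[^ ]+) ; PWD=(?P<pwd>[^ ]+) ; USER=(?P<RUNAS_GROUP_NAME_LOST>[^ ]+) ; COMMAND=(?P<cmd>.+)$'
            # Syslog timestamps carry no year; the stage's output is therefore
            # only as good as promtail's year inference for this format.
            - timestamp:
                source: timestamp
                format: Jan 2 15:04:05
                location: Asia/Tokyo
            - template:
                source: message
                template: 'USER={{ .user }} PWD={{ .pwd }} CMD={{ .cmd }}'
            - output:
                source: message

  - job_name: sshd
    static_configs:
      - targets:
          - localhost
        labels:
          job: sshd
          hostname: "<%= @HOSTNAME %>"
          level: info
          __path__: /var/log/auth.log
    pipeline_stages:
      - match:
          selector: '{job="sshd"}'
          stages:
            - drop:
                expression: (CRON|sudo)
            - regex:
                expression: '^(?P<timestamp>\w+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+) [^:]+: (?P<message>.+)$'
            - timestamp:
                source: timestamp
                format: Jan 2 15:04:05
                location: Asia/Tokyo
            - output:
                source: message

  - job_name: supervisord
    static_configs:
      - targets:
          - localhost
        labels:
          job: supervisord
          hostname: "<%= @HOSTNAME %>"
          level: notice
          __path__: /var/log/supervisor/supervisord.log
    pipeline_stages:
      - match:
          selector: '{job="supervisord"}'
          stages:
            - regex:
                expression: '^(?P<timestamp>[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ (?P<level>[^ ]+) (?P<message>.+)$'
            - timestamp:
                source: timestamp
                format: 2006-01-02 15:04:05
                location: Asia/Tokyo
            # Normalise the extracted level so it lines up with the other
            # jobs: lower-case it, then expand the abbreviations supervisord
            # writes (WARN -> warning, CRIT -> critical). The replacements run
            # after ToLower, so they only see lower-case input.
            - template:
                source: level
                template: '{{ ToLower .level }}'
            - template:
                source: level
                template: '{{ regexReplaceAllLiteral "warn" .Value "warning" }}'
            - template:
                source: level
                template: '{{ regexReplaceAllLiteral "crit" .Value "critical" }}'
            # Empty value: promote the extracted key of the same name to a
            # label, overriding the static `level: notice` above.
            - labels:
                level:
            - output:
                source: message

  - job_name: fail2ban
    static_configs:
      - targets:
          - localhost
        labels:
          job: fail2ban
          hostname: "<%= @HOSTNAME %>"
          level: notice
          __path__: /var/log/fail2ban.log
    pipeline_stages:
      - match:
          selector: '{job="fail2ban"}'
          stages:
            - regex:
                expression: '^(?P<timestamp>[0-9]+\-[0-9]+\-[0-9]+ [0-9]+:[0-9]+:[0-9]+),[0-9]+ [^:]+: (?P<level>[^ ]+)[^\[]+(?P<message>.+)$'
            - timestamp:
                source: timestamp
                format: 2006-01-02 15:04:05
                location: Asia/Tokyo
            - template:
                source: level
                template: '{{ ToLower .level }}'
            - labels:
                level:
            - output:
                source: message

  - job_name: promtail
    static_configs:
      - targets:
          - localhost
        labels:
          job: promtail
          hostname: "<%= @HOSTNAME %>"
          __path__: /var/log/promtail.log
    pipeline_stages:
      - match:
          selector: '{job="promtail"}'
          stages:
            # promtail's own log is syslog-wrapped; the inner `ts=` field is
            # the authoritative (UTC, RFC3339Nano) timestamp.
            - regex:
                expression: '^[^ ]+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+ [^ ]+ promtail[^ ]+ .*ts=(?P<timestamp>[^ ]+) (?P<message>.+)$'
            - timestamp:
                source: timestamp
                format: 2006-01-02T15:04:05.999999999Z
                location: Etc/GMT
            # Second pass over the raw line for `level=`; single-quoted YAML,
            # so `\\` reaches the regex as a literal backslash in the class.
            - regex:
                expression: '^[^ ]+ +[0-9]+ [0-9]+:[0-9]+:[0-9]+ [^ ]+ promtail[^ ]+ .*level=(?P<level>[^\\" ]+).*$'
            - template:
                source: level
                template: '{{ regexReplaceAllLiteral "warn" .Value "warning" }}'
            - labels:
                level:
            - output:
                source: message

  - job_name: login
    journal:
      json: false
      max_age: 12h
      path: /var/log/journal
      labels:
        job: login
        level: notice
        hostname: "<%= @HOSTNAME %>"
    relabel_configs:
      # relabel regexes are fully anchored by promtail; the dot is escaped
      # for consistency with `init\.scope` below.
      - action: keep
        regex: 'systemd-logind\.service'
        source_labels:
          - __journal__systemd_unit

  - job_name: init
    journal:
      json: false
      max_age: 12h
      path: /var/log/journal
      labels:
        job: init
        level: notice
        hostname: "<%= @HOSTNAME %>"
    relabel_configs:
      - action: keep
        regex: 'init\.scope'
        source_labels:
          - __journal__systemd_unit

  - job_name: systemd
    journal:
      json: false
      max_age: 12h
      path: /var/log/journal
      labels:
        job: systemd
        level: info
        hostname: "<%= @HOSTNAME %>"
    pipeline_stages:
      - match:
          selector: '{job="systemd"}'
          stages:
            - drop:
                expression: (CMD|UFW|session|TTY)
    relabel_configs:
      - source_labels:
          - __journal__systemd_unit
        target_label: 'unit'
      # Contains-match on the unit name: short alternatives such as `ssh`,
      # `init`, `local` and `session` also silence any unit whose name merely
      # contains them, so more than the listed services may be excluded.
      - action: drop
        regex: '.*(cron|supervisor|ssh|promtail|local|grafana|motd|dnsmasq|snapd|logind|init|session|loki|monit).*'
        source_labels:
          - __journal__systemd_unit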