itamae/cookbooks/vector/templates/etc/promtail/syslog.yaml

server:
  disable: true

positions:
  filename: /var/opt/promtail/promtail_syslog_position.yaml

clients:
  - url: http://<%= @LOKIENDPOINT %>/loki/api/v1/push

scrape_configs:
  - job_name: syslog
    static_configs:
    - targets:
        - localhost
      labels:
        job: syslog
        __path__: /var/log/vector/*.log

    pipeline_stages:
    - json:
        expressions:
          appname:
          hostname:
          level: severity
          message:
          timestamp:

    - labels:
        appname:
        hostname:
        level:

    - match:
        selector: '{job="syslog", level=~"(debug|DEBUG)"}'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname=~"(storageRM|sdrsInjector)"} |= "getting state for"'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname="Hostd"} |~ "(->|IpmiIfcOpenIpmiOpen|LikewiseGetDomainJoinInfo|AddVirtualMachine: VM|Solo.HttpSvc.HTTPService|VigorCallback received fault|vim.fault.InvalidPowerState|Unable to get resource settings for a powered on VM|VigorOnlineStatusCb|N7Vmacore16TimeoutExceptionE)"'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname="smartd"} |~ "(REALLOCATED SECTOR CT below threshold)"'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname="backup.sh"} |~ "(esx.conf|Creating archive)"'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname="Rhttpproxy"} |~ "(warning rhttpproxy|->)"'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname="usbarb", level="notice"}'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new", appname="vmauthd", level="notice"}'
        action: drop

    - match:
        selector: '{job="syslog", hostname="esxi-new"}'
        stages:
        - timestamp:
            source: timestamp
            format: 2006-01-02T15:04:05.999Z
            location: Etc/GMT

        - template:
            source: level
            template: '{{ regexReplaceAllLiteral "err" .Value "error" }}'

        - labeldrop:
            - appname

        - output:
            source: message

    - match:
        selector: '{job="syslog", hostname="ubnt", appname="openvpn", level="notice"}'
        action: drop

    - match:
        selector: '{job="syslog", hostname="ubnt", appname="sudo", level="info"}'
        action: drop

    - match:
        selector: '{job="syslog", hostname="ubnt"}'
        stages:
        - timestamp:
            source: timestamp
            format: 2006-01-02T15:04:05.999Z
            location: Asia/Bangkok

        - template:
            source: level
            template: '{{ regexReplaceAllLiteral "err" .Value "error" }}'

        - labels:
            level:
            hostname:

        - labeldrop:
            - appname

        - output:
            source: message

    - match:
        selector: '{job="syslog", hostname="ds418"}'
        stages:
        - timestamp:
            source: timestamp
            format: 2006-01-02T15:04:05.999Z
            location: Asia/Bangkok

        - template:
            source: level
            template: '{{ regexReplaceAllLiteral "err" .Value "error" }}'

        - labels:
            level:
            hostname:

        - labeldrop:
            - appname

        - output:
            source: message