Hi All
I'm working with Alloy/Loki as a log collector and analysis tool for a few embedded systems I have. They are Linux based and can send UDP syslog, but don't have many configuration options.
I have got the logs sending and can see them flowing nicely into Loki now. The issue I have is that in the syslog message the hostname they declare is the same for all of them, so I can't really tell which logs are from which box.
I can see the source IP in the syslog header when I do a tcpdump, but I can't figure out how to set up Alloy to extract that IP into a label or field that I can use.
Here is my current Alloy config:

loki.source.syslog "syslog_listener_udp" {
  listener {
    address             = "0.0.0.0:514"
    protocol            = "udp"
    syslog_format       = "rfc5424"
    use_rfc5424_message = true
    labels              = { sourceip = "__syslog_connection_ip_address", protocol = "udp" }
  }
  forward_to = [loki.process.debug.receiver]
}

loki.process "debug" {
  // Drop unwanted logs
  stage.drop {
    expression = "rexec|UsePrivilegeSeparation"
  }

  // Add the static source label
  stage.static_labels {
    values = {
      source = "syslog",
    }
  }

  forward_to = [loki.write.local_loki.receiver]
}

loki.write "local_loki" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}
Here is a sample raw syslog message from tcpdump:
11:09:47.864071 IP 172.17.89.188.33554 > 172.16.20.10.syslog: SYSLOG authpriv.warning, length: 167
… .B…E…j@.>…Y…
…<84>1 2025-03-26T11:09:46.719-07:00 server COR - - - WARN security - cfdcposrequest - PASSED - HTTP REQUEST - Register ID# 0 - REMOTE IP# 192.168.31.101 - \012
So in this, the IP I want to extract, as that will be unique across all my sources, is 172.17.89.188.
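As an added example, not part of the original post, here is one way to turn the sender's connection IP into a Loki label. In Alloy the `listener` block's `labels` map only sets static labels, so the string `"__syslog_connection_ip_address"` is stored as a literal value rather than resolved. The remote address is instead exposed on every entry as the internal label `__syslog_connection_ip_address`, and internal labels (anything starting with `__`) are discarded after relabeling unless a rule copies them out. The `loki.relabel` component plus the `relabel_rules` argument of `loki.source.syslog` does that copy. The component name `syslog_sourceip` and the label name `sourceip` are my choices; the rest of the pipeline is kept as in the config above.

```alloy
// Relabel rules that copy the internal connection-IP label onto a
// normal label. loki.relabel requires forward_to; an empty list is
// fine because only its exported .rules are used here.
loki.relabel "syslog_sourceip" {
  forward_to = []

  rule {
    // Internal label set by loki.source.syslog for each received message
    // (the remote IP of the UDP sender, e.g. 172.17.89.188).
    source_labels = ["__syslog_connection_ip_address"]
    // Label name is an assumption; pick whatever fits your queries.
    target_label  = "sourceip"
  }
}

loki.source.syslog "syslog_listener_udp" {
  listener {
    address             = "0.0.0.0:514"
    protocol            = "udp"
    syslog_format       = "rfc5424"
    use_rfc5424_message = true
    // Static labels only; dynamic values must come from relabel_rules.
    labels = { protocol = "udp" }
  }

  // Apply the rules above before the entry is forwarded.
  relabel_rules = loki.relabel.syslog_sourceip.rules
  forward_to    = [loki.process.debug.receiver]
}

loki.process "debug" {
  // Drop unwanted logs
  stage.drop {
    expression = "rexec|UsePrivilegeSeparation"
  }

  // Add the static source label
  stage.static_labels {
    values = {
      source = "syslog",
    }
  }

  forward_to = [loki.write.local_loki.receiver]
}

loki.write "local_loki" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}
```

With this in place, entries from the device in the capture above carry `sourceip="172.17.89.188"` alongside `protocol="udp"` and `source="syslog"`, so each box gets its own stream even though every one of them reports the same hostname. One caveat: since the sender is identified purely by its source address, a spoofed UDP datagram can claim any `sourceip`, so treat the label as routing metadata rather than authentication.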