Grafana Alloy Syslog Labeling Issues

justintaylor9 · October 16, 2024, 12:48pm

I am having some issues converting a working Grafana Agent (static mode) config to a working Grafana Alloy config.

The following is the working Grafana Agent (static mode) config:

configs:
  - name: base
    scrape_configs:
      - job_name: syslog
        syslog:
          listen_address: localhost:1514
          labels:
            job: syslog
            service: "{{ customer.service }}"
            environment: "{{ deployment.environment }}"
        relabel_configs:
          - source_labels: [__syslog_message_hostname]
            target_label: host
          - source_labels: [__syslog_message_severity]
            target_label: level
          - source_labels: [__syslog_message_app_name]
            target_label: application
          - source_labels: [__syslog_message_facility]
            target_label: facility
          - source_labels: [__syslog_connection_hostname]
            replacement: "{{ansible_hostname}}"
            target_label: connection_hostname

This successfully scrapes the logs from the remote port configures by rsyslog and labels them in Loki.

The following Alloy config (I’ve tried several different version) is not working the same:

loki.source.syslog “remote_syslog” {
listener {
address = “0.0.0.0:1514”
labels = {
component = “loki.source.syslog”,
protocol = “tcp”,
job = “va”,
service = “{{ customer.service }}”,
environment = “{{ deployment.environment }}”,
}
}

listener {
address = “0.0.0.0:1514”
protocol = “udp”
labels = {
component = “loki.source.syslog”,
protocol = “udp”,
job = “va”,
service = “{{ customer.service }}”,
environment = “{{ deployment.environment }}”,
}
}

forward_to = [loki.write.logs_base.receiver]
}

loki.relabel “remote_syslog” {
forward_to = [loki.write.logs_base.receiver]
rule {
source_labels = [“__syslog_message_hostname”]
target_label = “host”
}

    rule {
            source_labels = ["__syslog_message_severity"]
            target_label  = "level"
    }

    rule {
            source_labels = ["__syslog_message_app_name"]
            target_label  = "application"
    }

    rule {
            source_labels = ["__syslog_message_facility"]
            target_label  = "facility"
    }

    rule {
            source_labels = ["__syslog_connection_hostname"]
            replacement   = "{{ ansible_hostname }}"
            target_label  = "connection_hostname"
    }

}

It simply labels the static labels provided in the “listener” block but ignored any other labels.

Any help is appreciated!

tonyswumac · October 16, 2024, 9:33pm

Try forwarding from your syslog block to loki.relabel.remote_syslog.receiver instead.

justintaylor9 · October 17, 2024, 2:19pm

Hi Tony:

Thanks again for your help. That did help things a little bit … now I’m getting the connection_hostname labeled properly, but it does not seem to discovery and relabel the other syslog labels.

For example, in the static mode config:

            source_labels = ["__syslog_message_app_name"]
            target_label  = "application"

This gets populated with the syslog component from the host system, but when using Alloy this is ignored and no label is found in Loki.

Thanks for your help.

tonyswumac · October 17, 2024, 5:17pm

Maybe try this, essentially setting relabel rules in the rsyslog listener instead, and see if it works:

loki.source.syslog "remote_syslog" {
  forward_to    = [loki.write.logs_base.receiver]
  relabel_rules = loki.relabel.remote_syslog.rules

  listener {
    address = "0.0.0.0:1514"
    labels = {
      component = "loki.source.syslog",
      protocol = "tcp",
      job = "va",
      service = "{{ customer.service }}",
      environment = "{{ deployment.environment }}",
    }
  }

  listener {
    address = "0.0.0.0:1514"
    protocol = "udp"
    labels = {
      component = "loki.source.syslog",
      protocol = "udp",
      job = "va",
      service = "{{ customer.service }}",
      environment = "{{ deployment.environment }}",
    }
  }
}

loki.relabel "remote_syslog" {
  forward_to = [loki.write.logs_base.receiver]

  rule {...}
}

If that still doesn’t work, do some tcpdump just to make sure the rsyslog labels are sent correctly.

justintaylor9 · October 21, 2024, 1:48pm

Hello again,

I did run a tcpdump and the labels are correct. When I use static mode it relabels them perfectly, but when I use Alloy, it only adds the static labels, and seemingly ignores the relabeling block. Here is the updates config with my rsyslog config included:

Logs are coming in on UDP port 514 →
Rsyslog then sends them to port 1514->

ruleset(name=“remote”){
action(type=“omfwd”
Target=“localhost”
Port=“1514”
Protocol=“tcp”
Template=“RSYSLOG_SyslogProtocol23Format”
TCP_Framing=“octet-counted”
KeepAlive=“on”
action.resumeRetryCount=“-1”
queue.type=“linkedlist”
queue.size=“50000”
)
}

module(load=“imudp”)
input(type=“imudp” port=“514” ruleset=“remote”)

module(load=“imtcp”)
input(type=“imtcp” port=“514” ruleset=“remote”)

Grafana Alloy then listens for them on port 1514 →
loki.source.syslog “remote_syslog” {
forward_to = [loki.relabel.remote_syslog.receiver]

listener {
address = “0.0.0.0:1514”
labels = {
component = “loki.source.syslog”,
protocol = “tcp”,
job = “va”,
service = “Utilities”,
environment = “prod”,
}
}

listener {
address = “0.0.0.0:1514”
protocol = “udp”
label_structured_data = true
labels = {
component = “loki.source.syslog”,
protocol = “udp”,
job = “va”,
service = “Utilities”,
environment = “prod”,
}
}
}

loki.relabel “remote_syslog” {
forward_to = [loki.write.logs_base.receiver]
rule {
source_labels = [“__syslog_message_hostname”]
target_label = “host”
}

    rule {
            source_labels = ["__syslog_message_severity"]
            target_label  = "level"
    }

    rule {
            source_labels = ["__syslog_message_app_name"]
            target_label  = "application"
    }

    rule {
            source_labels = ["__syslog_message_facility"]
            target_label  = "facility"
    }

    rule {
            source_labels = ["__syslog_connection_hostname"]
            replacement   = "az1-ict-iam-prod-syslog-01.server.ufl.edu"
            target_label  = "connection_hostname"
    }

}

Please advise.

tonyswumac · October 21, 2024, 8:23pm

Try this, using lok.process instead of loki.relabel:

log “remote_syslog” {
  forward_to = [loki.process.remote_syslog.receiver]

  listener {
    address = “0.0.0.0:1514”
    labels = {
      component = “loki.source.syslog”,
      protocol = “tcp”,
      job = “va”,
      service = “Utilities”,
      environment = “prod”,
    }
  }

  listener {
    address = “0.0.0.0:1514”
    protocol = “udp”
    label_structured_data = true
    labels = {
      component = “loki.source.syslog”,
      protocol = “udp”,
      job = “va”,
      service = “Utilities”,
      environment = “prod”,
    }
  }
}

loki.process "remote_syslog" {
  forward_to = [loki.write.destination.receiver]

  
  stage.static_labels {
    values = {
      connection_hostname = "az1-ict-iam-prod-syslog-01.server.ufl.edu",
    }
  }

  stage.labels {
    values = {
      level = "__syslog_message_severity",
      application = "__syslog_message_app_name",
      facility = "__syslog_message_facility",
    }
  }
)

justintaylor9 · October 22, 2024, 4:50pm

Unfortunately it still does not dynamically label the syslog messages in the same way that static mode does… This is a bit problematic. Any other ideas up your sleeve ?

justintaylor9 · October 28, 2024, 5:15pm

Good afternoon,

I tried this again with syslog-ng instead of rsyslog, it made no difference, I guess I’ll open a github issue.

Topic		Replies	Views
Generate Label out of syslog hostname Grafana Alloy loki	1	214	July 26, 2024
Getting labels from syslog msg field Grafana Loki agent	5	329	June 12, 2024
How to add labels with loki.source.syslog Grafana Alloy loki	19	1272	November 1, 2024
Add labels to logs Grafana Alloy	5	1744	July 8, 2024
Map File for stage.match in loki.process Grafana Alloy loki	1	64	July 16, 2024

Grafana Alloy Syslog Labeling Issues

Related topics