Help Using Promtail template to change regex detection group to required value

Hello,

I am writing a Promtail syslog receiver for (pfSense) OpenVPN logs and normalizing them into labels.

The log line example is below, along with my Promtail config. I managed to get most of my desired data into labels, but I would like to set the label vpn_auth_status as follows, if it is equal to:

vpn_auth_status = could not authenticate. >> change to failed

vpn_auth_status = authenticated >> change success

According to the docs, as I understand it, this should be done with a template, but I didn't figure out the correct way to write the condition. If someone could be kind enough to help me.

Thanks

2023-05-29T15:58:13.479616+03:00 fw-bs.gen.local openvpn 37382 - - user 'dknaan' could not authenticate.

or

2023-05-29T17:40:24.518181+03:00 fw-bs.gen.local openvpn 42810 - - user 'idalkian' authenticated

server:
  http_listen_port: 9081
  grpc_listen_port: 0

clients:
  - url: http://127.0.0.1:3100/loki/api/v1/push

scrape_configs:
  - job_name: syslog
    syslog:
      listen_address: 0.0.0.0:1519
      labels:
        job: syslog
    relabel_configs:
      - source_labels: [__syslog_message_hostname]
        target_label: host
      - source_labels: [__syslog_message_hostname]
        target_label: hostname
      - source_labels: [__syslog_message_severity]
        target_label: level
      - source_labels: [__syslog_message_app_name]
        target_label: application
      - source_labels: [__syslog_message_facility]
        target_label: facility
      - source_labels: [__syslog_connection_hostname]
        target_label: connection_hostname
      # relabel_configs run on the syslog metadata before pipeline_stages,
      # so auth_status (extracted by the regex stage below) is not set yet here
      - source_labels: [auth_status]
        target_label: vpn_auth_status
        regex: 'could not authenticate\.'
        replacement: 'false'

    pipeline_stages:
      - match:
          selector: '{job="syslog"}'
          stages:
            - regex:
                expression: '^(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{6}\+\d{2}:\d{2})\s(?P<source_fw>.+?)\s(?P<auth_source>.+?)\s(\d+?)\s-\s-\suser\s.(?P<user_name>.+?).\s(?P<auth_status>.*)'

            - labels:
                # label name: extracted key
                time_stamp: time
                source_fw: source_fw
                auth_source: auth_source
                user_name: user_name
                auth_status: auth_status

You could try something like this:

- template:
    source: auth_status
    template: '{{ if eq .Value "authenticated." }}success{{else}}failed{{end}}'

If that doesn't work, you can kind of achieve if/else with two match blocks like so:

- match:
    selector: '{auth_status="authenticated."}'
    stages:
      <...>
- match:
    selector: '{auth_status!="authenticated."}'
    stages:
      <...>
1 Like
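To check the answer's template outside Promtail, here is an added Go example (not code from the thread or from the Promtail project) that runs the question's regex and the answer's template over the two log lines quoted above, the way the regex and template stages chain: named groups become extracted keys, and the template is evaluated with the source label's value as .Value. It assumes Promtail's Go RE2 regex and text/template semantics; the literal compared against is "authenticated" with no trailing period, because that is what the question's sample line ends with, so adjust it to whatever your regex really captures.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// The regex stage from the question, unchanged (Promtail compiles it with Go's RE2 engine).
const lineRegex = `^(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{6}\+\d{2}:\d{2})\s(?P<source_fw>.+?)\s(?P<auth_source>.+?)\s(\d+?)\s-\s-\suser\s.(?P<user_name>.+?).\s(?P<auth_status>.*)`

// The template from the answer. Promtail's template stage exposes the source
// label's value as .Value; "eq" is an exact string comparison, so the literal
// must equal what the regex captured. The question's sample line ends in
// "authenticated" without a period, so that is the literal used here (assumption).
const statusTemplate = `{{ if eq .Value "authenticated" }}success{{else}}failed{{end}}`

var (
	lineRe     = regexp.MustCompile(lineRegex)
	statusTmpl = template.Must(template.New("vpn_auth_status").Parse(statusTemplate))
)

// ExtractFields mirrors the regex stage: each named group becomes an extracted key.
func ExtractFields(line string) (map[string]string, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return nil, false
	}
	fields := make(map[string]string)
	for i, name := range lineRe.SubexpNames() {
		if name != "" {
			fields[name] = m[i]
		}
	}
	return fields, true
}

// RenderStatus mirrors the template stage: the captured auth_status is passed
// in as .Value and the rendered text is the new value.
func RenderStatus(value string) (string, error) {
	var buf bytes.Buffer
	err := statusTmpl.Execute(&buf, struct{ Value string }{Value: value})
	return buf.String(), err
}

// VPNAuthStatus runs both stages for one syslog line and returns the value
// the vpn_auth_status label would receive.
func VPNAuthStatus(line string) (string, error) {
	fields, ok := ExtractFields(line)
	if !ok {
		return "", fmt.Errorf("line did not match regex stage: %q", line)
	}
	return RenderStatus(fields["auth_status"])
}

func main() {
	// Constructed sample input: the two lines quoted in the question plus one
	// line the regex does not match, to show the non-matching path.
	lines := []string{
		"2023-05-29T15:58:13.479616+03:00 fw-bs.gen.local openvpn 37382 - - user 'dknaan' could not authenticate.",
		"2023-05-29T17:40:24.518181+03:00 fw-bs.gen.local openvpn 42810 - - user 'idalkian' authenticated",
		"2023-05-29T17:41:00.000000+03:00 fw-bs.gen.local openvpn 42810 - - TLS handshake complete",
	}
	for _, l := range lines {
		status, err := VPNAuthStatus(l)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		fields, _ := ExtractFields(l)
		fmt.Printf("user=%s auth_status=%q -> vpn_auth_status=%s\n",
			fields["user_name"], fields["auth_status"], status)
	}
}
```

Because the else branch catches everything that is not exactly the success literal, any new message shape (a typo in the literal, a trailing period, a future "authenticated (cached)" variant) silently lands in "failed"; if that matters for alerting, compare against the failure string instead, or extend the template with an explicit third branch.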

Thanks a lot, the first option works like a charm.
Thanks again