Hello ,
I am writing Promtail syslog receiver of (Pfsense)Openvpn logs and normalize them into lables
the log line example as follows below including my Promtail config, i managed to get most of my desired data into labels, but i would like to set label as vpn_auth_status , if its equal to as follows
vpn_auth_status = could not authenticate. >> change to failed
vpn_auth_status = authenticated >> change success
according to doc as i understand it it should be done with template, but i didn;t figure out the correct way of condition , if someone could kind enough to help me
Thanks
2023-05-29T15:58:13.479616+03:00 fw-bs.gen.local openvpn 37382 - - user 'dknaan' could not authenticate.
or
2023-05-29T17:40:24.518181+03:00 fw-bs.gen.local openvpn 42810 - - user 'idalkian' authenticated
server:
http_listen_port: 9081
grpc_listen_port: 0
clients:
- url: http://127.0.0.1:3100/loki/api/v1/push
scrape_configs:
- job_name: syslog
syslog:
listen_address: 0.0.0.0:1519
labels:
job: syslog
relabel_configs:
- source_labels: [__syslog_message_hostname]
target_label: host
- source_labels: [__syslog_message_hostname]
target_label: hostname
- source_labels: [__syslog_message_severity]
target_label: level
- source_labels: [__syslog_message_app_name]
target_label: application
- source_labels: [__syslog_message_facility]
target_label: facility
- source_labels: [__syslog_connection_hostname]
target_label: connection_hostname
- source_labels: [auth_status]
target_label: vpn_auth_status
regex: 'could not authenticate\.'
replacement: 'false'
pipeline_stages:
- match:
selector: '{job="syslog"}'
stages:
- regex:
expression: '^(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{6}\+\d{2}:\d{2})\s(?P<source_fw>.+?)\s(?P<auth_source>.+?)\s(\d+?)\s-\s-\suser\s.(?P<user_name>.+?).\s(?P<auth_status>.*)'
- labels:
time_stamp: time
source_labels: source_fw
auth_source: auth_source
user_name: user_name
auth_status: auth_status