As I cannot use loki.source.syslog (because it loses logs, see here), I have to fall back to loki.source.file on the centralized log files (/var/log/remote/hosts/srv01/syslog, auth.log, etc.):
local.file_match "local_syslog_files" {
  path_targets = [{"__path__" = "/var/log/remote/hosts/**/*log"}]
  sync_period  = "5s"
}

loki.source.file "local_syslog_file" {
  targets       = local.file_match.local_syslog_files.targets
  forward_to    = [loki.process.local_syslog_process.receiver]
  tail_from_end = true
}

loki.process "local_syslog_process" {
  forward_to = [loki.write.grafana_loki.receiver]

  // Traditional (BSD) syslog file format: "Mon  D HH:MM:SS host app[pid]: msg".
  // The " +" before the day is needed because single-digit days are padded with two spaces.
  stage.regex {
    expression = "^(?P<time>[A-Z][a-z]+ +\\d+ \\d+:\\d+:\\d+) (?P<host>[-\\w]+) (?P<application>[^(\\[:)]+)(\\[(?P<process_id>\\d+)\\])?: (?P<content>.*)$"
  }

  stage.labels {
    values = {
      host        = "",
      application = "",
    }
  }
}
It works, I get host (ex.: srv01) and application (sudo, CRON, etc.).
But all lines in Loki appear with the grey tag:
So, I wonder how I could extract the Syslog severity level as the label level?
It looks like it’s not saved in log files, so I guess it’s definitely lost…
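The following is an added worked example, not the post's Alloy config and not from the Grafana project. It runs the same regex as the stage.regex above (translated to Python syntax, with the " +" before the day so that single-digit days match) over constructed log lines, and shows why no level can come out of them: the traditional file format that rsyslog writes by default drops the syslog PRI, and the severity only exists inside PRI (PRI = facility * 8 + severity). For comparison, the same lines are also given in rsyslog's RSYSLOG_SyslogProtocol23Format (RFC 5424), where the <PRI> prefix survives and the level can be decoded. Everything below, including the sample lines and the function names, is constructed for this example.

```python
"""Where syslog severity lives, and why the traditional file format loses it.

Added example, not the original post's Alloy config. Assumptions (constructed):
- the "traditional" lines follow rsyslog's default file template (no PRI);
- the RFC 5424 lines follow rsyslog's RSYSLOG_SyslogProtocol23Format,
  "<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG", where PRI survives.
"""
from __future__ import annotations

import re

# Python form of the page's stage.regex for the traditional (BSD) file format.
# " +" before the day: rsyslog pads single-digit days with two spaces ("Jan  5").
TRADITIONAL_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]+ +\d+ \d+:\d+:\d+) (?P<host>[-\w]+) "
    r"(?P<application>[^(\[:)]+)(?:\[(?P<process_id>\d+)\])?: (?P<content>.*)$"
)

# RFC 5424 line as emitted by RSYSLOG_SyslogProtocol23Format.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<time>\S+) (?P<host>\S+) (?P<application>\S+) "
    r"(?P<process_id>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<content>.*)$"
)

# RFC 5424 severity codes 0..7, in the spelling commonly used for a "level" label.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (same two events in both formats).
SAMPLE_LINES = [
    "Jan  5 10:14:02 srv01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 15 10:14:03 srv01 CRON[5678]: (root) CMD (run-parts /etc/cron.hourly)",
    "<38>1 2024-01-05T10:14:02+00:00 srv01 sshd 1234 - - Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "<85>1 2024-01-05T10:14:04+00:00 srv01 sudo - - - alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/systemctl restart nginx",
]


def decode_pri(pri: int) -> tuple[int, int]:
    """Split a syslog PRI into (facility, severity): PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line: str) -> dict:
    """Return the labels the page's pipeline extracts, plus 'level' when the
    line format carries a PRI. Traditional lines get level=None: the severity
    was never written to the file, so no regex can recover it."""
    m = RFC5424_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m.group("pri")))
        pid = m.group("process_id")
        return {
            "host": m.group("host"),
            "application": m.group("application"),
            "process_id": None if pid == "-" else pid,
            "content": m.group("content").lstrip(),
            "facility": facility,
            "level": SEVERITY_NAMES[severity],
        }
    m = TRADITIONAL_RE.match(line)
    if m:
        return {
            "host": m.group("host"),
            "application": m.group("application"),
            "process_id": m.group("process_id"),
            "content": m.group("content"),
            "facility": None,
            "level": None,
        }
    raise ValueError(f"unrecognised syslog line: {line!r}")


def level_labels(lines: list[str]) -> list[tuple[str, str | None]]:
    """(application, level) per line; None where the format carries no severity."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        out.append((parsed["application"], parsed["level"]))
    return out


if __name__ == "__main__":
    for line, (app, level) in zip(SAMPLE_LINES, level_labels(SAMPLE_LINES)):
        print(f"{app:<6} level={level!s:<8} <- {line[:60]}")
```

The traditional lines parse cleanly into host and application, exactly as the post reports, but every one of them comes back with level=None; only the RFC 5424 lines yield "info" (PRI 38 = auth.info) and "notice" (PRI 85 = authpriv.notice). So the level has to be put into the file by the receiving rsyslog's template before any file-tailing regex can pick it up.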