Loki Teleport Query Create User

Hi Guys!

Dear,

Could you help me to make a log parse? I am filtering, with grafana and loki, the Teleport user creation logs.

I leave the logs of the user test-user.

This is the query:

{namespace=“teleport-cluster”} |= test-user

Here the result

How is the better way to parse and generate fields?

The log is this:

Creating the User

2024-02-20T16:00:02Z INFO [AUDIT] user.create addr.remote:192.168.0.201:35665 cluster_name:teleport.esprueba.com code:T1002I connector:local ei:0 event:user.create expires:0001-01-01T00:00:00Z name:test-user roles:[kubernetes-admin] time:2024-02-20T16:00:02.39Z uid:5144a330-5edf-4db1-85bb-6ca3305659a2 user:teleport-admin user_kind:1 events/emitter.go:278

Setting the Password

2024-02-20T16:00:02Z INFO [AUDIT] reset_password_token.create cluster_name:teleport.esprueba.com code:T6000I ei:0 event:reset_password_token.create expires:2024-02-20T17:00:02.55738641Z name:test-user time:2024-02-20T16:00:02.557Z ttl:1h0m0s uid:ba8e336c-6d54-404b-8aa5-31c25d50b691 user:teleport-admin user_kind:1 events/emitter.go:278

Adding the MFA

2024-02-20T16:01:07Z INFO [AUDIT] mfa.add addr.remote:10.1.7.187:56008 cluster_name:teleport.esprueba.com code:T1006I ei:0 event:mfa.add mfa_device_name:otp-device mfa_device_type:TOTP mfa_device_uuid:a807abf5-ab4d-4b92-914d-719c4b6a49c4 time:2024-02-20T16:01:07.096Z uid:e232baf0-a587-4f93-b5ec-787952bdbac9 user:test-user user_kind:1 events/emitter.go:278

Can you help me? Or give me some link to read or view?

Thansk!

The pattern filter is probably the easiest in this case. See Log queries | Grafana Loki documentation.

Thanks @tonyswumac i made some changes! I am sending JSON, not more TEXT and is easier.

{namespace="teleport-cluster"} | json | event != `` | component = "auth" | event ="user.create"

Can you recommend me something to learn queries in JSON? Videos or Doc?

I would recommend reading through all documentation in the query section here: LogQL: Log query language | Grafana Loki documentation

There are some good examples in there, too.