Opnsense -> Alloy -> Loki

Grafana Alloy
,
1

Hi,

I’m trying to get the syslogs from Opnsense parsed and into Loki for use with Grafana. The connection works but i’m not seeing the extracted labels i’d like - i.e. date/time, host and the app (audit or sshd-session for example). What am i doing wrong please?

loki.source.syslog "network_devices" {
  listener {
    address  = "0.0.0.0:5514"
    protocol = "udp"
  }
  
  forward_to = [loki.process.network_logs.receiver]
}

loki.process "network_logs" {
  forward_to = [loki.write.default.receiver]

  stage.static_labels {
    values = {
      job = "opnsense",
    }
  }

  stage.regex {
    expression = `OPNsense\.localdomain (?P<app_name>[^\s]+)`
  }

  stage.labels {
    values = {
      app_name = "app_name",
      process = "app_name",
    }
  }

  stage.regex {
    expression = `(?P<hostname>OPNsense\.localdomain)`
  }

  stage.labels {
    values = {
      hostname = "hostname",
    }
  }
}

loki.write "default" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push"
  }
}

Logs originally look like this for example:

<37>1 2025-08-13T08:28:58+00:00 OPNsense.localdomain audit 62012 - [meta sequenceId="155"] user root authenticated successfully for sshd [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]
<38>1 2025-08-13T08:28:58+00:00 OPNsense.localdomain sshd-session 60931 - [meta sequenceId="156"] Accepted keyboard-interactive/pam for root from 10.200.2.26 port 45206 ssh2

The only labels i’m seeing are:
detected_level
job
service_name

both job and service name have a single value of opnsense

Thanks in advance

2

Hi,
Does anyone have any idea please? I’ve tried the below based on extracting the fields from the syslog headers also with no joy.


livedebugging {
  enabled = true
}

loki.source.syslog "network_devices" {
  listener {
    address       = "0.0.0.0:5514"
    protocol      = "udp"
    syslog_format = "rfc5424"
    use_rfc5424_message = true
    label_structured_data = true   
  }
  forward_to = [loki.process.network_logs.receiver]
}


loki.relabel "network_logs" {
  forward_to = [loki.write.default.receiver]

  rule {
    source_labels = ["__syslog_message_hostname"]
    target_label  = "hostname"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_app_name"]
    target_label  = "app_name"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_proc_id"]
    target_label  = "proc_id"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_msg_id"]
    target_label  = "msg_id"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_facility"]
    target_label  = "facility"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_severity"]
    target_label  = "severity"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_timestamp"]
    target_label  = "timestamp"
    action        = "replace"
  }

  rule {
    source_labels = ["__syslog_message_structured_data"]
    target_label  = "structured_data"
    action        = "replace"
  }
}

loki.write "default" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push"
  }
}
3
  1. First, I would try sending logs directly from syslog input to loki output, and see what the result looks like. If you can share that would be good, too.
  2. You can also use stage.labels in process block and set all the labels instead of using relabel, and see if that get you anything.
  3. Your regex kinda doesn’t make sense, in that you probably don’t want to match the hostname literally. If you can share results from #1 I can try to come up with something.
4

Hello,

Thank you :slight_smile:

logs
logs3363×494 122 KB

This is the screenshot of the logs going straight into Loki/Grafana.

I’m using this config:

livedebugging {
  enabled = true
}

loki.source.syslog "network_devices" {
  listener {
    address       = "0.0.0.0:5514"
    protocol      = "udp"
    syslog_format = "rfc5424"
    use_rfc5424_message = true
    label_structured_data = true   
  }
  forward_to = [loki.write.default.receiver]
}

loki.write "default" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push"
  }
}

And the logs look like this straight out of opnsense:

<37>1 2025-08-15T07:07:35+00:00 OPNsense.localdomain audit 79871 - [meta sequenceId="1"] user root authenticated successfully for WebGui [using OPNsense\Auth\Services\WebGui + OPNsense\Auth\Local]
<37>1 2025-08-15T07:07:35+00:00 OPNsense.localdomain audit 79871 - [meta sequenceId="2"] /index.php: Successful login for user 'root' from: 10.200.2.26

Any ideas please?

5

Thanks Tony for the suggestions. It got me on the right route. This is now outputting what i want and i can work from here.

livedebugging {
  enabled = true
}

loki.source.syslog "network_devices" {
  listener {
    address       = "0.0.0.0:5514"
    protocol      = "udp"
    syslog_format = "rfc5424"
    use_rfc5424_message = true
    label_structured_data = true   
  }
  forward_to = [loki.write.default.receiver]
  relabel_rules = loki.relabel.network_logs.rules
}


loki.relabel "network_logs" {
  forward_to = [loki.write.default.receiver]


  rule {
    source_labels = ["__syslog_message_severity"]
    target_label  = "severity"
  }

  rule { 
    source_labels = ["__syslog_message_hostname"]
    target_label  = "hostname"
  }
  rule {
    source_labels = ["__syslog_message_app_name"]
    target_label  = "appname"
  }
  rule {
    source_labels = ["__syslog_message_proc_id"]
    target_label  = "procid"
  }
  rule {
    source_labels = ["__syslog_message_msg_id"]
    target_label  = "msgid"
  }
}

loki.write "default" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push"
  }
}