I’ve a similar configuration (filterlog entries sent by syslog), but experiencing problems parsing the second group of attributes (which varies depending on ip version). It gets the first set of attributes just fine, and i set some labels that i do see. However, I’m unable to see any attributes pulled from the match blocks that follow the first set of labels set in processing. I suspect the issue is the selector, but i haven’t found a good way to debug that. Does anyone have any suggesstions? Here’s the relevant section of my config:
// grab rsyslog data
loki.source.syslog "local" {
forward_to = [loki.process.raw_syslog.receiver]
listener {
address = "0.0.0.0:514"
protocol = "udp"
}
relabel_rules = loki.relabel.syslog.rules
}
// build the relabel rules used by the source.syslog component
loki.relabel "syslog" {
forward_to = [loki.write.local.receiver]
rule {
source_labels = ["__syslog_message_severity"]
target_label = "level"
}
rule {
source_labels = ["__syslog_message_facility"]
target_label = "facility"
}
rule {
source_labels = ["__syslog_message_hostname"]
target_label = "hostname"
}
rule {
source_labels = ["__syslog_message_app_name"]
target_label = "application"
}
}
loki.process "raw_syslog" {
forward_to = [loki.write.local.receiver]
stage.match {
selector = "{application=\"filterlog\"}"
pipeline_name = "filterlog_enrichment"
// filterlog entries are comma delimited and difficult to decode by humans, repackage for easy reading
// Ref: https://github.com/opnsense/ports/blob/master/opnsense/filterlog/files/description.txt
// this first collection of attributes are common to all entries and are placed first
// grab them and send the rest into a temporary remainder attribute
stage.regex {
expression = join (
[
"^(?<rulenr>\\w*)",
"(?<subrulenr>\\w*)",
"(?<anchorname>\\w*)",
"(?<label>\\w*)",
"(?<interface>\\w*)",
"(?<reason>\\w*)",
"(?<action>\\w*)",
"(?<dir>\\w*)",
"(?<ipversion>\\w*)",
"(?<remainder>.*)$",
],
",",
)
}
// add in labels from the previous steps to be used for stages below
stage.labels {
values = {
action = "",
dir = "",
interface = "",
ipversion = "",
reason = "",
}
}
// parse out IPv4 data
stage.match {
selector = "{ipversion=\"4\"}"
pipeline_name = "IPv4 Processing"
stage.regex {
source = "remainder"
expression = join (
[
"^(?<tos>\\w*)",
"(?<ecn>\\w*)",
"(?<ttl>\\w*)",
"(?<id>\\w*)",
"(?<offset>\\w*)",
"(?<flags>\\w*)",
"(?<protonum>\\w*)",
"(?<protoname>\\w*)",
"(?<length>\\w*)",
"(?<src>\\w*)",
"(?<dst>\\w*)",
"(?<remainder>.*)$",
],
",",
)
}
}
// parse out IPv6 data
stage.match {
selector = "{ipversion=\"6\"}"
pipeline_name = "IPv6 Processing"
stage.regex {
source = "remainder"
expression = join (
[
"^(?<class>\\w*)",
"(?<flow>\\w*)",
"(?<hoplimit>\\w*)",
"(?<protoname>\\w*)",
"(?<protonum>\\w*)",
"(?<length>\\w*)",
"(?<src>\\w*)",
"(?<dst>\\w*)",
"(?<remainder>.*)$",
],
",",
)
}
}
stage.labels {
values = {
protoname = "",
protonum = "",
}
}
}
}
// send processed data
loki.write "local" {
endpoint {
url = "http://loki:3100/loki/api/v1/push"
}
}