2

I am collecting logs using rsyslog from about 5000 servers. My collector is writing all logs to a single file on an NFS volume using RFC5424 format. I am mounting this NFS volume on my promtail nodes, and using static_config to scrape the file. I can view the logs in Loki.

My problem: I don't see any labels in my log entries. I am unable to do LogQL queries based on hostname or any type of query based on facility.

This is the relevant portion of my promtail conf:

scrape_configs:
- job_name: system
  static_configs:
  - targets:
      - localhost
    labels:
      job: varlogs
      __path__: /data/rsyslog.log

Is there any way to apply labels to a static_config?

billq

1 Answer

1

Yes, you can do that with static_config. You will need to use Promtail's pipeline stages to parse the logs and extract the required information to create the labels.

Here is what your modified version could look like:

scrape_configs:
- job_name: system
  pipeline_stages:
    # Assuming the logs are in RFC5424 format, use the regex to extract the
    # PRI value and the hostname. The regex stage requires named capture
    # groups; each group name becomes a key in the extracted data.
    - regex:
        expression: '.*?<(?P<pri>\d+)>\d+\s\d+-\d+-\d+T\d+:\d+:\d+\.\d+\S+\s+(?P<hostname>\S+)\s+.*'
    # Promote the extracted values to labels. PRI is facility * 8 + severity,
    # so it still has to be decoded to get the facility on its own.
    - labels:
        pri:
        hostname:
  static_configs:
  - targets:
      - localhost
    labels:
      job: varlogs
      __path__: /data/rsyslog.log

You will need to adapt the regex to match the specific format of your logs.

Saxtheowl
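One way to check a header regex before it goes into a pipeline stage, as an added example that is not code from the question or the answer: it runs a named-group pattern over constructed RFC5424 lines and decodes PRI into facility and severity. The pattern, the function name, the facility keywords and the sample lines are assumptions made for the illustration.

```python
import re

# Named-group header pattern (assumed for this example). It uses only
# constructs that both Python's re and Go's RE2 (used by Promtail) support.
RFC5424_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>\d+\s+\S+\s+(?P<hostname>\S+)\s")

# Conventional syslog keywords for facility codes 0-23 and severity codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def extract_labels(line):
    """Return hostname/facility/severity for one line, or None if it is not RFC5424."""
    m = RFC5424_HEADER.match(line)
    if m is None:
        return None
    # PRI = facility * 8 + severity, so divmod splits it back into both parts.
    facility, severity = divmod(int(m.group("pri")), 8)
    if facility >= len(FACILITIES):  # PRI above 191 is not a valid value
        return None
    hostname = m.group("hostname")
    if hostname == "-":  # RFC5424 NILVALUE: the sender did not supply a hostname
        hostname = "unknown"
    return {"hostname": hostname,
            "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity]}


# Constructed sample lines, not taken from a real system.
SAMPLE_LINES = [
    "<34>1 2023-03-01T12:00:00.123456+00:00 web01.example.com sshd 1234 - - Failed password",
    "<134>1 2023-03-01T12:00:01.000001+00:00 db02.example.com app 77 - - checkpoint complete",
    "<13>1 2023-03-01T12:00:02.500000+00:00 - app - - - sender gave no hostname",
    "Mar  1 12:00:03 legacy01 cron[9]: RFC3164 line without a PRI in the file",
    "<999>1 2023-03-01T12:00:04.000000+00:00 web01.example.com app - - - bad PRI",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(extract_labels(sample), "<-", sample[:50])
```

Each distinct label value becomes its own Loki stream, so with about 5000 servers a hostname label alone produces about 5000 streams for the job.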