Wouldn't it be a good idea to introduce a syslog-ng destination for promtail that uses http (promtail push api to Loki)? #4454
@itheodoridis Thank you for bringing this up and the initial configuration! I plan to replicate your setup locally (using https://www.syslog-ng.com/community/b/blog/posts/sending-logs-from-syslog-ng-to-grafana-loki to refresh my memories about Loki / Grafana :-) ) and then create a configuration block out of it (using /usr/share/syslog-ng/include/scl/elasticsearch/elastic-http.conf as an example). As a first step I'll use the current template, then I'll check how one can use format-json instead of the MESSAGE macro.
Update. I have now a loki-http() configuration block with batching, largely based on elasticsearch-http(). It seems to work. There is a single catch: I have no idea about the Loki side :-) So, next up: installing Grafana to have a GUI instead of just
Just a heads up: I did not forget about this. I have Grafana up and running in docker. I started to read the Loki documentation, but had to stop, as my temperature is going up sharply right now. Yes, I still find a loki-http() destination a good idea. However, it seems that this is not as generic as simply sending RFC 5424 logs to promtail. One needs both a syslog-ng configuration and a matching promtail configuration. The current promtail.yaml and my config are good starting points. Two things need to be documented in a few sentences (most likely in /usr/share/syslog-ng/include/scl/loki-http/plugin.conf):
Just wanted to add that I intend to work on this once #3966 is merged. In that PR I have preparations for partitioning the message stream based on the value of specific name-value pairs, and with that we could start using message templates in the body-header() and body-footer() options, thereby implementing an improved batching that would let us populate the header in an improved form.
Hello all.
I would like to initiate a discussion about whether it would be a good idea to introduce a syslog-ng destination for promtail that uses http. I had the intention of investigating the possibility of gathering Cisco network device logs and getting them over to Loki. Peter Czanik had written a blog post about storing such logs in files using json format:
https://www.syslog-ng.com/community/b/blog/posts/parsing-cisco-logs-in-syslog-ng
I used part of that configuration and, after a lot of searching and help all around, I got to send those logs over to Loki using http by targeting the Promtail push API that can forward logs to Loki in the desired Loki format. This doesn't touch the filesystem, obviously.
This is what the syslog-ng config looks like for this.
After a suggestion from Peter, I tried changing "${UNIXTIME}000000" to "${USEC}". Still works.
This is what the Promtail config looks like for this.
I think it may be beneficial for the community to construct a syslog-ng destination for promtail that can replicate this in a cleaner way or maybe even optimize it.
I am in no way a log expert or even a medium-level log connoisseur. So I am pretty sure a lot of people can do a better job with this than I did. Maybe, though, this can help people use syslog-ng in more ways than is possible now.
I plan to transfer this setup over to docker containers soon (in the next couple of days). I don't expect any trouble.