Promtail config for syslog and extract labels from nginx logs

promtail.yml

---

server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

client:
  url: http://192.168.50.10:3100/api/prom/push

scrape_configs:
  - job_name: syslog
    syslog:
      listen_address: 0.0.0.0:1514
      idle_timeout: 60s
      label_structured_data: yes
      labels:
        job: syslog
        tier: develop
    relabel_configs:
      - source_labels: ['__syslog_message_hostname']
        target_label: 'hostname'
      - source_labels: ['__syslog_message_app_name']
        target_label: 'appname'
    pipeline_stages:
      - match:
          selector: '{appname="nginx"}'
          stages:
            - json:
                expressions:
                  message: message
                  timestamp: '"@timestamp"'
                  req:
                  res:
            - json:
                expressions:
                  request_method: method
                  request_host: host
                source: req
            - json:
                expressions:
                  status_code: statusCode
                source: res
            - labels:
                request_host: ''
                request_method: ''
                status_code: ''

Nginx logging config

    log_format json_format escape=json '{'
        '"@timestamp":"$time_iso8601",'
        '"pid":"$pid",'
        '"connection":"$connection",'
        '"req":{'
            '"host":"$host",'
            '"url":"$request_uri",'
            '"contentType":"$content_type",'
            '"method":"$request_method",'
            '"remoteAddress":"$remote_addr",'
            '"userAgent":"$http_user_agent",'
            '"referer":"$http_referer",'
            '"protocol":"$server_protocol"'
        '},'
        '"res":{'
            '"statusCode":"$status",'
            '"responseTime":"$upstream_response_time",'
            '"contentLength":"$body_bytes_sent"'
        '},'
        '"message":"$request_method $host $request_uri $status $body_bytes_sent $request_time"'
    '}';

Hello and thanks for this amazing example, I don't know if you reply to any comment here but I'd like to say I used your method, and unfortunately, it didn't work. I'm gonna leave my config file and log example here in case if you were interested in giving me any help.

server:
  http_listen_port: 9080 
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://localhost:3100/loki/api/v1/push

scrape_configs:
- job_name: syslog
  
  syslog:
    listen_address: 0.0.0.0:514
    idle_timeout: 60s
    label_structured_data: no
    labels:
      job: "syslog"
  
  relabel_configs:
    - source_labels: ['__syslog_message_hostname']
      target_label: 'host'
    - source_labels: ['__syslog_connection_hostname']
      target_label: 'pod_hostname'
    - source_labels: ['__syslog_connection_ip_address']
      target_label: 'container_ip'
    - source_labels: ['__syslog_message_severity']
      target_label: 'severity'
    - source_labels: ['__syslog_message_facility']
      target_label: 'facility'
    - source_labels: ['__syslog_message_app_name']
      target_label: 'appname'
    - source_labels: ['__syslog_message_proc_id']
      target_label: 'procid'
    - source_labels: ['__syslog_message_msg_id']
      target_label: 'msgid'
 
  pipeline_stages:
    - match:
        selector: '{appname="deployer"}'
        stages:
          - json:
              expressions:
                user_id: user_id
                event: event
                instance_id: instance_id
                component: component
          - labels:
              user_id:
              event:
              instance_id:
              component:

log sample: