- Use rsyslog to export logs (rsyslog collector → Promtail syslog listener → Loki)
172.16.1.2
is the rsyslog server (collector, receives syslog on port 514)
172.16.1.3
is the log client host (Promtail listens here on port 1514 for the syslog that rsyslog forwards, see 50-promtail.conf below)
- Check that rsyslog is available (already installed, or installable from the configured repositories), then install it:
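# Install rsyslog, then fetch the latest Loki release binary into /usr/local/bin.
apt-cache policy rsyslog
sudo apt install -y rsyslog unzip
# Unpack in a private temp dir instead of cd'ing into /usr/local/bin: the
# original mixed sudo and non-sudo steps inside a root-owned PATH directory,
# which fails (or leaves stray files) for a non-root shell.
tmpdir=$(mktemp -d) || exit 1
# Resolve the asset URL from the GitHub API; anchor the asset name so a
# similarly named file (e.g. a checksum) cannot be selected instead.
LOKI_URL=$(curl -fsSL https://api.github.com/repos/grafana/loki/releases/latest \
  | grep browser_download_url | cut -d '"' -f 4 | grep 'loki-linux-amd64\.zip$')
: "${LOKI_URL:?could not resolve the Loki download URL (API rate limit?)}"
wget -qO "$tmpdir/loki-linux-amd64.zip" "$LOKI_URL" || exit 1
# TODO(supply-chain): verify the archive against the checksum file published
# with the release, and pin a release tag instead of resolving "latest" at
# install time — this binary will run as a long-lived network service.
unzip -q "$tmpdir/loki-linux-amd64.zip" -d "$tmpdir" || exit 1
# install(1) sets mode and ownership in one step (replaces mv + chmod a+x).
sudo install -m 0755 "$tmpdir/loki-linux-amd64" /usr/local/bin/loki
rm -rf -- "${tmpdir:?}"
# The config path must match the -config.file argument in loki.service.
sudo nano -- /usr/local/bin/config-loki.yml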
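# Loki single-binary configuration (/usr/local/bin/config-loki.yml).
# NOTE(review): this key set (boltdb index, filesystem chunks, schema v11,
# max_transfer_retries, enforce_metric_name) matches the 2.x-era local
# example; a release fetched via "latest" may reject keys that were removed
# since. Pin the Loki version you actually installed and validate the config.
auth_enabled: false   # single-tenant: anyone who can reach the API can push and query
server:
  # Promtail pushes to 127.0.0.1:3100 (see promtail-local-config.yaml), so
  # bind the HTTP and gRPC listeners to loopback instead of every interface.
  # If Grafana runs on another host, bind to that interface and put an
  # authenticating TLS reverse proxy in front — auth_enabled is off.
  http_listen_address: 127.0.0.1
  http_listen_port: 3100
  grpc_listen_address: 127.0.0.1
ingester:
  lifecycler:
    address: 127.0.0.1
    ring:
      kvstore:
        store: inmemory
      replication_factor: 1
    final_sleep: 0s
  chunk_idle_period: 5m
  chunk_retain_period: 30s
  max_transfer_retries: 0
schema_config:
  configs:
    - from: 2022-07-24
      store: boltdb
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h
storage_config:
  # NOTE(review): /tmp is not persistent storage and is cleaned on reboot on
  # many distributions; for anything beyond a lab, point both stores at a
  # directory owned by the service account (e.g. under /var/lib).
  boltdb:
    directory: /tmp/loki/index
  filesystem:
    directory: /tmp/loki/chunks
limits_config:
  enforce_metric_name: false
  reject_old_samples: true
  reject_old_samples_max_age: 168h   # reject entries older than 7 days
chunk_store_config:
  max_look_back_period: 0s
table_manager:
  # Retention is not enforced by the table manager with these values.
  retention_deletes_enabled: false
  retention_period: 0s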
# Unit file for the Loki service (enabled and started in the next step).
sudo nano -- "/etc/systemd/system/loki.service"
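[Unit]
Description=Loki service
After=network.target

[Service]
Type=simple
# Loki's listeners are unprivileged ports (3100 in config-loki.yml), so the
# service does not need root. Create the account before starting the unit:
#   sudo useradd --system --no-create-home --shell /usr/sbin/nologin loki
# NOTE(review): the data directories under /tmp/loki (storage_config) must be
# creatable/writable by this user; /tmp is world-writable so a first start as
# this user should work, but if an earlier root-run start already created
# them, chown them to this account.
User=loki
ExecStart=/usr/local/bin/loki -config.file /usr/local/bin/config-loki.yml
Restart=on-failure
# Basic sandboxing. PrivateTmp is deliberately NOT set because the index and
# chunk stores live under /tmp per config-loki.yml.
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=multi-user.target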
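# Reload units so systemd sees the new file, then enable at boot and start now.
# The original ran 'systemctl enable' without sudo (fails for an unprivileged
# user) and mixed the legacy 'service' wrapper with systemctl.
sudo systemctl daemon-reload
sudo systemctl enable --now loki
sudo systemctl status loki --no-pager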
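# Install the Promtail release from the same Loki release line.
PROMTAIL_VERSION=$(curl -fsSL "https://api.github.com/repos/grafana/loki/releases/latest" \
  | grep -Po '"tag_name": "v\K[0-9.]+')
# An empty version (e.g. API rate limit) would otherwise yield a bogus URL.
: "${PROMTAIL_VERSION:?could not determine the Promtail version}"
sudo mkdir -p /opt/promtail   # -p: idempotent on re-runs
tmpdir=$(mktemp -d) || exit 1
# The release asset is a zip archive; the original saved it as .gz and relied
# on gunzip accepting a single-member zip. Use unzip (installed for Loki).
wget -qO "$tmpdir/promtail-linux-amd64.zip" \
  "https://github.com/grafana/loki/releases/download/v${PROMTAIL_VERSION}/promtail-linux-amd64.zip" || exit 1
# TODO(supply-chain): verify the archive against the release's checksum file
# and pin PROMTAIL_VERSION rather than resolving "latest" at install time.
unzip -q "$tmpdir/promtail-linux-amd64.zip" -d "$tmpdir" || exit 1
sudo install -m 0755 "$tmpdir/promtail-linux-amd64" /opt/promtail/promtail
rm -rf -- "${tmpdir:?}"
sudo ln -sf /opt/promtail/promtail /usr/local/bin/promtail   # -f: idempotent
# Upstream example config for the same tag; it is edited further down.
sudo wget -qO /opt/promtail/promtail-local-config.yaml \
  "https://raw.githubusercontent.com/grafana/loki/v${PROMTAIL_VERSION}/clients/cmd/promtail/promtail-local-config.yaml"
promtail -version
# Unit file for Promtail.
sudo nano -- /etc/systemd/system/promtail.service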
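[Unit]
Description=Promtail client for sending logs to Loki
After=network.target

[Service]
# Without User= this runs as root. Promtail only needs to read the journal,
# bind the unprivileged syslog port 1514 and write its positions file, so run
# it as a dedicated account; create it first:
#   sudo useradd --system --no-create-home --shell /usr/sbin/nologin promtail
# NOTE(review): reading the system journal as a non-root user conventionally
# requires membership in the systemd-journal group — confirm on this distro.
User=promtail
SupplementaryGroups=systemd-journal
ExecStart=/opt/promtail/promtail -config.file=/opt/promtail/promtail-local-config.yaml
Restart=always
TimeoutStopSec=3
# Basic sandboxing; PrivateTmp is not set because positions.yaml lives in /tmp
# per promtail-local-config.yaml.
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=multi-user.target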
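# Reload units, then enable at boot and start now (replaces the legacy
# 'service' wrapper and the enable-after-start ordering).
sudo systemctl daemon-reload
sudo systemctl enable --now promtail
sudo systemctl status promtail --no-pager
# /etc/rsyslog.conf is root-owned; the original nano call lacked sudo.
sudo nano -- /etc/rsyslog.conf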
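# provides UDP syslog reception
# NOTE(review): UDP syslog is unauthenticated and its source address can be
# spoofed, so the sender filter below is only a weak control for UDP; prefer
# TCP from clients (and imtcp's TLS stream driver where the segment is not
# trusted).
module(load="imudp")
# provides TCP syslog reception
module(load="imtcp")
# Only the lab network may send. The original "$AllowedSender TCP, 0.0.0.0"
# names a single host address, not a network, so it did not express the
# intended "specific network"; use the real sender prefix (hosts on this page
# are 172.16.1.x — adjust to the actual client range). The legacy directive is
# per protocol, so list UDP and TCP, and it is placed before the input()
# statements so the filter exists before the listeners start.
$AllowedSender UDP, 172.16.1.0/24
$AllowedSender TCP, 172.16.1.0/24
input(type="imudp" port="514")
input(type="imtcp" port="514")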
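# Validate the configuration before restarting so a typo cannot take log
# collection down.
sudo rsyslogd -N1
sudo systemctl restart rsyslog
sudo systemctl status rsyslog --no-pager
# Files under /etc/rsyslog.d are root-owned; the original nano call lacked sudo.
sudo nano -- /etc/rsyslog.d/50-promtail.conf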
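# Forward everything this rsyslog instance processes to Promtail's syslog
# listener (172.16.1.3:1514, job "syslogRsys" in promtail-local-config.yaml).
# omprog was loaded in the original but no action used it; it executes
# external programs, so it is no longer loaded here.
module(load="mmutf8fix")
# Replace invalid UTF-8 before forwarding so the receiver does not reject
# the message.
action(type="mmutf8fix" replacementChar="?")
# RSYSLOG_SyslogProtocol23Format is the RFC 5424-style format Promtail's
# syslog receiver expects; octet-counted framing keeps message boundaries
# unambiguous over TCP. The link is plaintext TCP — acceptable only on a
# trusted segment or loopback; otherwise use rsyslog's TLS stream driver.
# The disk-assisted queue and unlimited retries hold messages while Promtail
# is restarting instead of dropping them; queue files are written under
# rsyslog's work directory (see the workDirectory setting in rsyslog.conf).
action(type="omfwd" protocol="tcp" target="172.16.1.3" port="1514"
       Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted"
       KeepAlive="on"
       action.resumeRetryCount="-1"
       queue.type="LinkedList" queue.filename="promtail_fwd"
       queue.saveOnShutdown="on")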
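# Validate the new forwarding rule before restarting.
sudo rsyslogd -N1
sudo systemctl restart rsyslog
sudo systemctl status rsyslog --no-pager
# The Promtail config is root-owned (written via sudo wget above).
sudo nano -- /opt/promtail/promtail-local-config.yaml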
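---
# Promtail configuration (/opt/promtail/promtail-local-config.yaml): scrapes
# the local journal plus the syslog that rsyslog forwards, and pushes both to
# the local Loki.
server:
  # The HTTP endpoint (metrics/health) is not needed from other hosts.
  http_listen_address: 127.0.0.1
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  # NOTE(review): /tmp is world-writable and usually cleared on reboot; losing
  # this file means re-reading (or skipping) data after a restart. Prefer a
  # directory owned by the service account.
  filename: /tmp/positions.yaml
clients:
  # Plaintext HTTP is acceptable here only because Loki is on loopback.
  - url: http://127.0.0.1:3100/loki/api/v1/push
scrape_configs:
  - job_name: journal
    journal:
      max_age: 12h
      labels:
        job: systemd-journal
    relabel_configs:
      - source_labels: ['__journal__systemd_unit']
        target_label: 'unit'
  - job_name: syslogRsys
    syslog:
      # rsyslog forwards to 172.16.1.3:1514 (50-promtail.conf), so listen on
      # that address only rather than on every interface; adjust if this
      # host's address differs. The listener itself has no authentication —
      # restrict reachability with the host firewall to the rsyslog collector.
      listen_address: 172.16.1.3:1514
      label_structured_data: yes
      labels:
        job: "syslogRsys"
    relabel_configs:
      - source_labels: ["__syslog_connection_ip_address"]
        target_label: "ip_address"
      - source_labels: ["__syslog_message_severity"]
        target_label: "severity"
      - source_labels: ["__syslog_message_facility"]
        target_label: "facility"
      - source_labels: ["__syslog_message_hostname"]
        target_label: "host"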
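# Apply the edited configs: restart both services via systemctl (the original
# mixed the legacy 'service' wrapper in) and confirm they came back.
sudo systemctl enable promtail
sudo systemctl restart promtail
sudo systemctl status promtail --no-pager
sudo systemctl enable rsyslog
sudo rsyslogd -N1
sudo systemctl restart rsyslog
sudo systemctl status rsyslog --no-pager
# Confirm the listeners are bound where intended (514 rsyslog, 1514 Promtail
# syslog, 3100 Loki, 9080 Promtail HTTP) and on which addresses.
sudo ss -ltnup | grep -E ':(514|1514|3100|9080)\b'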