A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
I have a similar setup (all hosts sending logs through syslog protocol to a central collector), but the collector is graylog. A few years back it used to use Grok expressions, but now it has its own filter syntax. My notes on extractors/grok patterns are still there (unfold details). Can't help you much more than that, sorry!
It does help thank you ;)
I've found that you can use custom grok patterns to parse logs just as grayling extractors do. I'm still trying to figure it out, but so far I could start parsing logs using a [[processor.parser]] block. I'll document my findings when I get it working as I want it.
You said you’re using telegraf, I assume to collect them - where are you storing/querying them? Have you looked into using Loki/Promtail for this?
I store and query them using influxdb. I checked Loki but apparently it's main feature is that it store the message as a single field, this not parsing the log at all. I didn't know about Promtail. Is it better suited than influxdb for my usecase ?
I don’t think Loki itself parses logs on ingestion at all. I’m not sure if Promtail can ship logs to influx, I’ve only ever used it to ship to Loki. Promtail can be configured to add or parse or labels from the logs it sends, or you can just parse them at query time using builtin parsers like logfmt, json or regex. The hard part here will be figuring out the query to pull out the metrics you want to graph, which sounds like where you’re stuck already. So it’s hard to say which is actually better suited here.
I found how to parse and tokenize logs withing telegraf. One must use grok patterns to parse the logs. Here is the config sample I use:
# bind locally to ingest syslog messages
[[inputs.syslog]]
server = "udp://<ipaddress>:6514"
syslog_standard = "RFC3164"
[[processors.parser]]
parse_fields = ["message"]
merge = "override"
data_format = "grok"
grok_patterns = ["%{HTTPD}", "%{GEMINI}"] # this must reference the name from grok_custom_patterns
# format; PATTERN_NAME GROK_PATTERN…
grok_custom_patterns = '''
HTTPD ^%{HOSTNAME:httphost} %{COMBINED_LOG_FORMAT} (?:%{IPORHOST:proxyip}|-) (?:%{NUMBER:proxyprot}|-)$
GEMINI ^(?:\"(?:gemini\:\/\/%{HOSTNAME:gmihost}(:%{NUMBER:gmiport})?%{NOTSPACE:request}|%{DATA:raw_request})\" %{NUMBER:response} %{NUMBER:bytes}|%{DATA})$
'''
# send parsed logs to influxdb
[[outputs.influxdb]]
urls = ["http://localhost:8086"]
database = "telegraf"
Telegraf supports logstash core patterns, as well as its own custom patterns (like %{COMBINED_LOG_FORMAT}).
You can then query your influxdb using the fields extracted from these patterns:
> USE telegraf
> SELECT xff,httphost,request FROM syslog WHERE appname = 'httpd' AND verb = 'GET' ORDER BY time DESC