From 4c489a05f50e0afb2036328d6e78fa2eba28e098 Mon Sep 17 00:00:00 2001 From: Slawomir Koszewski Date: Wed, 21 Jan 2026 06:58:46 +0100 Subject: [PATCH] Updated log processing documentation. --- policies/README.md | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/policies/README.md b/policies/README.md index 8b7245d..4364b55 100644 --- a/policies/README.md +++ b/policies/README.md @@ -43,14 +43,42 @@ Add the following configuration to your Alloy setup: ```hcl loki.source.file "vault_audit_log" { targets = [ - {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info"}, + {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info", "service" = "vault"}, ] - forward_to = [loki.write.default.receiver] tail_from_end = true + forward_to = [loki.process.vault_audit.receiver] +} + +loki.process "vault_audit" { + stage.json { + expressions = {error = "error"} + } + + stage.labels { + values = { __has_error = "error" } + } + + stage.match { + selector = "{__has_error!=\"\"}" + + stage.static_labels { + values = {level = "error"} + } + } + + stage.label_drop { + values = ["__has_error"] + } + + forward_to = [loki.write.default.receiver] } ``` -> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries. It is (probably) required because the audit log file does not contain timestamps and only entry guids. +> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries. +> It is (probably) required because the audit log file does not contain timestamps and only entry guids. +> Without this setting, Alloy may re-ingest old log entries upon restart. +> +> `loki.process` extracts message level from the `error` field in the JSON log entry. Check auditing configuration with: