Updated log processing documentation.

policies/README.md

@@ -43,14 +43,42 @@ Add the following configuration to your Alloy setup:
 ```hcl
 loki.source.file "vault_audit_log" {
     targets = [
-        {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info"},
+        {"__path__" = "/var/log/vault/audit.log", "log_name" = "vault_audit", "level" = "info", "service" = "vault"},
     ]
-    forward_to = [loki.write.default.receiver]
     tail_from_end = true
+    forward_to = [loki.process.vault_audit.receiver]
+}
+
+loki.process "vault_audit" {
+    stage.json {
+        expressions = {error = "error"}
+    }
+
+    stage.labels {
+        values = { __has_error = "error" }
+    }
+
+    stage.match {
+        selector = "{__has_error!=\"\"}"
+
+        stage.static_labels {
+            values = {level = "error"}
+        }
+    }
+
+    stage.label_drop {
+        values = ["__has_error"]
+    }
+
+    forward_to = [loki.write.default.receiver]
 }
 ```
 
-> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries. It is (probably) required because the audit log file does not contain timestamps and only entry guids.
+> **Note:** `tail_from_end = true` ensures that only new log entries are read, preventing the ingestion of old lines/entries.
+> It is (probably) required because the audit log file does not contain timestamps and only entry guids.
+> Without this setting, Alloy may re-ingest old log entries upon restart.
+>
+> `loki.process` extracts message level from the `error` field in the JSON log entry.
 
 Check auditing configuration with: