In the previous article (Logging in IPTables with NFLog and ulogd2), IPTables rules were created that send matching packets to NFLOG, where ulogd2 writes them to a file in JSON format.
With Promtail (https://grafana.com/docs/loki/latest/clients/promtail/), the log files created there can be shipped to Loki so that they can finally be displayed in Grafana.
The installation of Loki and Grafana is not covered in this article. The installation of Promtail is documented at https://grafana.com/docs/loki/latest/clients/promtail/installation/.
Once Promtail is installed, create the following configuration file at /etc/promtail-local-config.yaml:
server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  # Promtail records how far it has read each file here, so restarts do not re-send lines
  filename: /var/tmp/promtail_positions.yaml

clients:
  - url: http://loki_server:3100/loki/api/v1/push

scrape_configs:
  - job_name: iptableslogsjson
    static_configs:
      - targets:
          - localhost
        labels:
          instance: myhostname01
          job: iptableslogsjson
          __path__: /var/log/ulog/*json
    pipeline_stages:
      # json stage: expressions are JMESPath; a key containing a dot such as
      # oob.prefix must be written as a quoted identifier, hence '"oob.prefix"'
      - json:
          expressions:
            timestamp: timestamp
            prefix: '"oob.prefix"'
            src: src_ip
            dst: dest_ip
      # labels stage: promote the extracted values to Loki stream labels
      - labels:
          timestamp:
          prefix:
          src:
          dst:
With the above configuration, Promtail will attach 4 extra labels to each log line:
timestamp: the timestamp logged by ulogd2
prefix: the NFLOG prefix string (the --nflog-prefix of the matching IPTables rule)
src: the source IP address
dst: the destination IP address
One caveat: Loki stores every distinct combination of label values as a separate stream, and timestamp, src and dst have practically unbounded cardinality, so labelling them creates a new stream for almost every packet logged. For a production setup it is safer to keep only prefix (and the static instance/job labels) as labels and to extract the addresses at query time with the LogQL json parser (`| json`) instead.
Once the logs are arriving in Loki, and Loki has been configured as a datasource in Grafana, graphs can be created using LogQL.
Example:
sum(rate({job="iptableslogsjson"} [$__interval])) by (prefix)
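To see what the json and labels stages above actually produce, and why the label choice matters, here is an added example (not part of the original article or of Promtail) that emulates those two stages over a few constructed ulogd2 JSON lines and then approximates the LogQL query above by counting lines per prefix over a window. It only implements the subset of JMESPath the config uses (bare and double-quoted identifiers); real Promtail evaluates full JMESPath expressions. The sample lines are constructed, not captured traffic.

```python
import json
from collections import Counter

# Constructed sample ulogd2 JSON lines (not real traffic). The key names are the
# ones the Promtail config above refers to: timestamp, oob.prefix, src_ip, dest_ip.
SAMPLE_LINES = [
    '{"timestamp": "2021-03-01T10:00:00", "oob.prefix": "INPUT-DROP", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10", "ip.protocol": 6, "dest_port": 22}',
    '{"timestamp": "2021-03-01T10:00:05", "oob.prefix": "INPUT-DROP", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10", "ip.protocol": 6, "dest_port": 23}',
    '{"timestamp": "2021-03-01T10:00:09", "oob.prefix": "FORWARD-DROP", "src_ip": "198.51.100.4", "dest_ip": "192.0.2.20", "ip.protocol": 17, "dest_port": 53}',
    '{"timestamp": "2021-03-01T10:00:31", "oob.prefix": "INPUT-DROP", "src_ip": "203.0.113.9", "dest_ip": "192.0.2.10", "ip.protocol": 6, "dest_port": 3389}',
    '{"timestamp": "2021-03-01T10:00:44", "oob.prefix": "FORWARD-DROP", "src_ip": "198.51.100.4", "dest_ip": "192.0.2.21", "ip.protocol": 6, "dest_port": 445}',
]

# The json stage expressions from the config. In YAML the value '"oob.prefix"'
# is the string "oob.prefix" including the quotes, i.e. a JMESPath quoted identifier.
EXPRESSIONS = {
    "timestamp": "timestamp",
    "prefix": '"oob.prefix"',
    "src": "src_ip",
    "dst": "dest_ip",
}
# The labels stage from the config: which extracted values become stream labels.
LABEL_NAMES = ["timestamp", "prefix", "src", "dst"]


def resolve(expr, doc):
    """Resolve the JMESPath subset used above: a bare identifier, or a
    double-quoted identifier (required for keys that contain a dot).
    Returns None when the key is absent, as Promtail leaves the value unset."""
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        key = expr[1:-1]
    else:
        key = expr
    return doc.get(key)


def run_pipeline(line, expressions=EXPRESSIONS, label_names=LABEL_NAMES):
    """Emulate the json stage followed by the labels stage for one log line.
    Returns (labels, extracted): labels are strings, missing values are skipped."""
    doc = json.loads(line)
    extracted = {name: resolve(expr, doc) for name, expr in expressions.items()}
    labels = {n: str(extracted[n]) for n in label_names if extracted.get(n) is not None}
    return labels, extracted


def stream_count(lines, label_names=LABEL_NAMES):
    """Number of distinct Loki streams (distinct label sets) these lines create.
    With timestamp as a label this grows with the number of lines."""
    streams = set()
    for line in lines:
        labels, _ = run_pipeline(line, label_names=label_names)
        streams.add(tuple(sorted(labels.items())))
    return len(streams)


def rate_by_prefix(lines, window_seconds):
    """Approximates sum(rate({job="iptableslogsjson"}[window])) by (prefix):
    lines per second per NFLOG prefix, assuming all lines fall in the window."""
    counts = Counter(run_pipeline(line)[0].get("prefix") for line in lines)
    return {prefix: n / window_seconds for prefix, n in counts.items()}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(run_pipeline(line)[0])
    print("streams with all four labels:", stream_count(SAMPLE_LINES))
    print("streams with prefix only:   ", stream_count(SAMPLE_LINES, ["prefix"]))
    print("rate per prefix over 60s:   ", rate_by_prefix(SAMPLE_LINES, 60))
```

Running it shows the five lines turning into five separate streams when timestamp, src and dst are labels, but only two streams (one per prefix) when prefix alone is labelled; the per-prefix rate is the same either way, which is why the query above groups by prefix.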
