IPTables Logs in Loki and Grafana (with Promtail)

Johnny Morano — Fri, 01 Apr 2022 08:00:00 +0000

In the previous article (Logging in IPTables with NFLog and ulogd2) rules were created to log certain IPTables rules with the use of NFLOG and ulogd2 to a file in JSON format.

With Promtail (https://grafana.com/docs/loki/latest/clients/promtail/), the above created log files can be sent to Loki so that they can finally be displayed in Grafana.

The installation of both Loki and Grafana are not covered in this article. The installation of Promtail is documented at https://grafana.com/docs/loki/latest/clients/promtail/installation/.

Once Promtail is installed, create the following configuration file at /etc/promtail-local-config.yaml:

server:                                                                                                                                                                                                            
  http_listen_port: 9080                                                                                                                                                                                           
  grpc_listen_port: 0                                                                                                                                                                                              
                                                                                                                                                                                                                   
positions:                                                                                                                                                                                                         
  filename: /var/tmp/promtail_positions.yaml                                                                                                                                                                       
                                                                                                                                                                                                                   
clients:                                                                                                                                                                                                           
  - url: http://loki_server:3100/loki/api/v1/push       
                                                                                                                                                               
scrape_configs:
    - job_name: iptableslogsjson
      static_configs:
      - targets:
          - localhost
        labels:
          instance: myhostname01
          job: iptableslogsjson
          __path__: /var/log/ulog/*json
      pipeline_stages:
      - json:
          expressions:
            timestamp: timestamp
            prefix: '"oob.prefix"'
            src: src_ip
            dst: dest_ip
      - labels:
          timestamp:
          prefix:
          src:
          dst:

With the above configuration, Promtail will create 4 extra labels per log line:

timestamp: Contains the logged timestamp
prefix: the NFLOG prefix string
src: the source IP address
dst: the destination IP address

Once the logs are arriving in Loki, and Loki has been configured as a datasource in Grafana, graphs can be created using LogQL.

Example:

sum(rate({job="iptableslogsjson"} [$__interval])) by (prefix)

Promtail – Johnny Morano's Tech Articles

IPTables Logs in Loki and Grafana (with Promtail)