updates

playbooks/monitoring/config.alloy.j2

@@ -6,8 +6,12 @@ loki.source.journal "system" {
   }
 }
 
+local.file_match "fail2ban" {
+  path_targets = [{"__path__" = "/var/log/fail2ban.log", job = "fail2ban", host = "beepi"}]
+}
+
 local.file_match "varlog" {
-  path_targets = [{"__path__" = "/var/log/*.log", job = "varlog", host = "beepi"}]
+  path_targets = [{"__path__" = "/var/log/*.log", job = "varlog", "__path_exclude__" = "/var/log/fail2ban.log", host = "beepi"}]
 }
 
 loki.source.file "varlog" {
@@ -15,6 +19,41 @@ loki.source.file "varlog" {
   forward_to = [loki.write.default.receiver]
 }
 
+loki.source.file "fail2ban_source" {
+  targets    = local.file_match.fail2ban.targets
+  forward_to = [loki.process.geoip.receiver]
+}
+
+loki.process "geoip" {
+    forward_to = [loki.write.default.receiver]
+    stage.regex {
+        expression = `^.*:\s(?<level>\w*)\s*\[(?<service>\w*)\]\s(?<type>\w*)\s(?<ip>(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}(?:(?:2([0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9]))).*$`
+        labels_from_groups = true
+    }
+
+    stage.geoip {
+        db = "/opt/database/GeoLite2-City.mmdb"
+        source = "ip"
+        db_type = "city"
+    }
+
+    stage.labels {
+        values = {
+            geoip_city_name          = "",
+            geoip_country_name       = "",
+            geoip_country_code       = "",
+            geoip_continent_name     = "",
+            geoip_continent_code     = "",
+            geoip_location_latitude  = "",
+            geoip_location_longitude = "",
+            geoip_postal_code        = "",
+            geoip_timezone           = "",
+            geoip_subdivision_name   = "",
+            geoip_subdivision_code   = "",
+        }
+    }
+}
+
 loki.write "default" {
   endpoint {
     url = "http://loki:3100/loki/api/v1/push"