grafana loki docker-compose file and vector settings

docker-compose.yaml

version: "3"

networks:
  loki:

services:
  loki:
    image: grafana/loki:2.4.0
    volumes:
      - ./loki:/etc/loki
    ports:
      - "3100:3100"
    command: -config.file=/etc/loki/local-config.yaml
    networks:
      - loki

  grafana:
    image: grafana/grafana:latest
    user: "1000"
    volumes:
      - ./grafana:/var/lib/grafana
    ports:
      - "3000:3000"
    networks:
      - loki

vector.toml

[sources.source_syslog]
type = "syslog"
address = "0.0.0.0:1514"
max_length = 102_400
mode = "udp"
path = "/tmp/syslog_udp"

[sinks.sink_loki]
type = "loki"
inputs = [ "source_syslog" ]
endpoint = "http://localhost:3100"
labels.datasource = "source_syslog"
out_of_order_action = "rewrite_timestamp"
encoding.codec = "json"

Thanks for sharing this..

How many logs you see, maybe I misconfigured, but all I can see is some admin logs like this.

CEF:0|Ubiquiti|UniFi OS|4.2.12|admins|1|msg=user accessed the UniFi OS via the console's IP. Source IP: 192.168.10.50

Do you have some kind of firewall logs with this setup?

EDIT:
Found it in CyberSecure > TrafficLogging

hey @mac-lucky,

I believe I was able to get more logs than that but no fw logs, iirc. I'm still running a bunch of old unifi stuff that has limited capabilities.

Curious to know if you were able to log suricata/proofpoint alerts and blocked traffic with the new system.

I got firewall logs and I think it is the only useful thing 😏 I think there should be a way to send files from the UDM /var/log folder with Vector. Maybe some will figure it out 😄