Open CupcakeMunster opened 1 month ago
This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it.
If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue.
The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity.
Thank you for your contributions!
Request
Support the auto detection of RFC5424 PRIVAL header and parse to detect the correct severity of a syslog message.
From RFC5424: `6.2.1. PRI
The PRI part MUST have three, four, or five characters and will be bound with angle brackets as the first and last characters. The PRI part starts with a leading "<" ('less-than' character, %d60), followed by a number, which is followed by a ">" ('greater-than' character, %d62). The number contained within these angle brackets is known as the Priority value (PRIVAL) and represents both the Facility and Severity. The Priority value consists of one, two, or three decimal integers (ABNF DIGITS) using values of %d48 (for "0") through %d57 (for "9").`
https://grafana.com/docs/alloy/latest/reference/components/loki/loki.source.syslog/ states the syslog messages must be compliant with RFC5424.
Use case
The use case is for configuring Alloy as a syslog collector residing on a network. All devices capable of sending RFC5424-compliant syslog messages will send all logs to the Alloy collectors where, by default, the syslog messages are parsed and labels appended. Example: an OPNsense device is configured to send RFC5424 syslog to Alloy. The header of a log contains <134>, which represents a syslog entry with a severity of 'informational'. This can be mapped to 'level=info'.
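An added example, not part of the original issue and not Alloy's own code, showing the PRIVAL decoding the request describes: facility is PRIVAL divided by 8, severity is PRIVAL modulo 8, and malformed PRI parts are rejected. The names `ParsePRI`, `LevelFor` and `levelNames` are hypothetical, and every level string other than `info` for severity 6 is an assumed mapping.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// levelNames maps syslog severity 0-7 to a level label value. Only
// 6 -> "info" comes from the issue; the other strings are assumptions.
var levelNames = [8]string{"emergency", "alert", "critical", "error",
	"warning", "notice", "info", "debug"}
var errBadPRI = errors.New("invalid RFC 5424 PRI")

// ParsePRI (hypothetical helper) reads the leading "<PRIVAL>" of a syslog
// message and returns its facility and severity.
func ParsePRI(msg string) (facility, severity int, err error) {
	end := strings.IndexByte(msg, '>')
	// PRI is 3 to 5 characters with brackets, so '>' sits at index 2..4.
	if !strings.HasPrefix(msg, "<") || end < 2 || end > 4 {
		return 0, 0, errBadPRI
	}
	digits := msg[1:end]
	if len(digits) > 1 && digits[0] == '0' { // RFC 5424: no leading zeros
		return 0, 0, errBadPRI
	}
	prival := 0
	for _, c := range []byte(digits) {
		if c < '0' || c > '9' {
			return 0, 0, errBadPRI
		}
		prival = prival*10 + int(c-'0')
	}
	if prival > 191 { // highest facility 23 * 8 + highest severity 7
		return 0, 0, errBadPRI
	}
	return prival / 8, prival % 8, nil
}

// LevelFor returns the level label value, or "" when the PRI is malformed
// so the caller can leave the label unset instead of guessing.
func LevelFor(msg string) string {
	_, sev, err := ParsePRI(msg)
	if err != nil {
		return ""
	}
	return levelNames[sev]
}

func main() {
	// Constructed sample line; <134> = facility 16 (local0), severity 6.
	fmt.Println(LevelFor("<134>1 2024-01-01T00:00:00Z fw01 filterlog - - - pass"))
}
```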