From d053a644fb15d78526e833c386bacf9b69c8908e Mon Sep 17 00:00:00 2001
From: Administrator
Date: Tue, 25 Nov 2025 05:30:04 +0000
Subject: [PATCH] Update 4 files

- /roles/base_setup/tasks/main.yml
- /roles/promtail/templates/promtail-service.yml.j2
- /roles/promtail/templates/promtail-config.yml.j2
- /roles/promtail/tasks/main.yml

---
 roles/base_setup/tasks/main.yml                    |  2 -
 roles/promtail/tasks/main.yml                      |  9 ++++
 .../promtail/templates/promtail-config.yml.j2      | 52 +++++++++++++------
 .../templates/promtail-service.yml.j2              | 12 +++++
 4 files changed, 56 insertions(+), 19 deletions(-)

diff --git a/roles/base_setup/tasks/main.yml b/roles/base_setup/tasks/main.yml
index c3214a5..69c6975 100644
--- a/roles/base_setup/tasks/main.yml
+++ b/roles/base_setup/tasks/main.yml
@@ -288,14 +288,12 @@
         --collector.cpu \
         --collector.meminfo \
         --collector.diskstats \
-        --collector.netdev \
         --collector.filesystem \
         --collector.loadavg \
         --collector.time \
         --collector.textfile.directory=/var/lib/node_exporter/textfile_collector \
         --web.listen-address=0.0.0.0:9100 \
         --web.telemetry-path=/metrics
-        --no-collector.netdev.address-info
 
     Restart=always
     RestartSec=5
diff --git a/roles/promtail/tasks/main.yml b/roles/promtail/tasks/main.yml
index eb38ce7..2db6a0d 100644
--- a/roles/promtail/tasks/main.yml
+++ b/roles/promtail/tasks/main.yml
@@ -19,6 +19,15 @@
     recurse: yes
   become: yes
 
+- name: Create positions file with correct permissions
+  file:
+    path: "{{ promtail_data_dir }}/positions.yaml"
+    state: touch
+    owner: promtail
+    group: promtail
+    mode: '0644'
+  become: yes
+
 - name: Add promtail user to adm group for system log access
   user:
     name: promtail
diff --git a/roles/promtail/templates/promtail-config.yml.j2 b/roles/promtail/templates/promtail-config.yml.j2
index 0435ee3..cd7c648 100644
--- a/roles/promtail/templates/promtail-config.yml.j2
+++ b/roles/promtail/templates/promtail-config.yml.j2
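Review bot: Dropping `--collector.netdev \` removes every node_network_* series (interface byte, packet and error counters) that dashboards and alerts commonly depend on, and the commit message gives no reason for it. The other removed line, `--no-collector.netdev.address-info`, was never reaching node_exporter anyway: the preceding `--web.telemetry-path=/metrics` has no trailing `\`, so it sat outside the ExecStart value as a stray unit-file line (presumably ignored with a warning by systemd), and cleaning it up is the only part of this hunk that is clearly a fix. If the intent was just that cleanup, keep `--collector.netdev \` in place; if netdev is intentionally disabled, a comment such as `# netdev collector disabled: <reason>` above the ExecStart block saves the next reader the question. The enclosing ExecStart= value and the unit content block start and end outside the hunk.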
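Review bot: `state: touch` updates the file's access and modification times on every play, so this task reports `changed` each run and is not idempotent; add `access_time: preserve` and `modification_time: preserve` so an existing positions file is left alone and only ownership and mode are enforced. `mode: '0644'` also makes the positions file world-readable; it only holds log paths and byte offsets, but `'0640'` is sufficient since only the promtail user writes it. `become: yes` matches the file's existing truthy style, though yamllint's `truthy` rule prefers `true`/`false`.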
@@ -6,7 +6,8 @@ positions:
   filename: {{ promtail_data_dir }}/positions.yaml
 
 clients:
-  - url: http://{{ loki_server_host }}:{{ loki_server_port }}/loki/api/v1/push
+  - url: http://{{ loki_server_host }}:{{ monitoring_ports.loki }}/loki/api/v1/push
+    tenant_id: "{{ inventory_hostname }}"
 
 scrape_configs:
   - job_name: system
@@ -14,23 +15,10 @@ scrape_configs:
       - targets:
           - localhost
         labels:
-          job: system-logs
+          job: varlogs
           host: "{{ inventory_hostname }}"
           __path__: /var/log/*.log
-
-  - job_name: docker
-    static_configs:
-      - targets:
-          - localhost
-        labels:
-          job: container-logs
-          host: "{{ inventory_hostname }}"
-          __path__: /var/lib/docker/containers/*/*.log
-    relabel_configs:
-      - source_labels: ['__path__']
-        target_label: container_name
-        regex: '/var/lib/docker/containers/([^/]*)/.*log'
-        replacement: '$1'
+          __path_exclude__: /var/log/*.gz
 
   - job_name: syslog
     static_configs:
@@ -39,4 +27,34 @@ scrape_configs:
         labels:
           job: syslog
           host: "{{ inventory_hostname }}"
-          __path__: /var/log/syslog
\ No newline at end of file
+          __path__: /var/log/syslog
+
+  - job_name: auth
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: auth
+          host: "{{ inventory_hostname }}"
+          __path__: /var/log/auth.log
+
+  - job_name: docker
+    static_configs:
+      - targets:
+          - localhost
+        labels:
+          job: docker
+          host: "{{ inventory_hostname }}"
+          __path__: /var/lib/docker/containers/*/*.log
+    pipeline_stages:
+      - docker: {}
+
+  - job_name: journal
+    journal:
+      max_age: 12h
+      labels:
+        job: journal
+        host: "{{ inventory_hostname }}"
+    relabel_configs:
+      - source_labels: ['__journal__systemd_unit']
+        target_label: 'unit'
\ No newline at end of file
diff --git a/roles/promtail/templates/promtail-service.yml.j2 b/roles/promtail/templates/promtail-service.yml.j2
index e77c9d7..e1bc411 100644
--- a/roles/promtail/templates/promtail-service.yml.j2
+++ b/roles/promtail/templates/promtail-service.yml.j2
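Review bot: `tenant_id: "{{ inventory_hostname }}"` makes each host its own Loki tenant, which only takes effect when Loki runs with `auth_enabled: true`; with it off the header is ignored, and with it on a Grafana datasource bound to a single `X-Scope-OrgID` sees one host's logs unless it is configured for cross-tenant queries. Loki trusts the tenant header as sent, so per-host tenants are a partitioning choice rather than an access boundary unless an authenticating proxy in front of the push endpoint enforces the host-to-tenant mapping; the push URL also stays plain `http://`, so the stream is unauthenticated and unencrypted on the wire. The swap from `loki_server_port` to `monitoring_ports.loki` assumes that dict is defined for every host the role runs on; a `| default(...)` filter or an `assert` task earlier in the role turns a missing key into a clear error instead of a template failure.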
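Review bot: `__path_exclude__: /var/log/*.gz` on the system job cannot match anything, because its `__path__` glob `/var/log/*.log` only selects names ending in `.log`, so the exclude is dead configuration; either drop it or, if rotated archives were the concern, note that they already fall outside the glob. Renaming the `job` label from `system-logs` to `varlogs` changes the selector of every stored stream, so LogQL queries, alert rules and dashboards keyed on `job="system-logs"` stop matching at the cut-over; that deserves a line in the commit message. The `- job_name: system` entry this hunk edits starts outside the hunk.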
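Review bot: The new `auth` job's `__path__: /var/log/auth.log` is also matched by the `system` job's `/var/log/*.log` glob, so every auth.log line is shipped twice (once as `job="varlogs"`, once as `job="auth"`), doubling ingestion and any counts built on it; add `__path_exclude__: /var/log/auth.log` to the system job's labels (outside this hunk) or drop one of the two. The new `docker` job carries no per-container label any more (the removed relabel rule that derived one from `__path__` has no replacement, and the `docker: {}` stage only parses the JSON envelope), so all containers on a host collapse into one stream. Reading `/var/lib/docker/containers/*/*.log` and the journal also needs filesystem access that the unit's `User=` (outside this diff) may not have — docker's log files are root-owned, and the journal is typically readable only by root and the `systemd-journal` (on Debian-family systems also `adm`) groups — so check promtail's own log for permission errors after deploy.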
@@ -15,5 +15,17 @@ KillMode=process
 Restart=on-failure
 RestartSec=5s
 
+# Security settings
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+ReadWritePaths={{ promtail_data_dir }}
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file
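Review bot: The hardening block is a sound baseline but still leaves the process its full capability bounding set, namespace creation, realtime scheduling and non-native syscall ABIs; for a shipper that only reads files and opens outbound sockets the directives below close those too, and `systemd-analyze security promtail` after deploy shows what remains (systemd releases that lack a directive log a warning and ignore it). `CapabilityBoundingSet=` is only appropriate if the unit runs under a non-root `User=` (outside this hunk); if promtail must run as root to read the docker log files, keep the minimal set it needs rather than emptying it. Note too that `ProtectSystem=strict` makes everything except `ReadWritePaths={{ promtail_data_dir }}` read-only, so if `positions.filename` in the config template ever moves out of that directory promtail can no longer write its positions file; a comment naming that coupling, `# ProtectSystem=strict: only the data dir (positions file) is writable`, helps the next editor.
```ini
# … unchanged: existing hardening directives …
ReadWritePaths={{ promtail_data_dir }}
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
ProtectKernelLogs=yes
ProtectClock=yes
ProtectHostname=yes
```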