
Allow VictoriaLogs data source to dynamically set the type label (and maybe add some parsed data) #3624

Open

@thebondo

Description

/kind enhancement

What would you like to be added?

Add a mechanism for setting event.Line.Labels.type dynamically based on the query response from VictoriaLogs for each event.

Add a mechanism to include other results from the VictoriaLogs JSON in the event.Parsed map.

Why is this needed?

The s00-raw parser crowdsecurity/non-syslog that is included with the crowdsecurity/linux collection takes the event.Line.Labels.type value and puts it into event.Parsed.program. This value is then used for selecting the parser for the next stage. Currently, the VictoriaLogs data source uses a static Labels map from the acquisition configuration to set a single static value for the type.

If you have a VictoriaLogs instance that collects logs from multiple types of sources, then you currently would need to configure multiple CrowdSecurity data sources, using a separate query and Labels.type value to ingest them into CrowdSecurity. This could be simplified by allowing the data source to dynamically set the Labels.type value for each event based on a value from the full JSON value returned by the VictoriaLogs query.

So instead of something like this in /etc/crowdsec/acquis.yaml:

source: victorialogs
mode: tail
url: http://127.0.0.1:9428
query: 'service:sshd'
labels:
  type: sshd
---
source: victorialogs
mode: tail
url: http://127.0.0.1:9428
query: 'service:nginx'
labels:
  type: nginx

requiring a separate configuration for every service, you could have something like:

source: victorialogs
mode: tail
url: http://127.0.0.1:9428
query: '*'
label_key: service

and then have the data source code automatically set event.Line.Labels.type to the value of service from the JSON blob that was received for the event.

It might also be helpful to make more of the parsed JSON received from VictoriaLogs available in CrowdSecurity by copying keys into event.Parsed.

Note: I have already created working code that maps JSON results from VictoriaLogs into event.Parsed with a configurable remapping of names and works together with a new s00-raw parser for getting the event to the appropriate parser at the next stage. But my approach might be a bit more general than is desired, and at least being able to set the type dynamically would be awesome.
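The mapping the issue proposes, as an added stand-alone illustration (this is not CrowdSec's code nor the author's patch): a single VictoriaLogs result line is turned into a simplified event whose type label comes from the configured `label_key` field, with the static `labels.type` kept as a fallback when that field is missing or is not a string, and selected JSON fields copied into the parsed map under configurable names. The `Config` and `Event` structs and the `ParsedKeys` remapping are hypothetical simplifications, and the sample log lines are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Config is a hypothetical, reduced view of the acquisition settings discussed
// in the issue: the existing static labels map plus the proposed label_key.
type Config struct {
	Labels     map[string]string // static labels from acquis.yaml (e.g. type: sshd)
	LabelKey   string            // proposed: JSON field whose value becomes labels.type
	ParsedKeys map[string]string // proposed: JSON field -> name under event.Parsed
}

// Event is a hypothetical stand-in for the Labels and Parsed parts of a CrowdSec event.
type Event struct {
	Labels map[string]string
	Parsed map[string]string
}

// buildEvent applies the proposed dynamic labelling to one VictoriaLogs JSON line.
// If label_key is absent, empty, or not a string, the static type is kept so the
// event still reaches the parser chain instead of being silently dropped.
func buildEvent(cfg Config, line []byte) (Event, error) {
	var fields map[string]any
	if err := json.Unmarshal(line, &fields); err != nil {
		return Event{}, fmt.Errorf("victorialogs line is not a JSON object: %w", err)
	}
	ev := Event{Labels: map[string]string{}, Parsed: map[string]string{}}
	for k, v := range cfg.Labels { // start from the static labels
		ev.Labels[k] = v
	}
	if s, ok := fields[cfg.LabelKey].(string); cfg.LabelKey != "" && ok && s != "" {
		ev.Labels["type"] = s // dynamic override from the log's own field
	}
	for src, dst := range cfg.ParsedKeys { // copy selected fields into Parsed
		if v, ok := fields[src]; ok {
			ev.Parsed[dst] = fmt.Sprint(v)
		}
	}
	return ev, nil
}

func main() {
	cfg := Config{Labels: map[string]string{"type": "syslog"}, LabelKey: "service",
		ParsedKeys: map[string]string{"hostname": "host"}}
	// Constructed sample line, not real VictoriaLogs output.
	ev, _ := buildEvent(cfg, []byte(`{"_msg":"Failed password","service":"sshd","hostname":"web1"}`))
	fmt.Println(ev.Labels["type"], ev.Parsed["host"]) // sshd web1
}
```

Because the type label now comes from the ingested data rather than from the operator's configuration, a log whose `service` field carries an unknown value simply lands on no matching parser; a fallback static type keeps such events visible for review.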
