// Alloy configuration
// Collects: (1) Docker container logs, (2) Syslog from network devices (MikroTik etc.)
// Pushes everything to local Loki instance.

// ── Loki destination ──────────────────────────────────────────────────────────
loki.write "local_loki" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}

// ── Docker container log collection ──────────────────────────────────────────
// Discovers all running containers and tails their logs automatically.
// New containers are picked up without restarting Alloy.

discovery.docker "containers" {
  host = "unix:///var/run/docker.sock"
}

discovery.relabel "docker_labels" {
  targets = discovery.docker.containers.targets

  // Use container name as the job label (strips the leading slash Docker adds)
  rule {
    source_labels = ["__meta_docker_container_name"]
    regex         = "/(.*)"
    target_label  = "container"
  }

  // Carry through the Docker Compose service name if present
  rule {
    source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
    target_label  = "service"
  }

  // Carry through the Docker Compose project name if present
  rule {
    source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
    target_label  = "compose_project"
  }

  rule {
    target_label = "source"
    replacement  = "docker"
  }
}

loki.source.docker "docker_logs" {
  host          = "unix:///var/run/docker.sock"
  targets       = discovery.relabel.docker_labels.output
  forward_to    = [loki.write.local_loki.receiver]
  relabeling {
    source_labels = ["__meta_docker_container_name"]
    regex         = "/(.*)"
    target_label  = "container"
  }
}

// ── Syslog receiver (MikroTik RB5009 and other network devices) ──────────────
// Listens on UDP 514 and TCP 514.
// On your RB5009, set the remote logging action to point at this host's IP.

loki.source.syslog "network_syslog" {
  listener {
    address  = "0.0.0.0:514"
    protocol = "udp"
    labels = {
      source = "syslog",
      job    = "network_devices",
    }
  }
  listener {
    address  = "0.0.0.0:514"
    protocol = "tcp"
    labels = {
      source = "syslog",
      job    = "network_devices",
    }
  }

  forward_to = [loki.process.syslog_relabel.receiver]
}

// Enrich syslog entries with a hostname label extracted from the syslog message
loki.process "syslog_relabel" {
  forward_to = [loki.write.local_loki.receiver]

  stage.syslog {}   // Parses RFC3164/RFC5424 syslog and extracts hostname, app, facility, severity

  stage.labels {
    values = {
      hostname = "hostname",   // Extracted by stage.syslog
      app      = "app_name",   // e.g. "dhcp", "firewall", "interface" on RouterOS
      severity = "severity",
      facility = "facility",
    }
  }
}