promtail-config-optimized.yaml

server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://loki:3100/loki/api/v1/push

scrape_configs:
  - job_name: syslog_ingest
    syslog:
      listen_address: 0.0.0.0:1514
      listen_protocol: tcp
      idle_timeout: 60s
      label_structured_data: yes
      labels:
        job: "syslog_combined"
    relabel_configs:
      - source_labels: ['__syslog_message_hostname']
        target_label: 'host'

    # ============================================================
    # SYSLOG NOISE FILTERS
    # Estimated ~80-85% volume reduction from Dream Router
    # Applied: 2026-02-23
    # ============================================================
    pipeline_stages:
      # --- HIGH VOLUME DROPS (~60-70% of all logs) ---

      # mDNS multicast (IPv4) - Apple/Chromecast/IoT discovery
      # Fires across EVERY VLAN (br0, br2, br5, br10, br11, br12)
      - drop:
          expression: 'DST=224\.0\.0\.251'
          drop_counter_reason: "mdns_ipv4_multicast"

      # mDNS multicast (IPv6)
      - drop:
          expression: 'DST=ff02::fb'
          drop_counter_reason: "mdns_ipv6_multicast"

      # mDNS port catch-all (anything remaining on port 5353)
      - drop:
          expression: 'DPT=5353'
          drop_counter_reason: "mdns_port_5353"

      # --- MEDIUM VOLUME DROPS (~15-20%) ---

      # mca-ctrl / stahtd daemon noise - fires every 2-3 seconds
      - drop:
          expression: 'no input for event'
          drop_counter_reason: "mca_ctrl_stahtd_noise"

      # --- LOW VOLUME DROPS (~3-5%) ---

      # UniFi device discovery broadcasts
      - drop:
          expression: 'DPT=10001'
          drop_counter_reason: "unifi_discovery"

      # hostapd WiFi AP check systemd spam (~every 30s)
      - drop:
          expression: 'hostapd-global-check'
          drop_counter_reason: "hostapd_check_spam"

      # Duplicate DNAT entries for port forwards (keeps the WAN_IN Allow line)
      - drop:
          expression: 'PortForward.*DNAT'
          drop_counter_reason: "duplicate_dnat"

      # Internal ICMP gateway pings - devices checking if gateway alive
      - drop:
          expression: 'PROTO=ICMP.*DST=192\.168\.'
          drop_counter_reason: "internal_icmp_pings"

      # ============================================================
      # WHAT WE KEEP:
      # - [WAN_LOCAL]Block  → real attack attempts (security value)
      # - [WAN_IN]Allow     → legit inbound traffic log
      # - Daemon errors/warnings
      # - DHCP/DNS logs
      # - mcad interval changes (rare, informational)
      # - Everything from serviceslab (Proxmox host)
      # ============================================================
Add Cloudflare and Loki MCP server integrations Features: - Cloudflare Code Mode MCP: Exposes entire Cloudflare API (2,500+ endpoints) via remote MCP server at https://mcp.cloudflare.com/mcp * Two tools: search() to query OpenAPI spec, execute() to run JS code * Uses npx mcp-remote as stdio bridge * Auth via CLOUDFLARE_API_TOKEN as Bearer header - Loki MCP Server: Log querying and analysis via Loki HTTP API * Query logs with LogQL syntax * Real-time log streaming support * Label introspection and metrics queries * Configurable via LOKI_URL environment variable Technical changes: - Created mcp_servers/cloudflare/ with config and connection logic - Created mcp_servers/loki/ with HTTP client and MCP tool wrappers - Added promtail-config-optimized.yaml for syslog ingestion config - Updated .env.example with Cloudflare and Loki configuration templates Both integrations: - Use environment variables for configuration (no hardcoded credentials) - Include feature flags (CLOUDFLARE_MCP_ENABLED, LOKI_MCP_ENABLED) - Follow existing MCP server patterns for consistency Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-02-24 12:35:04 -07:00			`server:`
			`http_listen_port: 9080`
			`grpc_listen_port: 0`

			`positions:`
			`filename: /tmp/positions.yaml`

			`clients:`
			`- url: http://loki:3100/loki/api/v1/push`

			`scrape_configs:`
			`- job_name: syslog_ingest`
			`syslog:`
			`listen_address: 0.0.0.0:1514`
			`listen_protocol: tcp`
			`idle_timeout: 60s`
			`label_structured_data: yes`
			`labels:`
			`job: "syslog_combined"`
			`relabel_configs:`
			`- source_labels: ['__syslog_message_hostname']`
			`target_label: 'host'`

			`# ============================================================`
			`# SYSLOG NOISE FILTERS`
			`# Estimated ~80-85% volume reduction from Dream Router`
			`# Applied: 2026-02-23`
			`# ============================================================`
			`pipeline_stages:`
			`# --- HIGH VOLUME DROPS (~60-70% of all logs) ---`

			`# mDNS multicast (IPv4) - Apple/Chromecast/IoT discovery`
			`# Fires across EVERY VLAN (br0, br2, br5, br10, br11, br12)`
			`- drop:`
			`expression: 'DST=224\.0\.0\.251'`
			`drop_counter_reason: "mdns_ipv4_multicast"`

			`# mDNS multicast (IPv6)`
			`- drop:`
			`expression: 'DST=ff02::fb'`
			`drop_counter_reason: "mdns_ipv6_multicast"`

			`# mDNS port catch-all (anything remaining on port 5353)`
			`- drop:`
			`expression: 'DPT=5353'`
			`drop_counter_reason: "mdns_port_5353"`

			`# --- MEDIUM VOLUME DROPS (~15-20%) ---`

			`# mca-ctrl / stahtd daemon noise - fires every 2-3 seconds`
			`- drop:`
			`expression: 'no input for event'`
			`drop_counter_reason: "mca_ctrl_stahtd_noise"`

			`# --- LOW VOLUME DROPS (~3-5%) ---`

			`# UniFi device discovery broadcasts`
			`- drop:`
			`expression: 'DPT=10001'`
			`drop_counter_reason: "unifi_discovery"`

			`# hostapd WiFi AP check systemd spam (~every 30s)`
			`- drop:`
			`expression: 'hostapd-global-check'`
			`drop_counter_reason: "hostapd_check_spam"`

			`# Duplicate DNAT entries for port forwards (keeps the WAN_IN Allow line)`
			`- drop:`
			`expression: 'PortForward.*DNAT'`
			`drop_counter_reason: "duplicate_dnat"`

			`# Internal ICMP gateway pings - devices checking if gateway alive`
			`- drop:`
			`expression: 'PROTO=ICMP.*DST=192\.168\.'`
			`drop_counter_reason: "internal_icmp_pings"`

			`# ============================================================`
			`# WHAT WE KEEP:`
			`# - [WAN_LOCAL]Block → real attack attempts (security value)`
			`# - [WAN_IN]Allow → legit inbound traffic log`
			`# - Daemon errors/warnings`
			`# - DHCP/DNS logs`
			`# - mcad interval changes (rare, informational)`
			`# - Everything from serviceslab (Proxmox host)`
			`# ============================================================`