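---
# Promtail configuration: receive syslog from the UniFi "Dream Router" over TCP,
# strip known noise in the pipeline, and push what remains to Loki.
#
# Review notes (defender's view):
# - The syslog listener binds every interface (0.0.0.0) in plaintext TCP. Anyone
#   who can reach port 1514 can inject or replay log lines; keep it reachable only
#   from the router's VLAN (firewall rule or a more specific listen_address), and
#   consider TLS for the receiver if the sender supports it.
# - The push URL is plain http:// with no auth; acceptable only on a trusted
#   internal network segment.
server:
  http_listen_port: 9080   # Promtail's own HTTP endpoint (metrics/ready); not the syslog port
  grpc_listen_port: 0      # 0 = gRPC server disabled

positions:
  # Positions only matter for file targets; the syslog target is push-based.
  # /tmp may be cleared on reboot — harmless here, but move it if file scraping is ever added.
  filename: /tmp/positions.yaml

clients:
  - url: http://loki:3100/loki/api/v1/push

scrape_configs:
  - job_name: syslog_ingest
    syslog:
      # NOTE(review): all interfaces, plaintext. Restrict reachability to the router VLAN.
      listen_address: '0.0.0.0:1514'
      listen_protocol: tcp
      idle_timeout: 60s
      # Was `yes` — a YAML 1.1 boolean that some loaders (YAML 1.2 / yaml.v3) read as the
      # string "yes" and then reject for a bool field. `true` is unambiguous everywhere.
      label_structured_data: true
      labels:
        job: "syslog_combined"
    relabel_configs:
      # Promote the syslog HOSTNAME field to a queryable `host` label.
      - source_labels: ['__syslog_message_hostname']
        target_label: 'host'

    # ============================================================
    # SYSLOG NOISE FILTERS
    # Estimated ~80-85% volume reduction from Dream Router
    # Applied: 2026-02-23
    # ============================================================
    # Every `expression` below is an unanchored regex matched against the raw
    # line; a match drops the line and increments the named drop counter, so
    # the effect of each filter is visible in Promtail's metrics.
    pipeline_stages:
      # --- HIGH VOLUME DROPS (~60-70% of all logs) ---

      # mDNS multicast (IPv4) - Apple/Chromecast/IoT discovery
      # Fires across EVERY VLAN (br0, br2, br5, br10, br11, br12)
      - drop:
          expression: 'DST=224\.0\.0\.251'
          drop_counter_reason: "mdns_ipv4_multicast"

      # mDNS multicast (IPv6)
      - drop:
          expression: 'DST=ff02::fb'
          drop_counter_reason: "mdns_ipv6_multicast"

      # mDNS port catch-all (anything remaining on port 5353)
      - drop:
          expression: 'DPT=5353'
          drop_counter_reason: "mdns_port_5353"

      # --- MEDIUM VOLUME DROPS (~15-20%) ---

      # mca-ctrl / stahtd daemon noise - fires every 2-3 seconds
      - drop:
          expression: 'no input for event'
          drop_counter_reason: "mca_ctrl_stahtd_noise"

      # --- LOW VOLUME DROPS (~3-5%) ---

      # UniFi device discovery broadcasts
      - drop:
          expression: 'DPT=10001'
          drop_counter_reason: "unifi_discovery"

      # hostapd WiFi AP check systemd spam (~every 30s)
      - drop:
          expression: 'hostapd-global-check'
          drop_counter_reason: "hostapd_check_spam"

      # Duplicate DNAT entries for port forwards (keeps the WAN_IN Allow line)
      - drop:
          expression: 'PortForward.*DNAT'
          drop_counter_reason: "duplicate_dnat"

      # Internal ICMP gateway pings - devices checking if gateway alive
      # NOTE(review): this pattern is not restricted to the LAN rule tag — any ICMP
      # line whose DST starts with 192.168. is dropped, which would include a
      # [WAN_IN]Block toward an internal host. Confirm that loss of visibility is
      # intended; otherwise prefix the expression with the LAN rule tag.
      - drop:
          expression: 'PROTO=ICMP.*DST=192\.168\.'
          drop_counter_reason: "internal_icmp_pings"

# ============================================================
# WHAT WE KEEP:
# - [WAN_LOCAL]Block → real attack attempts (security value)
# - [WAN_IN]Allow → legit inbound traffic log
# - Daemon errors/warnings
# - DHCP/DNS logs
# - mcad interval changes (rare, informational)
# - Everything from serviceslab (Proxmox host)
# ============================================================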