jramos/ajarbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bb86a9eef5de9220e96ab81a0dab454734c73f20
ajarbot/promtail-config-optimized.yaml
Jordan Ramos bb86a9eef5 Add Cloudflare and Loki MCP server integrations 
Features:
- Cloudflare Code Mode MCP: Exposes entire Cloudflare API (2,500+ endpoints)
  via remote MCP server at https://mcp.cloudflare.com/mcp
  * Two tools: search() to query OpenAPI spec, execute() to run JS code
  * Uses npx mcp-remote as stdio bridge
  * Auth via CLOUDFLARE_API_TOKEN as Bearer header

- Loki MCP Server: Log querying and analysis via Loki HTTP API
  * Query logs with LogQL syntax
  * Real-time log streaming support
  * Label introspection and metrics queries
  * Configurable via LOKI_URL environment variable

Technical changes:
- Created mcp_servers/cloudflare/ with config and connection logic
- Created mcp_servers/loki/ with HTTP client and MCP tool wrappers
- Added promtail-config-optimized.yaml for syslog ingestion config
- Updated .env.example with Cloudflare and Loki configuration templates

Both integrations:
- Use environment variables for configuration (no hardcoded credentials)
- Include feature flags (CLOUDFLARE_MCP_ENABLED, LOKI_MCP_ENABLED)
- Follow existing MCP server patterns for consistency

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-24 12:35:04 -07:00

86 lines
2.7 KiB
YAML
Raw Blame History

server:
http_listen_port: 9080
grpc_listen_port: 0
positions:
filename: /tmp/positions.yaml
clients:
- url: http://loki:3100/loki/api/v1/push
scrape_configs:
- job_name: syslog_ingest
syslog:
listen_address: 0.0.0.0:1514
listen_protocol: tcp
idle_timeout: 60s
label_structured_data: yes
labels:
job: "syslog_combined"
relabel_configs:
- source_labels: ['__syslog_message_hostname']
target_label: 'host'
# ============================================================
# SYSLOG NOISE FILTERS
# Estimated ~80-85% volume reduction from Dream Router
# Applied: 2026-02-23
# ============================================================
pipeline_stages:
# --- HIGH VOLUME DROPS (~60-70% of all logs) ---
# mDNS multicast (IPv4) - Apple/Chromecast/IoT discovery
# Fires across EVERY VLAN (br0, br2, br5, br10, br11, br12)
- drop:
expression: 'DST=224\.0\.0\.251'
drop_counter_reason: "mdns_ipv4_multicast"
# mDNS multicast (IPv6)
- drop:
expression: 'DST=ff02::fb'
drop_counter_reason: "mdns_ipv6_multicast"
# mDNS port catch-all (anything remaining on port 5353)
- drop:
expression: 'DPT=5353'
drop_counter_reason: "mdns_port_5353"
# --- MEDIUM VOLUME DROPS (~15-20%) ---
# mca-ctrl / stahtd daemon noise - fires every 2-3 seconds
- drop:
expression: 'no input for event'
drop_counter_reason: "mca_ctrl_stahtd_noise"
# --- LOW VOLUME DROPS (~3-5%) ---
# UniFi device discovery broadcasts
- drop:
expression: 'DPT=10001'
drop_counter_reason: "unifi_discovery"
# hostapd WiFi AP check systemd spam (~every 30s)
- drop:
expression: 'hostapd-global-check'
drop_counter_reason: "hostapd_check_spam"
# Duplicate DNAT entries for port forwards (keeps the WAN_IN Allow line)
- drop:
expression: 'PortForward.*DNAT'
drop_counter_reason: "duplicate_dnat"
# Internal ICMP gateway pings - devices checking if gateway alive
- drop:
expression: 'PROTO=ICMP.*DST=192\.168\.'
drop_counter_reason: "internal_icmp_pings"
# ============================================================
# WHAT WE KEEP:
# - [WAN_LOCAL]Block → real attack attempts (security value)
# - [WAN_IN]Allow → legit inbound traffic log
# - Daemon errors/warnings
# - DHCP/DNS logs
# - mcad interval changes (rare, informational)
# - Everything from serviceslab (Proxmox host)
# ============================================================
Reference in New Issue View Git Blame Copy Permalink