update Loki output to reflect the new API (version before of Loki <1 …

config.go

@@ -120,7 +120,7 @@ func getConfig() *types.Configuration {
 	v.SetDefault("Loki.MutualTLS", false)
 	v.SetDefault("Loki.CheckCert", true)
 	v.SetDefault("Loki.Tenant", "")
-	v.SetDefault("Loki.Endpoint", "/api/prom/push")
+	v.SetDefault("Loki.Endpoint", "/loki/api/v1/push")
 	v.SetDefault("Loki.ExtraLabels", "")
 
 	v.SetDefault("AWS.AccessKeyID", "")

config_example.yaml

@@ -86,7 +86,7 @@ loki:
   # mutualtls: false # if true, checkcert flag will be ignored (server cert will always be checked)
   # checkcert: true # check if ssl certificate of the output is valid (default: true)
   # tenant: "" # Add the tenant header if needed. Tenant header is enabled only if not empty
-  # endpoint: "/api/prom/push" # The endpoint URL path, default is "/api/prom/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
+  # endpoint: "/loki/api/v1/push" # The endpoint URL path, default is "/loki/api/v1/push" more info : https://grafana.com/docs/loki/latest/api/#post-apiprompush
   # extralabels: "" # comma separated list of fields to use as labels additionally to rule, source, priority, tags and custom_fields
 
 nats:

outputs/loki.go

@@ -1,9 +1,9 @@
 package outputs
 
 import (
+	"fmt"
 	"log"
 	"strings"
-	"time"
 
 	"github.com/falcosecurity/falcosidekick/types"
 )
@@ -13,34 +13,32 @@ type lokiPayload struct {
 }
 
 type lokiStream struct {
-	Labels  string      `json:"labels"`
-	Entries []lokiEntry `json:"entries"`
+	Stream map[string]string `json:"stream"`
+	Values []lokiValue       `json:"values"`
 }
 
-type lokiEntry struct {
-	Ts   string `json:"ts"`
-	Line string `json:"line"`
-}
+type lokiValue = []string
 
 // The Content-Type to send along with the request
 const LokiContentType = "application/json"
 
 func newLokiPayload(falcopayload types.FalcoPayload, config *types.Configuration) lokiPayload {
-	le := lokiEntry{Ts: falcopayload.Time.Format(time.RFC3339), Line: falcopayload.Output}
-	ls := lokiStream{Entries: []lokiEntry{le}}
+	s := make(map[string]string, 3+len(falcopayload.OutputFields)+len(config.Loki.ExtraLabelsList)+len(falcopayload.Tags))
+	s["rule"] = falcopayload.Rule
+	s["source"] = falcopayload.Source
+	s["priority"] = falcopayload.Priority.String()
 
-	var s string
 	for i, j := range falcopayload.OutputFields {
 		switch v := j.(type) {
 		case string:
 			for k := range config.Customfields {
 				if i == k {
-					s += strings.ReplaceAll(strings.ReplaceAll(strings.ReplaceAll(i, ".", ""), "]", ""), "[", "") + "=\"" + strings.ReplaceAll(v, "\"", "") + "\","
+					s[strings.ReplaceAll(strings.ReplaceAll(strings.ReplaceAll(i, ".", ""), "]", ""), "[", "")] = strings.ReplaceAll(v, "\"", "")
 				}
 			}
 			for _, k := range config.Loki.ExtraLabelsList {
 				if i == k {
-					s += strings.ReplaceAll(strings.ReplaceAll(strings.ReplaceAll(i, ".", ""), "]", ""), "[", "") + "=\"" + strings.ReplaceAll(v, "\"", "") + "\","
+					s[strings.ReplaceAll(strings.ReplaceAll(strings.ReplaceAll(i, ".", ""), "]", ""), "[", "")] = strings.ReplaceAll(v, "\"", "")
 				}
 			}
 		default:
@@ -49,16 +47,15 @@ func newLokiPayload(falcopayload types.FalcoPayload, config *types.Configuration
 	}
 
 	if len(falcopayload.Tags) != 0 {
-		s += "tags=\"" + strings.Join(falcopayload.Tags, ",") + "\","
+		s["tags"] = strings.Join(falcopayload.Tags, ",")
 	}
 
-	s += "rule=\"" + falcopayload.Rule + "\","
-	s += "source=\"" + falcopayload.Source + "\","
-	s += "priority=\"" + falcopayload.Priority.String() + "\""
-
-	ls.Labels = "{" + s + "}"
-
-	return lokiPayload{Streams: []lokiStream{ls}}
+	return lokiPayload{Streams: []lokiStream{
+		{
+			Stream: s,
+			Values: []lokiValue{[]string{fmt.Sprintf("%v", falcopayload.Time.UnixNano()), falcopayload.Output}},
+		},
+	}}
 }
 
 // LokiPost posts event to Loki

outputs/loki_test.go

@@ -13,13 +13,13 @@ func TestNewLokiPayload(t *testing.T) {
 	expectedOutput := lokiPayload{
 		Streams: []lokiStream{
 			{
-				Labels: "{tags=\"test,example\",rule=\"Test rule\",source=\"syscalls\",priority=\"Debug\"}",
-				Entries: []lokiEntry{
-					{
-						Ts:   "2001-01-01T01:10:00Z",
-						Line: "This is a test from falcosidekick",
-					},
+				Stream: map[string]string{
+					"tags":     "test,example",
+					"rule":     "Test rule",
+					"source":   "syscalls",
+					"priority": "Debug",
 				},
+				Values: []lokiValue{[]string{"978311400000000000", "This is a test from falcosidekick"}},
 			},
 		},
 	}