I’m currently using the fluentbit http output plugin, fluentbit can act as an otel collector with an input plugin which could then be routed to the http output plugin. Long term I’ll probably look at adding it but there’s other features that take priority in the app itself such as scheduled searching and notifications/alerting

Thanks! definitely aiming for a stupid easy installation/management for the app itself; but in my experience getting a wide range of supported log sources is no small feat. I’ve been using fluentbit to handle collection from different sources and using the following has been working well for me:

• docker ‘journald’ log driver
• fluentbit ‘systemd’ input
• fluentbit ‘http’ output like the one in the readme

with that setup you can search for container logs by name which works great with compose:

or process logs from an nginx container like this to see traffic from external hosts:

I’ll add a more complete example to the docs, but if you look in the repo there’s a complete example for receiving and ingesting syslog that you can run with just “docker compose up”

Oh I wasn’t using it as a full recursive resolver - just reading the resolv.conf set by docker and sending requests

More good points, thank you! for trust-dns-resolver that’s a relic from a previous iteration that had polling external sources and needed to resolve dns records. Since i haven’t gotten around to re-implementing that feature it should be removed. As for why - I actually needed to bring my own resolver since the docker container is a scratch image containing only some base directories and the server binary so there isn’t any OS etc to lean on for things like dns; means that the whole image is ~15.5MB which is nice and negates a whole class of vulnerabilities.

Understood that your actual point is to document this stuff and not answer the trivia question though

Thanks! it’s definitely got a way to go before it’s remotely competitive with any of the enterprise solutions out there, but you make a good point about having comparisons so I’ll look at adding it.

I’m basically building it to have a KQL/LogScale/Splunk/Sumologic style search experience while being trivial to deploy (relative to others at least…) since I miss having that kind of search tooling when not at work; but I don’t want to pay for or maintain that kind of thing in a lab context. It creates a Tantivy index per day for log storage (with scoring and postings disabled for space savings).

In the end my main goal of the project was as a vehicle to get better at programming with, and if I get a tool I can use for my lab then that’s great too lol.

So the PC connected to opnsense is running proxmox for it’s OS? Create a bridge for each physical interface, then add a tagged interface to it for the one connected to opnsense; Eg, vmbr2 could have enp2s0.100 and enp9s1f0 as members. Just add .vlanid to the end of the interface name in the bridge settings in proxmox, and don’t make the bridges vlan aware. If vmbr0 is vlan aware then just add vmbr0.100 instead of enp2s0.100 With that setup the server will switch packets between the vlans on enp2s0 and the other interfaces. Don’t need to put any VMs on the bridges

Will add: this is using the PC like a switch, you’re probably better off using an actual switch with vlan configuration instead

deleted by creator