suricata-grafana-docker/promtail-config.yml

server:
  http_listen_port: 9080
  grpc_listen_port: 0
# Log only messages with the given severity or above. Supported values [debug,
# info, warn, error]
#  log_level: debug
positions:
  filename: /tmp/positions.yaml
clients:
  - url: http://loki:3100/loki/api/v1/push
scrape_configs:
  - job_name: suricata
# json on eve.json
    pipeline_stages:
         - json:
             expressions:
               event_type: event_type
               src_ip: src_ip
               proto: proto
               dest_port: dest_port
               alert:
         - json:
             expressions:
               action: action
               signature_id: signature_id
               signature: signature
               category: category
               severity: severity
             source: alert
         - labels:
             event_type:
             src_ip:
             proto:
             dest_port:
             signature_id:
             signature:
             category:
             severity:
    static_configs:
      - targets:
        - localhost
        labels:
          job: suricata_logs
          __path__: /var/log/eve.json