Log Formats & Filters Reference
Built-in Formats
Section titled “Built-in Formats”Glouton includes built-in log formats for common services. These can be referenced by name in file receivers, container configuration, or service definitions.
Naming Convention
Section titled “Naming Convention”Built-in formats follow a naming convention:
{service}— for parsing host log files (e.g.,nginx_access,redis){service}_docker— for parsing container logs (e.g.,nginx_docker,redis_docker){service}_both— works with both host files and containers (e.g.,nginx_both,apache_both)
Format Reference
Section titled “Format Reference”| Service | Host Formats | Container Formats | Combined |
|---|---|---|---|
| Nginx | nginx_access, nginx_error | — | nginx_both |
| Apache | apache_access, apache_error | — | apache_both |
| PostgreSQL | postgresql | postgresql_docker | — |
| MySQL | mysql | mysql_docker | — |
| Redis | redis | redis_docker | — |
| Valkey | valkey | valkey_docker | — |
| Kafka | kafka | kafka_docker | — |
| HAProxy | haproxy | haproxy_docker | — |
| MongoDB | mongodb | mongodb_docker | — |
| RabbitMQ | rabbitmq | rabbitmq_docker | — |
| JSON | json | — | — |
| Go slog | json_golang_slog | — | — |
What Formats Do
Section titled “What Formats Do”Each built-in format provides:
- Log parsing — extracts structured fields from log lines (e.g., HTTP method, status code, client IP)
- Timestamp extraction — parses timestamps from log entries into the standard OpenTelemetry timestamp field
- Severity mapping — maps service-specific severity levels (e.g.,
[error],WRN) to standard OpenTelemetry severity levels
Custom Formats
Section titled “Custom Formats”Define custom log formats using the log.opentelemetry.known_log_formats
setting. Each format is a list of Stanza operators.
log.opentelemetry.known_log_formats: my_app_parser: - type: json_parser timestamp: parse_from: attributes.time layout: '%Y-%m-%dT%H:%M:%S.%L%z' layout_type: strptime severity: parse_from: attributes.level mapping: debug: 'DBG' info: 'INF' warn: 'WRN' error: 'ERR' fatal: 'FTL' - type: remove field: attributes['some-attr']In the above example, the timestamp and severity sections are optional settings of the json_parser operator.
Similarly, inside the severity setting, the mapping field is optional.
Custom formats do not override the built-in defaults unless they share the same name.
Available Operator Types
Section titled “Available Operator Types”Operators are based on Stanza’s operators. The full list of available types includes:
- Parsers:
json_parser,regex_parser,csv_parser,syslog_parser,key_value_parser - Transform:
add,remove,move,copy,flatten,retain - Filter:
filter - Router:
router
See the Stanza operators documentation for the complete reference.
Known Log Filters
Section titled “Known Log Filters”Define reusable log filters with log.opentelemetry.known_log_filters.
These can be referenced by name in service or container configurations.
log.opentelemetry.known_log_filters: min_level_info: include: match_type: strict severity_number: min: info match_undefined: trueGlobal Filters
Section titled “Global Filters”Global filters apply to all log sources: auto-discovered services, file receivers,
container logs, and OTLP receivers. Configure them with
log.opentelemetry.global_filters.
OTTL Drop Filter
Section titled “OTTL Drop Filter”Drop matching log records using OpenTelemetry Transformation Language expressions:
log.opentelemetry.global_filters: log_record: - "Hour(Now()) < 7 or Hour(Now()) > 19"Include / Exclude Filters
Section titled “Include / Exclude Filters”log.opentelemetry.global_filters: include: match_type: strict record_attributes: - key: 'container.name' value: 'app-01' exclude: match_type: regexp severity_texts: - 'debug' - 'trace'Filter Structure Reference
Section titled “Filter Structure Reference”Both per-receiver filters and global filters support the same structure:
| Field | Description |
|---|---|
log_record | List of OTTL expressions; matching records are dropped |
include.match_type | strict (exact match) or regexp |
include.resource_attributes | Match on resource attributes (key/value pairs) |
include.record_attributes | Match on record attributes (key/value pairs) |
include.severity_texts | Match on severity text values |
include.severity_number | Match on severity number (min, match_undefined) |
include.bodies | Match on log body content |
exclude | Same structure as include |
Behavior notes:
- All conditions within
includeorexcludeuse OR logic - Entries inside each section are also OR conditions
- When both
includeandexcludeare specified,includefiltering occurs first