This tool uses netlink sockets to receive netfilter log messages and write them to Loki without having to install ulogd.
By default, log messages generated by nftables go to the kernel log, which can mean a lot of spam in dmesg, kern.log, and possibly syslog. However, nftables lets you specify a 'log group' (an NFLOG group number). For example, here is a trivial ruleset that only allows packets through that are associated with an established connection. The last rule in this example chain logs the packet to group 2 before dropping it:
    table inet filter {
        chain only_established {
            type filter hook input priority filter
            ct state established,related counter accept
            log prefix "input_drop" group 2 drop
        }
    }
nftables emits each such log message on a netlink socket (the nfnetlink_log subsystem), where it can be read from userspace.
The normal path for getting these logs is to install ulogd, then configure ulogd to put text files somewhere that Promtail can parse. Promtail then pushes them to Loki. Running this way for a while, I found it was hard to get a set of configurations on both the ulogd and Promtail side that got these logs into a format that was useful to me. My main goal is to be able to display these logs in Grafana.
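The netlink message described above (an nfnetlink_log "packet" message carrying the group number, the log prefix and the packet payload) and the Loki push body it gets turned into, as an added Python example that is not this tool's own code. It decodes a constructed NFLOG message rather than reading from a live socket: binding a NETLINK_NETFILTER socket to the group needs root and a configuration exchange that is omitted here, so the bytes are built by the example itself, and the addresses, interface index and timestamp are constructed sample values. The attribute numbers and message type come from the kernel's nfnetlink_log.h; the Loki body follows the /loki/api/v1/push JSON format.

```python
"""Decode an NFLOG (nfnetlink_log) netlink message and build a Loki push body.
Added example; the sample message below is constructed, not captured."""
import json
import socket
import struct

# Values from <linux/netfilter/nfnetlink.h> and <linux/netfilter/nfnetlink_log.h>
NFNL_SUBSYS_ULOG = 4
NFULNL_MSG_PACKET = 0
NFULA_PACKET_HDR = 1       # struct nfulnl_msg_packet_hdr: hw_protocol(be16), hook(u8), pad
NFULA_IFINDEX_INDEV = 4    # be32 ifindex of the ingress interface
NFULA_PAYLOAD = 9          # raw packet bytes (layer 3 onward)
NFULA_PREFIX = 10          # NUL-terminated string from `log prefix "..."`
NLA_TYPE_MASK = 0x3FFF     # strips NLA_F_NESTED / NLA_F_NET_BYTEORDER flag bits
HOOK_NAMES = {0: "prerouting", 1: "input", 2: "forward", 3: "output", 4: "postrouting"}

NLMSG_HDR = struct.Struct("=IHHII")  # nlmsg_len, nlmsg_type, nlmsg_flags, seq, pid
NLATTR = struct.Struct("=HH")        # nla_len, nla_type (payload padded to 4 bytes)


def _align4(n):
    return (n + 3) & ~3


def parse_attrs(buf):
    """Walk the nlattr TLVs after nfgenmsg and return {attr_type: payload_bytes}."""
    attrs, off = {}, 0
    while off + NLATTR.size <= len(buf):
        nla_len, nla_type = NLATTR.unpack_from(buf, off)
        if nla_len < NLATTR.size or off + nla_len > len(buf):
            raise ValueError("malformed netlink attribute")
        attrs[nla_type & NLA_TYPE_MASK] = buf[off + NLATTR.size:off + nla_len]
        off += _align4(nla_len)
    return attrs


def parse_nflog(msg):
    """Decode one NFULNL_MSG_PACKET message into a flat dict of log fields."""
    nl_len, nl_type, _flags, _seq, _pid = NLMSG_HDR.unpack_from(msg, 0)
    if nl_type != (NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET):
        raise ValueError("not an NFLOG packet message: type %#x" % nl_type)
    # nfgenmsg: family (u8), version (u8), res_id (be16) = the nftables log group
    family, _version = msg[NLMSG_HDR.size], msg[NLMSG_HDR.size + 1]
    group = struct.unpack_from("!H", msg, NLMSG_HDR.size + 2)[0]
    attrs = parse_attrs(msg[NLMSG_HDR.size + 4:nl_len])
    out = {"group": group, "family": family}
    if NFULA_PACKET_HDR in attrs:
        hw_proto, hook, _pad = struct.unpack("!HBB", attrs[NFULA_PACKET_HDR])
        out["hook"] = hook
        out["hook_name"] = HOOK_NAMES.get(hook, str(hook))
        out["hw_proto"] = "%#06x" % hw_proto
    if NFULA_PREFIX in attrs:
        out["prefix"] = attrs[NFULA_PREFIX].rstrip(b"\0").decode("utf-8", "replace")
    if NFULA_IFINDEX_INDEV in attrs:
        out["indev"] = struct.unpack("!I", attrs[NFULA_IFINDEX_INDEV])[0]
    payload = attrs.get(NFULA_PAYLOAD, b"")
    if family == socket.AF_INET and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        out["proto"] = payload[9]
        out["src"] = socket.inet_ntoa(payload[12:16])
        out["dst"] = socket.inet_ntoa(payload[16:20])
        if out["proto"] in (6, 17) and len(payload) >= ihl + 4:  # TCP or UDP ports
            out["sport"], out["dport"] = struct.unpack_from("!HH", payload, ihl)
    return out


def loki_push_body(entry, ts_ns, labels):
    """Build the JSON body for POST /loki/api/v1/push: one stream, one line."""
    line = " ".join("%s=%s" % (k, v) for k, v in sorted(entry.items()))
    return {"streams": [{"stream": labels, "values": [[str(ts_ns), line]]}]}


def _attr(attr_type, payload):
    body = NLATTR.pack(NLATTR.size + len(payload), attr_type) + payload
    return body + b"\0" * (_align4(len(body)) - len(body))


def build_sample_message():
    """Constructed NFLOG message: a TCP SYN to port 22 logged by the rule above.
    Addresses are RFC 5737 documentation ranges; ifindex 2 is a made-up value."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton("203.0.113.5"), socket.inet_aton("192.0.2.10"))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 65535, 0, 0)
    attrs = (_attr(NFULA_PACKET_HDR, struct.pack("!HBB", 0x0800, 1, 0))  # hook 1 = input
             + _attr(NFULA_IFINDEX_INDEV, struct.pack("!I", 2))
             + _attr(NFULA_PREFIX, b"input_drop\0")
             + _attr(NFULA_PAYLOAD, ip + tcp))
    body = struct.pack("BB", socket.AF_INET, 0) + struct.pack("!H", 2) + attrs
    hdr = NLMSG_HDR.pack(NLMSG_HDR.size + len(body),
                         NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, 0, 0, 0)
    return hdr + body


if __name__ == "__main__":
    entry = parse_nflog(build_sample_message())
    print(json.dumps(loki_push_body(entry, 1700000000000000000, {"job": "nflog"})))
```

The prefix, group and hook become fields on the log line, so a Grafana query can select on `prefix=input_drop` directly instead of parsing free text; on a real socket the same `parse_nflog` would be called once per message returned by `recv`, and a message whose type is not the NFLOG packet type (for example an error or done message) is rejected rather than silently mis-decoded.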
This app is not very configurable. The next step is to fix that by adding arguments.