fix alloy configuration

loki/config/alloy.alloy

@@ -1,98 +1,89 @@
-// Alloy configuration
-// Collects: (1) Docker container logs, (2) Syslog from network devices (MikroTik etc.)
-// Pushes everything to local Loki instance.
+// Grafana Alloy configuration
+// Collects:
+//   1. Syslog over UDP/TCP port 514  — for MikroTik RB5009 and other network gear
+//   2. Docker container logs          — for all containers on this host
+// Forwards everything to Loki.
 
-// ── Loki destination ──────────────────────────────────────────────────────────
-loki.write "local_loki" {
-  endpoint {
-    url = "http://loki:3100/loki/api/v1/push"
-  }
-}
+// ── 1. SYSLOG RECEIVER ────────────────────────────────────────────────────────
+// Listens on 514 UDP and TCP. Point your MikroTik logging action at this host.
 
-// ── Docker container log collection ──────────────────────────────────────────
-// Discovers all running containers and tails their logs automatically.
-// New containers are picked up without restarting Alloy.
-
-discovery.docker "containers" {
-  host = "unix:///var/run/docker.sock"
-}
-
-discovery.relabel "docker_labels" {
-  targets = discovery.docker.containers.targets
-
-  // Use container name as the job label (strips the leading slash Docker adds)
-  rule {
-    source_labels = ["__meta_docker_container_name"]
-    regex         = "/(.*)"
-    target_label  = "container"
-  }
-
-  // Carry through the Docker Compose service name if present
-  rule {
-    source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
-    target_label  = "service"
-  }
-
-  // Carry through the Docker Compose project name if present
-  rule {
-    source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
-    target_label  = "compose_project"
-  }
-
-  rule {
-    target_label = "source"
-    replacement  = "docker"
-  }
-}
-
-loki.source.docker "docker_logs" {
-  host          = "unix:///var/run/docker.sock"
-  targets       = discovery.relabel.docker_labels.output
-  forward_to    = [loki.write.local_loki.receiver]
-  relabeling {
-    source_labels = ["__meta_docker_container_name"]
-    regex         = "/(.*)"
-    target_label  = "container"
-  }
-}
-
-// ── Syslog receiver (MikroTik RB5009 and other network devices) ──────────────
-// Listens on UDP 514 and TCP 514.
-// On your RB5009, set the remote logging action to point at this host's IP.
-
-loki.source.syslog "network_syslog" {
+loki.source.syslog "network_devices" {
   listener {
     address  = "0.0.0.0:514"
     protocol = "udp"
-    labels = {
-      source = "syslog",
-      job    = "network_devices",
+    labels   = {
+      job    = "syslog",
+      source = "network",
     }
   }
   listener {
     address  = "0.0.0.0:514"
     protocol = "tcp"
-    labels = {
-      source = "syslog",
-      job    = "network_devices",
+    labels   = {
+      job    = "syslog",
+      source = "network",
     }
   }
 
+  // loki.source.syslog automatically extracts hostname, app, facility, and
+  // severity from RFC3164/RFC5424 messages and exposes them as internal
+  // labels. We promote them to real Loki labels in the process stage below.
   forward_to = [loki.process.syslog_relabel.receiver]
 }
 
-// Enrich syslog entries with a hostname label extracted from the syslog message
+// Promote the syslog metadata fields to Loki labels.
 loki.process "syslog_relabel" {
-  forward_to = [loki.write.local_loki.receiver]
-
-  stage.syslog {}   // Parses RFC3164/RFC5424 syslog and extracts hostname, app, facility, severity
-
   stage.labels {
     values = {
-      hostname = "hostname",   // Extracted by stage.syslog
-      app      = "app_name",   // e.g. "dhcp", "firewall", "interface" on RouterOS
-      severity = "severity",
-      facility = "facility",
+      host     = "__syslog_message_hostname",
+      severity = "__syslog_message_severity",
+      facility = "__syslog_message_facility",
+      app      = "__syslog_message_app_name",
     }
   }
+  forward_to = [loki.write.default.receiver]
+}
+
+
+// ── 2. DOCKER CONTAINER LOGS ─────────────────────────────────────────────────
+// Tails logs from all Docker containers on this host.
+// Adds container name and image as labels for easy filtering.
+
+discovery.docker "containers" {
+  host = "unix:///var/run/docker.sock"
+}
+
+// Relabel Docker metadata into useful Loki labels.
+discovery.relabel "docker_labels" {
+  targets = discovery.docker.containers.targets
+
+  rule {
+    source_labels = ["__meta_docker_container_name"]
+    regex         = "/(.*)"
+    target_label  = "container"
+  }
+  rule {
+    source_labels = ["__meta_docker_container_log_stream"]
+    target_label  = "stream"
+  }
+  rule {
+    source_labels = ["__meta_docker_image_name"]
+    target_label  = "image"
+  }
+}
+
+loki.source.docker "docker_logs" {
+  host       = "unix:///var/run/docker.sock"
+  targets    = discovery.relabel.docker_labels.output
+  labels     = { job = "docker" }
+  forward_to = [loki.write.default.receiver]
+}
+
+
+// ── 3. LOKI WRITE TARGET ──────────────────────────────────────────────────────
+
+loki.write "default" {
+  endpoint {
+    url = "http://loki:3100/loki/api/v1/push"
+  }
 }

loki/config/alloy.original

@@ -0,0 +1,98 @@
+// Alloy configuration
+// Collects: (1) Docker container logs, (2) Syslog from network devices (MikroTik etc.)
+// Pushes everything to local Loki instance.
+
+// ── Loki destination ──────────────────────────────────────────────────────────
+loki.write "local_loki" {
+  endpoint {
+    url = "http://loki:3100/loki/api/v1/push"
+  }
+}
+
+// ── Docker container log collection ──────────────────────────────────────────
+// Discovers all running containers and tails their logs automatically.
+// New containers are picked up without restarting Alloy.
+
+discovery.docker "containers" {
+  host = "unix:///var/run/docker.sock"
+}
+
+discovery.relabel "docker_labels" {
+  targets = discovery.docker.containers.targets
+
+  // Use container name as the job label (strips the leading slash Docker adds)
+  rule {
+    source_labels = ["__meta_docker_container_name"]
+    regex         = "/(.*)"
+    target_label  = "container"
+  }
+
+  // Carry through the Docker Compose service name if present
+  rule {
+    source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
+    target_label  = "service"
+  }
+
+  // Carry through the Docker Compose project name if present
+  rule {
+    source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
+    target_label  = "compose_project"
+  }
+
+  rule {
+    target_label = "source"
+    replacement  = "docker"
+  }
+}
+
+loki.source.docker "docker_logs" {
+  host          = "unix:///var/run/docker.sock"
+  targets       = discovery.relabel.docker_labels.output
+  forward_to    = [loki.write.local_loki.receiver]
+  relabeling {
+    source_labels = ["__meta_docker_container_name"]
+    regex         = "/(.*)"
+    target_label  = "container"
+  }
+}
+
+// ── Syslog receiver (MikroTik RB5009 and other network devices) ──────────────
+// Listens on UDP 514 and TCP 514.
+// On your RB5009, set the remote logging action to point at this host's IP.
+
+loki.source.syslog "network_syslog" {
+  listener {
+    address  = "0.0.0.0:514"
+    protocol = "udp"
+    labels = {
+      source = "syslog",
+      job    = "network_devices",
+    }
+  }
+  listener {
+    address  = "0.0.0.0:514"
+    protocol = "tcp"
+    labels = {
+      source = "syslog",
+      job    = "network_devices",
+    }
+  }
+
+  forward_to = [loki.process.syslog_relabel.receiver]
+}
+
+// Enrich syslog entries with a hostname label extracted from the syslog message
+loki.process "syslog_relabel" {
+  forward_to = [loki.write.local_loki.receiver]
+
+  stage.syslog {}   // Parses RFC3164/RFC5424 syslog and extracts hostname, app, facility, severity
+
+  stage.labels {
+    values = {
+      hostname = "hostname",   // Extracted by stage.syslog
+      app      = "app_name",   // e.g. "dhcp", "firewall", "interface" on RouterOS
+      severity = "severity",
+      facility = "facility",
+    }
+  }
+}