diff --git a/loki/config/alloy.alloy b/loki/config/alloy.alloy
index 8161b0e..47a68ec 100644
--- a/loki/config/alloy.alloy
+++ b/loki/config/alloy.alloy
@@ -1,98 +1,89 @@ -// Alloy configuration -// Collects: (1) Docker container logs, (2) Syslog from network devices (MikroTik etc.) -// Pushes everything to local Loki instance. +// Grafana Alloy configuration +// Collects: +// 1. Syslog over UDP/TCP port 514 — for MikroTik RB5009 and other network gear +// 2. Docker container logs — for all containers on this host +// Forwards everything to Loki. -// ── Loki destination ────────────────────────────────────────────────────────── -loki.write "local_loki" { - endpoint { - url = "http://loki:3100/loki/api/v1/push" - } -} +// ── 1. SYSLOG RECEIVER ──────────────────────────────────────────────────────── +// Listens on 514 UDP and TCP. Point your MikroTik logging action at this host. -// ── Docker container log collection ────────────────────────────────────────── -// Discovers all running containers and tails their logs automatically. -// New containers are picked up without restarting Alloy. - -discovery.docker "containers" { - host = "unix:///var/run/docker.sock" -} - -discovery.relabel "docker_labels" { - targets = discovery.docker.containers.targets - - // Use container name as the job label (strips the leading slash Docker adds) - rule { - source_labels = ["__meta_docker_container_name"] - regex = "/(.*)" - target_label = "container" - } - - // Carry through the Docker Compose service name if present - rule { - source_labels = ["__meta_docker_container_label_com_docker_compose_service"] - target_label = "service" - } - - // Carry through the Docker Compose project name if present - rule { - source_labels = ["__meta_docker_container_label_com_docker_compose_project"] - target_label = "compose_project" - } - - rule { - target_label = "source" - replacement = "docker" - } -} - -loki.source.docker "docker_logs" { - host = "unix:///var/run/docker.sock" - targets = discovery.relabel.docker_labels.output - forward_to = [loki.write.local_loki.receiver] - relabeling { - source_labels = ["__meta_docker_container_name"] - 
regex = "/(.*)" - target_label = "container" - } -} - -// ── Syslog receiver (MikroTik RB5009 and other network devices) ────────────── -// Listens on UDP 514 and TCP 514. -// On your RB5009, set the remote logging action to point at this host's IP. - -loki.source.syslog "network_syslog" { +loki.source.syslog "network_devices" { listener { address = "0.0.0.0:514" protocol = "udp" - labels = { - source = "syslog", - job = "network_devices", + labels = { + job = "syslog", + source = "network", } } listener { address = "0.0.0.0:514" protocol = "tcp" - labels = { - source = "syslog", - job = "network_devices", + labels = { + job = "syslog", + source = "network", } } + // loki.source.syslog automatically extracts hostname, app, facility, and + // severity from RFC3164/RFC5424 messages and exposes them as internal + // labels. We promote them to real Loki labels in the process stage below. forward_to = [loki.process.syslog_relabel.receiver] } -// Enrich syslog entries with a hostname label extracted from the syslog message +// Promote the syslog metadata fields to Loki labels. loki.process "syslog_relabel" { - forward_to = [loki.write.local_loki.receiver] - - stage.syslog {} // Parses RFC3164/RFC5424 syslog and extracts hostname, app, facility, severity - stage.labels { values = { - hostname = "hostname", // Extracted by stage.syslog - app = "app_name", // e.g. "dhcp", "firewall", "interface" on RouterOS - severity = "severity", - facility = "facility", + host = "__syslog_message_hostname", + severity = "__syslog_message_severity", + facility = "__syslog_message_facility", + app = "__syslog_message_app_name", } } + forward_to = [loki.write.default.receiver] +} + + +// ── 2. DOCKER CONTAINER LOGS ───────────────────────────────────────────────── +// Tails logs from all Docker containers on this host. +// Adds container name and image as labels for easy filtering. 
+
+discovery.docker "containers" {
+ host = "unix:///var/run/docker.sock"
+}
+
+// Relabel Docker metadata into useful Loki labels.
+discovery.relabel "docker_labels" {
+ targets = discovery.docker.containers.targets
+
+ rule {
+ source_labels = ["__meta_docker_container_name"]
+ regex = "/(.*)"
+ target_label = "container"
+ }
+ rule {
+ source_labels = ["__meta_docker_container_log_stream"]
+ target_label = "stream"
+ }
+ rule {
+ source_labels = ["__meta_docker_image_name"]
+ target_label = "image"
+ }
+}
+
+loki.source.docker "docker_logs" {
+ host = "unix:///var/run/docker.sock"
+ targets = discovery.relabel.docker_labels.output
+ labels = { job = "docker" }
+ forward_to = [loki.write.default.receiver]
+}
+
+
+// ── 3. LOKI WRITE TARGET ──────────────────────────────────────────────────────
+
+loki.write "default" {
+ endpoint {
+ url = "http://loki:3100/loki/api/v1/push"
+ }
 }
diff --git a/loki/config/alloy.original b/loki/config/alloy.original
new file mode 100644
index 0000000..8161b0e
--- /dev/null
+++ b/loki/config/alloy.original
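Review bot: The `stage.labels` mapping in `loki.process "syslog_relabel"` (alloy.alloy) most likely produces none of the `host`, `severity`, `facility` or `app` labels, because, as far as the component documentation describes, `loki.source.syslog` removes every label starting with `__` before it forwards an entry, so `__syslog_message_hostname` and its siblings never reach a downstream process stage; this should be confirmed against the Alloy version deployed. The supported route is a `loki.relabel` component whose `rules` export is passed to the source's `relabel_rules` argument, as sketched below, and the comment added above `forward_to` should be corrected to say so. Both listeners remain on `0.0.0.0:514` with no TLS or sender authentication, so hostname and app name are whatever the sender asserts and every distinct value opens a new Loki stream. Limiting port 514 to the management network and also recording `__syslog_connection_ip_address`, which the receiver observes itself, keeps spoofed or high-cardinality input easier to bound and to spot.

```alloy
// Rules only; nothing is forwarded from this component.
loki.relabel "syslog_labels" {
  forward_to = []

  rule {
    source_labels = ["__syslog_message_hostname"]
    target_label  = "host"
  }
  rule {
    source_labels = ["__syslog_message_severity"]
    target_label  = "severity"
  }
  rule {
    source_labels = ["__syslog_message_facility"]
    target_label  = "facility"
  }
  rule {
    source_labels = ["__syslog_message_app_name"]
    target_label  = "app"
  }
  // Address seen by the receiver, independent of what the message claims.
  rule {
    source_labels = ["__syslog_connection_ip_address"]
    target_label  = "sender_ip"
  }
}

loki.source.syslog "network_devices" {
  // … unchanged: udp and tcp listener blocks …
  relabel_rules = loki.relabel.syslog_labels.rules
  forward_to    = [loki.write.default.receiver]
}
```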
@@ -0,0 +1,98 @@
+// Alloy configuration
+// Collects: (1) Docker container logs, (2) Syslog from network devices (MikroTik etc.)
+// Pushes everything to local Loki instance.
+
+// ── Loki destination ──────────────────────────────────────────────────────────
+loki.write "local_loki" {
+ endpoint {
+ url = "http://loki:3100/loki/api/v1/push"
+ }
+}
+
+// ── Docker container log collection ──────────────────────────────────────────
+// Discovers all running containers and tails their logs automatically.
+// New containers are picked up without restarting Alloy.
+
+discovery.docker "containers" {
+ host = "unix:///var/run/docker.sock"
+}
+
+discovery.relabel "docker_labels" {
+ targets = discovery.docker.containers.targets
+
+ // Use container name as the job label (strips the leading slash Docker adds)
+ rule {
+ source_labels = ["__meta_docker_container_name"]
+ regex = "/(.*)"
+ target_label = "container"
+ }
+
+ // Carry through the Docker Compose service name if present
+ rule {
+ source_labels = ["__meta_docker_container_label_com_docker_compose_service"]
+ target_label = "service"
+ }
+
+ // Carry through the Docker Compose project name if present
+ rule {
+ source_labels = ["__meta_docker_container_label_com_docker_compose_project"]
+ target_label = "compose_project"
+ }
+
+ rule {
+ target_label = "source"
+ replacement = "docker"
+ }
+}
+
+loki.source.docker "docker_logs" {
+ host = "unix:///var/run/docker.sock"
+ targets = discovery.relabel.docker_labels.output
+ forward_to = [loki.write.local_loki.receiver]
+ relabeling {
+ source_labels = ["__meta_docker_container_name"]
+ regex = "/(.*)"
+ target_label = "container"
+ }
+}
+
+// ── Syslog receiver (MikroTik RB5009 and other network devices) ──────────────
+// Listens on UDP 514 and TCP 514.
+// On your RB5009, set the remote logging action to point at this host's IP.
+
+loki.source.syslog "network_syslog" {
+ listener {
+ address = "0.0.0.0:514"
+ protocol = "udp"
+ labels = {
+ source = "syslog",
+ job = "network_devices",
+ }
+ }
+ listener {
+ address = "0.0.0.0:514"
+ protocol = "tcp"
+ labels = {
+ source = "syslog",
+ job = "network_devices",
+ }
+ }
+
+ forward_to = [loki.process.syslog_relabel.receiver]
+}
+
+// Enrich syslog entries with a hostname label extracted from the syslog message
+loki.process "syslog_relabel" {
+ forward_to = [loki.write.local_loki.receiver]
+
+ stage.syslog {} // Parses RFC3164/RFC5424 syslog and extracts hostname, app, facility, severity
+
+ stage.labels {
+ values = {
+ hostname = "hostname", // Extracted by stage.syslog
+ app = "app_name", // e.g. "dhcp", "firewall", "interface" on RouterOS
+ severity = "severity",
+ facility = "facility",
+ }
+ }
+}
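Review bot: `alloy.original` duplicates the configuration this commit replaces (its blob id `8161b0e` is the old side of the `alloy.alloy` index line), so it stores what version control already keeps. A second config in `loki/config/` that still names `loki.write "local_loki"` and the same `0.0.0.0:514` listeners can drift and be mistaken for the live one during an audit or a restore. I would drop the file; if it has to stay, open it with a comment such as `// Archived pre-change copy of alloy.alloy, kept for reference only`.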