diff --git a/loki/compose.yaml b/loki/compose.yaml index 94a5701..736f345 100644 --- a/loki/compose.yaml +++ b/loki/compose.yaml @@ -40,8 +40,8 @@ services: networks: - logging ports: - - "514:514/udp" # Syslog UDP (for MikroTik and other network devices) - - "514:514/tcp" # Syslog TCP + - "5140:5140/udp" # Syslog UDP (for MikroTik and other network devices) + - "5140:5140/tcp" # Syslog TCP - "12345:12345" # Alloy UI (optional, useful for debugging) volumes: - ./config/alloy.alloy:/etc/alloy/config.alloy:ro diff --git a/loki/config/alloy.alloy b/loki/config/alloy.alloy index 47a68ec..a58168a 100644 --- a/loki/config/alloy.alloy +++ b/loki/config/alloy.alloy 
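Review bot: The new mappings `"5140:5140/udp"` and `"5140:5140/tcp"` publish the syslog listener on every host interface, and syslog has no sender authentication, so anything that can reach the host can write entries into Loki. If only the network devices on the management LAN should log here, bind the mapping to that address, e.g. `- "<MGMT_IP>:5140:5140/udp"` (placeholder), or filter the port at the host firewall. The unchanged `"12345:12345"` Alloy UI line has the same exposure and would be safer as `"127.0.0.1:12345:12345"`. Devices still sending to 514 must be repointed, unless the host side stays on the standard port with `"514:5140/udp"`. The service definition continues outside the hunk.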
@@ -9,42 +9,42 @@ loki.source.syslog "network_devices" { listener { - address = "0.0.0.0:514" - protocol = "udp" - labels = { + address = "0.0.0.0:5140" + protocol = "udp" + syslog_format = "rfc3164" + labels = { job = "syslog", source = "network", } } listener { - address = "0.0.0.0:514" - protocol = "tcp" - labels = { + address = "0.0.0.0:5140" + protocol = "tcp" + syslog_format = "rfc3164" + labels = { job = "syslog", source = "network", } } - - // loki.source.syslog automatically extracts hostname, app, facility, and - // severity from RFC3164/RFC5424 messages and exposes them as internal - // labels. We promote them to real Loki labels in the process stage below. forward_to = [loki.process.syslog_relabel.receiver] } -// Promote the syslog metadata fields to Loki labels. + +// Enrich syslog entries with a hostname label extracted from the syslog message loki.process "syslog_relabel" { + forward_to = [loki.write.local_loki.receiver] + stage.labels { values = { - host = "__syslog_message_hostname", + // These internal __syslog_message_ labels are created by the source component + hostname = "__syslog_message_hostname", + app = "__syslog_message_app_name", severity = "__syslog_message_severity", facility = "__syslog_message_facility", - app = "__syslog_message_app_name", } } - forward_to = [loki.write.default.receiver] } - // ── 2. DOCKER CONTAINER LOGS ───────────────────────────────────────────────── // Tails logs from all Docker containers on this host. // Adds container name and image as labels for easy filtering. @@ -76,13 +76,13 @@ loki.source.docker "docker_logs" { host = "unix:///var/run/docker.sock" targets = discovery.relabel.docker_labels.output labels = { job = "docker" } - forward_to = [loki.write.default.receiver] + forward_to = [loki.write.local_loki.receiver] } // ── 3. LOKI WRITE TARGET ────────────────────────────────────────────────────── -loki.write "default" { +loki.write "local_loki" { endpoint { url = "http://loki:3100/loki/api/v1/push" } 
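Review bot: In `stage.labels`, `hostname` and `app` are copied from fields of the syslog message itself, and both listeners accept unauthenticated traffic on `0.0.0.0:5140`, so any sender chooses those values. A host can therefore log under another device's `hostname`, and every new `hostname`/`app` combination opens a new Loki stream, which makes stream limits easy to exhaust. I would keep `app` out of the label set (a `stage.structured_metadata` block is the usual home for high-cardinality fields, if the Loki schema in use supports it) and add a comment such as `// sender-controlled values: not an authenticated device identity`. The rename from `host` to `hostname` will also break any saved query or alert rule that filters on `host`; none are visible in this diff, so that is worth checking.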
diff --git a/loki/config/loki.yml b/loki/config/loki.yml index 851e56b..d50250d 100644 --- a/loki/config/loki.yml +++ b/loki/config/loki.yml @@ -35,6 +35,8 @@ schema_config: # homelab troubleshooting — long enough to catch recurring issues. limits_config: retention_period: 90d + reject_old_samples: true + reject_old_samples_max_age: 168h # 7 days — increase if needed ingestion_rate_mb: 4 ingestion_burst_size_mb: 8 diff --git a/loki/loki/loki-config.yml b/loki/loki/loki-config.yml index 1ed1e68..ceea9ac 100644 --- a/loki/loki/loki-config.yml +++ b/loki/loki/loki-config.yml @@ -24,7 +24,9 @@ common: # 90 days is generous but reasonable for a homelab — tune down if disk is tight. limits_config: retention_period: 90d - # Reject log lines larger than 256KB (protects against runaway logging) + reject_old_samples: true + reject_old_samples_max_age: 168h # 7 days — increase if needed + # Reject log lines larger than 256KB (protects against runaway logging) max_line_size: 256KB schema_config:
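Review bot: `reject_old_samples: true` with `reject_old_samples_max_age: 168h` makes Loki discard entries whose timestamp is more than seven days old, and the inline comment `# 7 days — increase if needed` does not say that. Since this store may be used to reconstruct an incident, I would spell the consequence out, e.g. `# entries older than 7 days are dropped at ingest, not stored`, and alert on Loki's `loki_discarded_samples_total` metric so that gaps are noticed. The identical pair is added in `loki/loki/loki-config.yml`; the diff does not show which of the two files the Loki container mounts, so the unused one is worth removing before the limits drift apart. The first `limits_config` block may continue past its hunk.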