Homelab Log Aggregation Stack

Grafana Alloy + Loki + Grafana, configured for:

  • MikroTik RB5009 (and other network devices) via syslog
  • Docker container logs on the host machine

Quick Start

# (Optional) load secrets first if using the Vaultwarden secrets workflow
# ./secrets-load.sh docker/loki-stack .env

docker compose up -d

Grafana will be available at http://<host-ip>:3098

Default login: admin / admin; you will be prompted to change this.


MikroTik RB5009 Configuration

In RouterOS (Winbox or SSH), run:

# Create a remote logging action pointing at this Docker host
/system logging action
add name=remote-loki \
    target=remote \
    remote=<YOUR-DOCKER-HOST-IP> \
    remote-port=514 \
    bsd-syslog=yes \
    syslog-facility=local0 \
    syslog-severity=auto

# Send all log topics to Loki
/system logging
add action=remote-loki topics=all

To verify it's working, SSH into the RB5009 and run:

/log print follow

...then in Grafana, open Explore → Loki and query {source="network"}. You should see entries appearing within a few seconds.


Useful LogQL Queries

All RB5009 logs:

{job="syslog", source="network"}

RB5009 interface/link events only:

{job="syslog", source="network"} |= "link"

All logs from a specific Docker container:

{job="docker", container="myapp"}

Errors across all Docker containers:

{job="docker"} |= "error" | logfmt | level="error"

Everything in the last 24 hours, newest first (the time range and sort order are set in Grafana, not in the query):

{job=~"syslog|docker"} | line_format "{{.source}} {{.container}} {{.message}}"

File Layout

loki-stack/
├── docker-compose.yml
├── alloy/
│   └── config.alloy        # Alloy pipeline config (syslog + Docker)
├── loki/
│   └── loki-config.yml     # Loki storage and retention config
└── grafana/
    └── provisioning/
        └── datasources/
            └── loki.yml    # Auto-provisions Loki as default datasource

Retention

Logs are kept for 90 days by default. To change this, edit loki/loki-config.yml:

limits_config:
  retention_period: 30d   # or 180d, etc.

Then restart Loki: docker compose restart loki

Adding More Syslog Sources

Any device that can send syslog (UDP/TCP 514) will work automatically — the host label will be set from the syslog hostname field, so you can filter per-device in Grafana with {host="my-device-hostname"}.
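
The host label is taken from the hostname field of each message, and that field is filled in by the sender. As an added example (not part of this stack's configuration), the Python below parses the RFC 3164 format that bsd-syslog=yes selects, decodes the priority into facility and severity (local0 for the action above), and compares the source address and hostname against an inventory. The EXPECTED table, its addresses and the sample datagrams are constructed for illustration.

```python
import re

# Facility and severity names indexed by code (RFC 3164 section 4.1.1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>"
                     r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) (?P<msg>.*)$", re.S)

# Hypothetical inventory: source IP -> hostname that device is expected to send.
EXPECTED = {"192.0.2.1": "rb5009"}

def parse_bsd_syslog(datagram: bytes) -> dict:
    """Parse one RFC 3164 datagram; raise ValueError if it is malformed."""
    m = RFC3164.match(datagram.decode("utf-8", errors="replace").rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 message")
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI is local7.debug = 23 * 8 + 7
        raise ValueError(f"PRI {pri} out of range")
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}

def check_sender(src_ip: str, datagram: bytes, facility: str = "local0") -> list:
    """Return the reasons a datagram does not match the inventory (empty = ok)."""
    try:
        rec = parse_bsd_syslog(datagram)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if src_ip not in EXPECTED:
        problems.append(f"unknown source {src_ip}")
    elif rec["host"] != EXPECTED[src_ip]:
        problems.append(f"{src_ip} sent hostname {rec['host']!r}")
    if rec["facility"] != facility:
        problems.append(f"facility {rec['facility']}, expected {facility}")
    return problems

# Constructed sample datagrams, not captured from a real device.
GOOD = b"<134>Jan  5 10:15:02 rb5009 interface,info ether2 link up"
MISMATCH = b"<38>Jan  5 10:15:09 rb5009 system,info test message"

if __name__ == "__main__":
    print(parse_bsd_syslog(GOOD))
    print(check_sender("192.0.2.1", GOOD))  # []
    print(check_sender("192.0.2.77", MISMATCH))
```

Because the hostname is whatever the sender writes, two devices that send the same name end up under the same host label; restricting port 514 to known source addresses keeps the label meaningful.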


Integrating with the Vaultwarden Secrets Workflow

If you're using the secrets-load.sh script, store the Grafana admin password as a custom field named GF_SECURITY_ADMIN_PASSWORD in a Vaultwarden item called docker/loki-stack, then replace the hardcoded value in docker-compose.yml with:

env_file:
  - .env