---
title: "loki.source.podlogs | Grafana Alloy documentation"
description: "Learn about loki.source.podlogs"
---

# `loki.source.podlogs`

`loki.source.podlogs` discovers `PodLogs` resources on Kubernetes. The `PodLogs` resources provide rules for which Kubernetes Pods to discover on your cluster.

`loki.source.podlogs` uses the Kubernetes API to tail the logs from the discovered Kubernetes Pods.

`loki.source.podlogs` is similar to `loki.source.kubernetes`, but uses custom resources rather than being fed targets from another component.

> Note
> 
> Because `loki.source.podlogs` uses the Kubernetes API to tail logs, it uses more network traffic and CPU consumption of Kubelets than `loki.source.file`.

You can specify multiple `loki.source.podlogs` components by giving them different labels.

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
loki.source.podlogs "<LABEL>" {
  forward_to = <RECEIVER_LIST>
}
```

## Arguments

The component starts a new reader for each of the given `targets` and fans out log entries to the list of receivers passed in `forward_to`.

You can use the following arguments with `loki.source.podlogs`:

Expand table

| Name                         | Type                 | Description                                                                       | Default | Required |
|------------------------------|----------------------|-----------------------------------------------------------------------------------|---------|----------|
| `forward_to`                 | `list(LogsReceiver)` | List of receivers to send log entries to.                                         |         | yes      |
| `preserve_discovered_labels` | `bool`               | Preserve discovered pod metadata labels for use by downstream components.         | `false` | no       |
| `tail_from_end`              | `bool`               | Start reading from the end of the log stream for newly discovered Pod containers. | `false` | no       |

`loki.source.podlogs` searches for `PodLogs` resources on Kubernetes. Each `PodLogs` resource describes a set of pods to tail logs from.

When `tail_from_end` is `false` (the default), `loki.source.podlogs` reads all available logs from the Kubernetes API for newly discovered Pod containers. For long-running Pods, this can result in a large volume of logs being processed, which may be rejected by the downstream Loki instance if they are too old. Set `tail_from_end` to `true` to only read new logs from the point of discovery, ignoring the historical log buffer. If a last-read offset is already saved for a Pod, `loki.source.podlogs` will resume from that position and ignore the `tail_from_end` argument.

When `preserve_discovered_labels` is `true`, `loki.source.podlogs` preserves discovered Pod metadata labels so they can be accessed by downstream components. This enables component chaining where discovered Pod metadata labels can be accessed by components like `loki.relabel`. The preserved labels include all the Pod metadata labels that are available for relabeling within PodLogs custom resources.

## `PodLogs` custom resource

The `PodLogs` resource describes a set of Pods to collect logs from.

> Note
> 
> `loki.source.podlogs` looks for `PodLogs` of `monitoring.grafana.com/v1alpha2`, and isn’t compatible with `PodLogs` from the Agent Operator, which are version `v1alpha1`.

Expand table

| Field        | Type                                                                                                  | Description                                   |
|--------------|-------------------------------------------------------------------------------------------------------|-----------------------------------------------|
| `apiVersion` | string                                                                                                | `monitoring.grafana.com/v1alpha2`             |
| `kind`       | string                                                                                                | `PodLogs`                                     |
| `metadata`   | [ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#objectmeta-v1-meta) | Metadata for the PodLogs.                     |
| `spec`       | [PodLogsSpec](#podlogsspec)                                                                           | Definition of what Pods to collect logs from. |

### `PodLogsSpec`

`PodLogsSpec` describes a set of Pods to collect logs from.

Expand table

| Field               | Type                                                                                                            | Description                                                  |
|---------------------|-----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------|
| `selector`          | [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)     | Label selector of Pods to collect logs from.                 |
| `namespaceSelector` | [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta)     | Label selector of Namespaces that Pods can be discovered in. |
| `relabelings`       | [RelabelConfig](https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RelabelConfig) | Relabel rules to apply to discovered Pods.                   |

If `selector` is left as the default value, all Pods are discovered. If `namespaceSelector` is left as the default value, all Namespaces are used for Pod discovery.

The `relabelings` field can be used to modify labels from discovered Pods. The following meta labels are available for relabeling:

- `__meta_kubernetes_namespace`: The namespace of the Pod.
- `__meta_kubernetes_pod_annotation_<annotationname>`: Each annotation from the Pod.
- `__meta_kubernetes_pod_annotationpresent_<annotationname>`: `true` for each annotation from the Pod.
- `__meta_kubernetes_pod_container_image`: The image the container is using.
- `__meta_kubernetes_pod_container_init`: `true` if the container is an `InitContainer`.
- `__meta_kubernetes_pod_container_name`: Name of the container.
- `__meta_kubernetes_pod_controller_kind`: Object kind of the Pod’s controller.
- `__meta_kubernetes_pod_controller_name`: Name of the Pod’s controller.
- `__meta_kubernetes_pod_host_ip`: The current host IP of the Pod object.
- `__meta_kubernetes_pod_ip`: The Pod IP of the Pod.
- `__meta_kubernetes_pod_label_<labelname>`: Each label from the Pod.
- `__meta_kubernetes_pod_labelpresent_<labelname>`: `true` for each label from the Pod.
- `__meta_kubernetes_pod_name`: The name of the Pod.
- `__meta_kubernetes_pod_node_name`: The name of the node the Pod is scheduled onto.
- `__meta_kubernetes_pod_phase`: Set to `Pending`, `Running`, `Succeeded`, `Failed` or `Unknown` in the lifecycle.
- `__meta_kubernetes_pod_ready`: Set to `true` or `false` for the Pod’s ready state.
- `__meta_kubernetes_pod_uid`: The UID of the Pod.

In addition to the meta labels, the following labels are exposed to tell `loki.source.podlogs` which container to tail:

- `__pod_container_name__`: The container name within the Pod.
- `__pod_name__`: The name of the Pod.
- `__pod_namespace__`: The namespace of the Pod.
- `__pod_uid__`: The UID of the Pod.

## Blocks

You can use the following blocks with `loki.source.podlogs`:

No valid configuration blocks found.

### `client`

The `client` block configures the Kubernetes client used to tail logs from containers. If the `client` block isn’t provided, the default in-cluster configuration with the service account of the running Alloy Pod is used.

The following arguments are supported:

Expand table

| Name                     | Type                | Description                                                                                      | Default | Required |
|--------------------------|---------------------|--------------------------------------------------------------------------------------------------|---------|----------|
| `api_server`             | `string`            | URL of the Kubernetes API server.                                                                |         | no       |
| `bearer_token_file`      | `string`            | File containing a bearer token to authenticate with.                                             |         | no       |
| `bearer_token`           | `secret`            | Bearer token to authenticate with.                                                               |         | no       |
| `enable_http2`           | `bool`              | Whether HTTP2 is supported for requests.                                                         | `true`  | no       |
| `follow_redirects`       | `bool`              | Whether redirects returned by the server should be followed.                                     | `true`  | no       |
| `http_headers`           | `map(list(secret))` | Custom HTTP headers to be sent along with each request. The map key is the header name.          |         | no       |
| `kubeconfig_file`        | `string`            | Path of the `kubeconfig` file to use for connecting to Kubernetes.                               |         | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |         | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |         | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false` | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |         | no       |

At most, one of the following can be provided:

- \[`authorization`]\[authorization] block
- \[`basic_auth`]\[basic\_auth]block
- \[`bearer_token_file`]\[client] argument
- \[`bearer_token`]\[client] argument
- \[`oauth2`]\[oauth2] block

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables HTTP\_PROXY, HTTPS\_PROXY, and NO\_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO\_PROXY. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` are configured.

### `authorization`

Expand table

| Name               | Type     | Description                                | Default | Required |
|--------------------|----------|--------------------------------------------|---------|----------|
| `credentials_file` | `string` | File containing the secret value.          |         | no       |
| `credentials`      | `secret` | Secret value.                              |         | no       |
| `type`             | `string` | Authorization type, for example, “Bearer”. |         | no       |

`credential` and `credentials_file` are mutually exclusive, and only one can be provided inside an `authorization` block.

> Warning
> 
> Using `credentials_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `credentials` attribute instead to avoid unnecessary reads.

### `basic_auth`

Expand table

| Name            | Type     | Description                              | Default | Required |
|-----------------|----------|------------------------------------------|---------|----------|
| `password_file` | `string` | File containing the basic auth password. |         | no       |
| `password`      | `secret` | Basic auth password.                     |         | no       |
| `username`      | `string` | Basic auth username.                     |         | no       |

`password` and `password_file` are mutually exclusive, and only one can be provided inside a `basic_auth` block.

> Warning
> 
> Using `password_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `password` attribute instead to avoid unnecessary reads.

### `clustering`

Expand table

| Name      | Type   | Description                                         | Default | Required |
|-----------|--------|-----------------------------------------------------|---------|----------|
| `enabled` | `bool` | Distribute log collection with other cluster nodes. |         | yes      |

When Alloy is [using clustering](../../../../get-started/clustering/), and `enabled` is set to true, then this `loki.source.podlogs` component instance opts-in to participating in the cluster to distribute the load of log collection between all cluster nodes.

If Alloy is *not* running in clustered mode, then the block is a no-op and `loki.source.podlogs` collects logs based on every PodLogs resource discovered.

Clustering looks only at the following labels for determining the shard key:

- `__pod_namespace__`
- `__pod_name__`
- `__pod_container_name__`
- `__pod_uid__`
- `__meta_kubernetes_namespace`
- `__meta_kubernetes_pod_name`
- `__meta_kubernetes_pod_container_name`
- `__meta_kubernetes_pod_uid`
- `container`
- `pod`
- `job`
- `namespace`

### `node_filter`

The `node_filter` block configures node-based filtering for Pod discovery.

The following arguments are supported:

Expand table

| Name        | Type     | Description                                                                               | Default | Required |
|-------------|----------|-------------------------------------------------------------------------------------------|---------|----------|
| `enabled`   | `bool`   | Enable node-based filtering for Pod discovery.                                            | `false` | no       |
| `node_name` | `string` | Node name to filter Pods by. Falls back to the `NODE_NAME` environment variable if empty. | `""`    | no       |

When you set `enabled` to `true`, `loki.source.podlogs` only discovers and collects logs from Pods running on the specified node. This is particularly useful when running Alloy as a DaemonSet to avoid collecting logs from Pods on other nodes.

If you don’t specify `node_name`, `loki.source.podlogs` attempts to use the `NODE_NAME` environment variable. This allows for easy configuration in DaemonSet deployments where you can inject the node name with the [Kubernetes downward API](https://kubernetes.io/docs/concepts/workloads/pods/downward-api/).

Example DaemonSet configuration:

YAML ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```yaml
env:
  - name: NODE_NAME
    valueFrom:
      fieldRef:
        fieldPath: spec.nodeName
```

Node filtering significantly reduces API server load and network traffic by limiting Pod discovery to only the local node, making it highly recommended for DaemonSet deployments in large clusters.

### `match_expression`

The `match_expression` block describes a Kubernetes label match expression for `PodLogs` or Namespace discovery.

The following arguments are supported:

Expand table

| Name       | Type           | Description                        | Default | Required |
|------------|----------------|------------------------------------|---------|----------|
| `key`      | `string`       | The label name to match against.   |         | yes      |
| `operator` | `string`       | The operator to use when matching. |         | yes      |
| `values`   | `list(string)` | The values used when matching.     |         | no       |

The `operator` argument must be one of the following strings:

- `"In"`
- `"NotIn"`
- `"Exists"`
- `"DoesNotExist"`

Both `selector` and `namespace_selector` can make use of multiple `match_expression` inner blocks which are treated as AND clauses.

### `oauth2`

Expand table

| Name                     | Type                | Description                                                                                      | Default | Required |
|--------------------------|---------------------|--------------------------------------------------------------------------------------------------|---------|----------|
| `client_id`              | `string`            | OAuth2 client ID.                                                                                |         | no       |
| `client_secret_file`     | `string`            | File containing the OAuth2 client secret.                                                        |         | no       |
| `client_secret`          | `secret`            | OAuth2 client secret.                                                                            |         | no       |
| `endpoint_params`        | `map(string)`       | Optional parameters to append to the token URL.                                                  |         | no       |
| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |         | no       |
| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |         | no       |
| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false` | no       |
| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |         | no       |
| `scopes`                 | `list(string)`      | List of scopes to authenticate with.                                                             |         | no       |
| `token_url`              | `string`            | URL to fetch the token from.                                                                     |         | no       |

`client_secret` and `client_secret_file` are mutually exclusive, and only one can be provided inside an `oauth2` block.

> Warning
> 
> Using `client_secret_file` causes the file to be read on every outgoing request. Use the `local.file` component with the `client_secret` attribute instead to avoid unnecessary reads.

The `oauth2` block may also contain a separate `tls_config` sub-block.

`no_proxy` can contain IPs, CIDR notations, and domain names. IP and domain names can contain port numbers. `proxy_url` must be configured if `no_proxy` is configured.

`proxy_from_environment` uses the environment variables HTTP\_PROXY, HTTPS\_PROXY, and NO\_PROXY (or the lowercase versions thereof). Requests use the proxy from the environment variable matching their scheme, unless excluded by NO\_PROXY. `proxy_url` and `no_proxy` must not be configured if `proxy_from_environment` is configured.

`proxy_connect_header` should only be configured if `proxy_url` or `proxy_from_environment` are configured.

### `selector` and `namespace_selector`

The `selector` and `namespce_selector` blocks describe a Kubernetes label selector for `PodLogs` or Namespace discovery.

The following arguments are supported:

Expand table

| Name           | Type          | Description                                       | Default | Required |
|----------------|---------------|---------------------------------------------------|---------|----------|
| `match_labels` | `map(string)` | Label keys and values used to discover resources. | `{}`    | no       |

When the `match_labels` argument is empty, all resources are matched.

### `tls_config`

Expand table

| Name                   | Type     | Description                                              | Default | Required |
|------------------------|----------|----------------------------------------------------------|---------|----------|
| `ca_pem`               | `string` | CA PEM-encoded text to validate the server with.         |         | no       |
| `ca_file`              | `string` | CA certificate to validate the server with.              |         | no       |
| `cert_pem`             | `string` | Certificate PEM-encoded text for client authentication.  |         | no       |
| `cert_file`            | `string` | Certificate file for client authentication.              |         | no       |
| `insecure_skip_verify` | `bool`   | Disables validation of the server certificate.           |         | no       |
| `key_file`             | `string` | Key file for client authentication.                      |         | no       |
| `key_pem`              | `secret` | Key PEM-encoded text for client authentication.          |         | no       |
| `min_version`          | `string` | Minimum acceptable TLS version.                          |         | no       |
| `server_name`          | `string` | ServerName extension to indicate the name of the server. |         | no       |

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

When configuring client authentication, both the client certificate (using `cert_pem` or `cert_file`) and the client key (using `key_pem` or `key_file`) must be provided.

When `min_version` isn’t provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If `min_version` is provided, it must be set to one of the following strings:

- `"TLS10"` (TLS 1.0)
- `"TLS11"` (TLS 1.1)
- `"TLS12"` (TLS 1.2)
- `"TLS13"` (TLS 1.3)

## Exported fields

When `preserve_discovered_labels` is set to `false`, `loki.source.podlogs` doesn’t export any discovered fields (`__meta` labels).

When `preserve_discovered_labels` is set to `true`, `loki.source.podlogs` sends the discovered labels to the downstream components, and then the labels are dropped by either `loki.process` or `loki.write` when the pipeline is completed.

## Component health

`loki.source.podlogs` is only reported as unhealthy if given an invalid configuration.

## Debug information

`loki.source.podlogs` exposes some target-level debug information per target:

- The labels associated with the target.
- The full set of labels which were found during service discovery.
- The most recent time a log line was read and forwarded to the next components in the pipeline.
- The most recent error from tailing, if any.

## Debug metrics

`loki.source.podlogs` doesn’t expose any component-specific debug metrics.

## Example

This example discovers all `PodLogs` resources and forwards collected logs to a `loki.write` component so they’re written to Loki.

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
loki.source.podlogs "default" {
  forward_to = [loki.write.local.receiver]
}

loki.write "local" {
  endpoint {
    url = sys.env("LOKI_URL")
  }
}
```

This example shows how to preserve discovered Pod labels for use by downstream components:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
loki.source.podlogs "with_label_preservation" {
  forward_to                  = [loki.write.local.receiver]
  preserve_discovered_labels  = true
}

loki.relabel "pod_relabeling" {
  forward_to = [loki.write.local.receiver]

  rule {
    source_labels = ["__meta_kubernetes_pod_label_app"]
    target_label  = "app"
  }

  rule {
    source_labels = ["__meta_kubernetes_pod_annotation_version"]
    target_label  = "version"
  }
}

loki.write "local" {
  endpoint {
    url = sys.env("LOKI_URL")
  }
}
```

This example shows how to use node filtering for DaemonSet deployments to collect logs only from Pods running on the current node:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
loki.source.podlogs "daemonset" {
  forward_to = [loki.write.local.receiver]
  
  node_filter {
    enabled = true
    // node_name will be automatically read from NODE_NAME environment variable
  }
}

loki.write "local" {
  endpoint {
    url = sys.env("LOKI_URL")
  }
}
```

## Compatible components

`loki.source.podlogs` can accept arguments from the following components:

- Components that export [Loki `LogsReceiver`](../../../compatibility/#loki-logsreceiver-exporters)

> Note
> 
> Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.