This is documentation for the next version of Grafana Alloy Documentation. For the latest stable release, go to the latest version.

Documentationbreadcrumb arrow Grafana Alloybreadcrumb arrow Referencebreadcrumb arrow Componentsbreadcrumb arrow lokibreadcrumb arrow loki.secretfilter
Experimental Open source

loki.secretfilter

EXPERIMENTAL: This is an experimental component. Experimental components are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental component, you must set the stability.level flag to experimental.

loki.secretfilter receives log entries and redacts detected secrets from the log lines. The detection relies on regular expression patterns, defined in the Gitleaks configuration file embedded within the component. loki.secretfilter can also use a custom configuration file based on the Gitleaks configuration file structure.

Caution

Personally Identifiable Information (PII) isn’t currently in scope and some secrets could remain undetected. This component may generate false positives or redact too much. Don’t rely solely on this component to redact sensitive information.

Note

This component operates on log lines and doesn’t scan labels or other metadata.

Caution

Detecting secrets can be resource-intensive and can increase CPU usage significantly. Roll out this component gradually and monitor resource usage. Place loki.secretfilter after components that reduce log volume so it processes fewer lines.

Usage

Alloy 
loki.secretfilter "<LABEL>" {
    forward_to = <RECEIVER_LIST>
}

Arguments

You can use the following arguments with loki.secretfilter:

NameTypeDescriptionDefaultRequired
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes
gitleaks_configstringPath to a custom Gitleaks TOML config file. If empty, the default Gitleaks config is used.""no
origin_labelstringLoki label to use for the secrets_redacted_by_origin metric. If empty, that metric is not registered.""no
ratefloatEntry sampling rate in [0.0, 1.0] where 1 processes all entries. Unsampled entries are forwarded unchanged.1.0no
redact_withstringTemplate for the redaction placeholder. Use $SECRET_NAME and $SECRET_HASH, for example, "<$SECRET_NAME:$SECRET_HASH>"""no
redact_percentuintWhen redact_with is not set: percent of the secret to redact (1–100), where 100 is full redaction.80no
drop_on_timeoutboolWhen true, drop entries that exceed processing_timeout instead of forwarding them unredacted.falseno
processing_timeoutdurationMaximum time allowed to process a single log entry. 0 disables the timeout.0no

The gitleaks_config argument is the path to a custom Gitleaks TOML config file. The file supports the standard Gitleaks structure (rules, allowlists, and [extend] to extend the default config). If gitleaks_config is empty, the component uses the default Gitleaks configuration embedded in the component.

Note

The default configuration may change between Alloy versions. For consistent behavior, use an external configuration file via gitleaks_config.

Redaction behavior:

  • If redact_with is set, it is used as the replacement string for every detected secret. The supported placeholders are $SECRET_NAME (rule ID) and $SECRET_HASH (SHA1 hash of the secret).
  • If redact_with is not set, redaction is percentage-based (Gitleaks-style). redact_percent controls how much of the secret is redacted. For example, 80 shows the first 20% of the secret followed by "...". 100 replaces the entire secret with "REDACTED". When redact_percent is 0 or unset, 80% redaction is used.

Sampling: The rate argument controls what fraction of log entries are processed by the secret filter. Entries that Alloy does not select based on the sampling rate pass through unchanged, with no detection or redaction applied. Use a value below 1.0, for example, 0.1 for 10%, to reduce CPU usage when processing high-volume logs. Monitor loki_secretfilter_entries_bypassed_total to observe how many entries were skipped.

Origin metric: The origin_label argument specifies which Loki label to use for the secrets_redacted_by_origin metric, so you can track how many secrets were redacted per source or environment.

Processing timeout: The processing_timeout argument sets a maximum duration for processing each log entry. When the timeout is exceeded, the loki_secretfilter_lines_timed_out_total metric is incremented. By default (drop_on_timeout = false), the original unredacted entry is forwarded so no log lines are lost. When drop_on_timeout = true, entries that exceed the timeout are dropped and the loki_secretfilter_lines_dropped_total metric is incremented.

Caution

Setting drop_on_timeout = true means log lines can be silently dropped. A dropped line can’t be recovered, whereas an unredacted line containing a secret can still be detected and mitigated later. Use this option only when dropping lines is preferable to forwarding potentially unredacted data.

Blocks

The loki.secretfilter component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

NameTypeDescription
receiverLogsReceiverA value that other components can use to send log entries to.

Component health

loki.secretfilter is only reported as unhealthy if given an invalid configuration.

Debug metrics

loki.secretfilter exposes the following Prometheus metrics:

NameTypeDescription
loki_secretfilter_entries_bypassed_totalCounterTotal number of entries forwarded without processing due to sampling.
loki_secretfilter_lines_dropped_totalCounterTotal number of log lines dropped due to processing timeout, when drop_on_timeout is true.
loki_secretfilter_lines_timed_out_totalCounterTotal number of log lines that exceeded the processing timeout, whether dropped or forwarded.
loki_secretfilter_processing_duration_secondsSummaryTime taken to process and redact logs, in seconds.
loki_secretfilter_secrets_redacted_totalCounterTotal number of secrets redacted.
loki_secretfilter_secrets_redacted_by_rule_totalCounterNumber of secrets redacted, partitioned by rule name.
loki_secretfilter_secrets_redacted_by_originCounterNumber of secrets redacted, partitioned by origin label, when origin_label is set.

Example

This example uses loki.secretfilter to redact secrets from log lines before forwarding them to a Loki receiver. It uses a custom redaction template with $SECRET_NAME and $SECRET_HASH.

Alternatively, you can:

  • Omit redact_with to use percentage-based redaction, which defaults to 80% redacted.
  • Set redact_percent to 100 for full redaction.
  • Set gitleaks_config to point to a custom Gitleaks TOML configuration file.
  • Set rate to a value below 1.0 to sample entries and reduce CPU usage; entries not selected are forwarded unchanged.
Alloy 
local.file_match "local_logs" {
    path_targets = "<PATH_TARGETS>"
}

loki.source.file "local_logs" {
    targets    = local.file_match.local_logs.targets
    forward_to = [loki.secretfilter.secret_filter.receiver]
}

loki.secretfilter "secret_filter" {
    forward_to  = [loki.write.local_loki.receiver]
    redact_with = "<ALLOY-REDACTED-SECRET:$SECRET_NAME:$SECRET_HASH>"
    // optional: gitleaks_config = "/etc/alloy/gitleaks.toml"
    // optional: redact_percent = 100  // use when redact_with is not set
}

loki.write "local_loki" {
    endpoint {
        url = "<LOKI_ENDPOINT>"
    }
}

Replace the following:

  • <PATH_TARGETS>: The paths to the log files to monitor.
  • <LOKI_ENDPOINT>: The URL of the Loki instance to send logs to.

Compatible components

loki.secretfilter can accept arguments from the following components:

loki.secretfilter has exports that can be consumed by the following components:

Note

Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.