loki.secretfilter

EXPERIMENTAL: This is an experimental component. Experimental components are subject to frequent breaking changes, and may be removed with no equivalent replacement. To enable and use an experimental component, you must set the stability.level flag to experimental.

loki.secretfilter receives log entries and redacts detected secrets from the log lines. The detection relies on regular expression patterns, defined in the Gitleaks configuration file embedded within the component. loki.secretfilter can also use a custom configuration file based on the Gitleaks configuration file structure.

Caution

Personally Identifiable Information (PII) isn’t currently in scope and some secrets could remain undetected. This component may generate false positives or redact too much. Don’t rely solely on this component to redact sensitive information.

Note

This component operates on log lines and doesn’t scan labels or other metadata.

Caution

Detecting secrets can be resource-intensive and can increase CPU usage significantly. Roll out this component gradually and monitor resource usage. Place loki.secretfilter after components that reduce log volume so it processes fewer lines.

Usage

Alloy
loki.secretfilter "<LABEL>" {
    forward_to = <RECEIVER_LIST>
}

Arguments

You can use the following arguments with loki.secretfilter:

| Name | Type | Description | Default | Required |
|---|---|---|---|---|
| forward_to | list(LogsReceiver) | List of receivers to send log entries to. | | yes |
| gitleaks_config | string | Path to a custom Gitleaks TOML config file. If empty, the default Gitleaks config is used. | "" | no |
| origin_label | string | Loki label to use for the secrets_redacted_by_origin metric. If empty, that metric is not registered. | "" | no |
| redact_with | string | Template for the redaction placeholder. Use $SECRET_NAME and $SECRET_HASH. E.g.: "<$SECRET_NAME:$SECRET_HASH>" | "" | no |
| redact_percent | uint | When redact_with is not set: percent of the secret to redact (1–100), where 100 is full redaction. | 80 | no |

The gitleaks_config argument is the path to a custom Gitleaks TOML config file. The file supports the standard Gitleaks structure (rules, allowlists, and [extend] to extend the default config). If gitleaks_config is empty, the component uses the default Gitleaks configuration embedded in the component.

Note

The default configuration may change between Alloy versions. For consistent behavior, use an external configuration file via gitleaks_config.

Redaction behavior:

  • If redact_with is set, it is used as the replacement string for every detected secret. The supported placeholders are $SECRET_NAME (rule ID) and $SECRET_HASH (SHA1 hash of the secret).
  • If redact_with is not set, redaction is percentage-based (Gitleaks-style). redact_percent controls how much of the secret is redacted. For example, 80 shows the first 20% of the secret followed by "...". 100 replaces the entire secret with "REDACTED". When redact_percent is 0 or unset, 80% redaction is used.

Origin metric: The origin_label argument specifies which Loki label to use for the secrets_redacted_by_origin metric, so you can track how many secrets were redacted per source or environment.
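To make the two redaction modes concrete, here is a small Go program added for this page (it is not Alloy's own code) that applies one constructed Gitleaks-style rule to a constructed log line, first with a redact_with template and then with redact_percent. The rule ID, regex, token and log line are made up for the example, and treating the whole regex match as the secret and rounding the kept length down are assumptions.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// RedactWithTemplate expands $SECRET_NAME (rule ID) and $SECRET_HASH (hex SHA1 of the secret).
func RedactWithTemplate(tmpl, ruleID, secret string) string {
	sum := sha1.Sum([]byte(secret))
	return strings.NewReplacer("$SECRET_NAME", ruleID, "$SECRET_HASH", hex.EncodeToString(sum[:])).Replace(tmpl)
}

// RedactPercent keeps the leading (100-percent)% of the secret and appends "...".
// 100 yields "REDACTED"; 0 falls back to 80. Rounding the kept length down is an assumption.
func RedactPercent(secret string, percent uint) string {
	if percent == 0 {
		percent = 80
	}
	if percent >= 100 {
		return "REDACTED"
	}
	return secret[:len(secret)*int(100-percent)/100] + "..."
}

// Redact applies one Gitleaks-style rule (ID plus regex) to a log line. Assumptions: the whole
// regex match is the secret, and an empty redactWith selects percentage mode, as in the component.
func Redact(line, ruleID string, re *regexp.Regexp, redactWith string, percent uint) string {
	return re.ReplaceAllStringFunc(line, func(secret string) string {
		if redactWith != "" {
			return RedactWithTemplate(redactWith, ruleID, secret)
		}
		return RedactPercent(secret, percent)
	})
}

func main() {
	// Constructed rule and log line for this example; the token is not a real credential.
	re := regexp.MustCompile(`tok_[A-Za-z0-9]{16}`)
	line := "login ok user=alice token=tok_ABCDEFGHIJKLMNOP"
	fmt.Println(Redact(line, "example-token", re, "<ALLOY-REDACTED-SECRET:$SECRET_NAME:$SECRET_HASH>", 0))
	fmt.Println(Redact(line, "example-token", re, "", 80))  // ...token=tok_...
	fmt.Println(Redact(line, "example-token", re, "", 100)) // ...token=REDACTED
}
```

The hash in the template output lets you correlate repeated occurrences of the same secret across lines without storing the secret itself.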

Blocks

The loki.secretfilter component doesn’t support any blocks. You can configure this component with arguments.

Exported fields

The following fields are exported and can be referenced by other components:

| Name | Type | Description |
|---|---|---|
| receiver | LogsReceiver | A value that other components can use to send log entries to. |

Component health

loki.secretfilter is only reported as unhealthy if given an invalid configuration.

Debug metrics

loki.secretfilter exposes the following Prometheus metrics:

| Name | Type | Description |
|---|---|---|
| loki_secretfilter_processing_duration_seconds | Summary | Time taken to process and redact logs, in seconds. |
| loki_secretfilter_secrets_redacted_total | Counter | Total number of secrets redacted. |
| loki_secretfilter_secrets_redacted_by_rule_total | Counter | Number of secrets redacted, partitioned by rule name. |
| loki_secretfilter_secrets_redacted_by_origin | Counter | Number of secrets redacted, partitioned by origin label, when origin_label is set. |

Example

This example uses loki.secretfilter to redact secrets from log lines before forwarding them to a Loki receiver. It uses a custom redaction template with $SECRET_NAME and $SECRET_HASH.

Alternatively, you can:

  • Omit redact_with to use percentage-based redaction, which defaults to 80% redacted.
  • Set redact_percent to 100 for full redaction.
  • Set gitleaks_config to point to a custom Gitleaks TOML configuration file.
Alloy
local.file_match "local_logs" {
    path_targets = "<PATH_TARGETS>"
}

loki.source.file "local_logs" {
    targets    = local.file_match.local_logs.targets
    forward_to = [loki.secretfilter.secret_filter.receiver]
}

loki.secretfilter "secret_filter" {
    forward_to  = [loki.write.local_loki.receiver]
    redact_with = "<ALLOY-REDACTED-SECRET:$SECRET_NAME:$SECRET_HASH>"
    // optional: gitleaks_config = "/etc/alloy/gitleaks.toml"
    // optional: redact_percent = 100  // use when redact_with is not set
}

loki.write "local_loki" {
    endpoint {
        url = "<LOKI_ENDPOINT>"
    }
}

Replace the following:

  • <PATH_TARGETS>: The paths to the log files to monitor.
  • <LOKI_ENDPOINT>: The URL of the Loki instance to send logs to.

Compatible components

loki.secretfilter can accept arguments from the following components:

loki.secretfilter has exports that can be consumed by the following components:

Note

Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.