This is documentation for the next version of Enterprise logs. For the latest stable release, go to the latest version.

Configuration reference

Grafana Enterprise Logs (GEL) can be configured using a YAML file, specified with the -config.file flag, or using CLI flags. If you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GEL component can be seen by visiting the /config HTTP path. Passwords are filtered out of this endpoint.

Reference

To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the schema below. Brackets indicate that a parameter is optional. For general Loki configuration (for example, the compactor and ingester configuration docs), see loki/docs.

Generic placeholders

  • <boolean>: a boolean that can take the values true or false
  • <int>: any integer matching the regular expression [1-9]+[0-9]*
  • <duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
  • <string>: a regular string
  • <url>: a URL
  • <prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flag prefix should be used)
  • <time>: a timestamp, with available formats: 2006-01-20 (midnight, local timezone), 2006-01-20T15:04 (local timezone), and RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

When the -config.expand-env flag is set, you can use environment variable references in the config file to set values that need to be configurable during deployment. To reference a variable, use:

${VAR}

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

${VAR:default_value}

Where default_value is the value to use if the environment variable is undefined.
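The substitution rules above can be checked before startup. The following added example (not GEL's own code) models only the two reference forms documented in this section and reports references that would expand to an empty string, plus values that would alter the YAML structure because substitution happens before parsing. The config fragment, variable names and values are constructed; `expand`, `SAMPLE_CONFIG` and `SAMPLE_ENV` are hypothetical names.

```python
import re

# The two reference forms documented in this section: ${VAR} and ${VAR:default_value}.
REFERENCE = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

# Substitution happens before YAML parsing, so a value is pasted in as raw text.
# These patterns change how YAML reads an unquoted scalar: a line break, a "#" at
# the start or after whitespace (comment), a ":" before whitespace or at the end.
YAML_UNSAFE = re.compile(r"[\r\n]|(?:^|\s)#|:(?:\s|$)")

# Constructed sample: keys come from this reference, values are made up.
SAMPLE_CONFIG = """\
cluster_name: ${CLUSTER_NAME:gel-dev}
auth:
  type: enterprise
admin_client:
  storage:
    type: s3
    s3:
      bucket_name: ${ADMIN_BUCKET}
      access_key_id: ${S3_ACCESS_KEY_ID}
      secret_access_key: ${S3_SECRET_ACCESS_KEY}
"""

# Constructed environment: CLUSTER_NAME and S3_ACCESS_KEY_ID are deliberately missing.
SAMPLE_ENV = {
    "ADMIN_BUCKET": "gel-admin",
    "S3_SECRET_ACCESS_KEY": "constructed #secret",
}


def expand(text, env):
    """Model of the documented expansion. Returns (expanded_text, findings).

    findings is a list of (line_number, variable_name, problem). Variable
    values are never included, so secrets do not end up in the report.
    """
    findings = []
    expanded = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        def substitute(match):
            name, default = match.group(1), match.group(2)
            if name in env:                      # lookup is case-sensitive
                value = env[name]
            elif default is not None:
                value = default
            else:
                findings.append((lineno, name, "undefined"))
                return ""                        # documented fallback: empty string
            if YAML_UNSAFE.search(value):
                findings.append((lineno, name, "yaml-unsafe"))
            return value
        expanded.append(REFERENCE.sub(substitute, line))
    return "\n".join(expanded), findings


if __name__ == "__main__":
    _, problems = expand(SAMPLE_CONFIG, SAMPLE_ENV)
    for lineno, name, problem in problems:
        print(f"line {lineno}: ${{{name}}} is {problem}")
```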

GEL-specific supported contents and default values of the config file

# The admin_api_config configures the admin API.
[admin_api: <admin_api_config>]

# The admin_client_config configures how the Admin API service connects to the
# storage backend.
[admin_client: <admin_client_config>]

# The auth_config configures the authentication type to use.
[auth: <auth_config>]

# Unique ID of this cortex cluster.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The gateway_config configures the gateway proxy.
[gateway: <gateway_config>]

# The license_config configures the license validation module.
[license: <license_config>]

# The tokengen_config configures the tokengen target.
[tokengen: <tokengen_config>]

admin_api_config

The admin_api_config configures the admin API.

# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = false]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -admin-api.leader-election.ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -admin-api.leader-election.ring.etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -admin-api.leader-election.ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate file, which will be used for
        # authenticating with the server. Also requires the key path to be
        # configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key file for the client certificate. Also requires the
        # client certificate to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates file to validate server certificate
        # against. If not set, the host's root CA certificates are used.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Etcd username.
        # CLI flag: -admin-api.leader-election.ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -admin-api.leader-election.ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [eth0 en0]]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 16777216]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit ratelimits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

limits:
  # Enable API based limits per-tenant.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # Period with which to refresh per-tenant limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]

admin_client_config

The admin_client_config configures how the Admin API service connects to the storage backend.

storage:
  # Set a backend to use, (gcs, s3)
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

  # Enable caching on the versioned client
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -admin.client.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -admin.client.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -admin.client.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a server's response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects to S3 via HTTPS and this option is enabled, the
      # client will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON representing either a Google Developers Console
    # client_credentials.json file or a Google Developers service account key
    # file. If empty, fallback to Google default logic.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

  azure:
    # Azure storage account name
    # CLI flag: -admin.client.azure.account-name
    [account_name: <string> | default = ""]

    # Azure storage account key
    # CLI flag: -admin.client.azure.account-key
    [account_key: <string> | default = ""]

    # Azure storage container name
    # CLI flag: -admin.client.azure.container-name
    [container_name: <string> | default = ""]

    # Azure storage endpoint suffix without schema. The account name will be
    # prefixed to this value to create the FQDN
    # CLI flag: -admin.client.azure.endpoint-suffix
    [endpoint_suffix: <string> | default = ""]

    # Number of retries for recoverable errors
    # CLI flag: -admin.client.azure.max-retries
    [max_retries: <int> | default = 20]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]

auth_config

The auth_config configures the authentication type to use.

# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "trust"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as an admin-scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]

gateway_config

The gateway_config configures the gateway proxy.

proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.read-timeout
    [read_timeout: <duration> | default = 2m]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

  ruler:
    # URL for the backend. Use the scheme dns:// for HTTP over gRPC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ruler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ruler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ruler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate file, which will be used for authenticating
    # with the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key file for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates file to validate server certificate against.
    # If not set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ruler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.read-timeout
    [read_timeout: <duration> | default = 2m]

license_config

The license_config configures the license validation module.

# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]

tokengen_config

The tokengen_config configures the tokengen target.

# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be printed to a file at the provided path
# instead of stdout.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]
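
Several options in this reference reduce transport or authentication strength when changed from their defaults: tls_insecure_skip_verify and insecure_skip_verify skip certificate validation, admin_client.storage.s3.insecure switches the S3 endpoint to http://, and auth.override.token makes a fixed string valid as an admin-scope token. The following added example (not GEL's own code) flags those settings in a config file. The sample config and host names are constructed, and the indentation-based reader `flatten` is a hypothetical helper that handles only nested mappings with scalar values, not full YAML.

```python
# Constructed sample config: keys come from this reference, values are made up.
SAMPLE_CONFIG = """\
auth:
  type: enterprise
  override:
    token: "constructed-admin-token"
admin_client:
  storage:
    type: s3
    s3:
      endpoint: minio.example.internal:9000
      insecure: true   # http:// instead of https://
      http:
        insecure_skip_verify: false
gateway:
  proxy:
    default:
      url: http://gel.example.internal:3100
      tls_insecure_skip_verify: false
    admin_api:
      url: dns://admin-api.example.internal:9095
      tls_enabled: true
      tls_insecure_skip_verify: true
"""

# Both spellings used in this reference for "skip validating server certificate".
SKIP_VERIFY_KEYS = {"tls_insecure_skip_verify", "insecure_skip_verify"}


def flatten(yaml_text):
    """Return {dotted.path: value} for nested mappings with scalar values."""
    values, stack = {}, []            # stack holds (indent, key) of open mappings
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, rest = stripped.partition(":")
        if not sep:
            continue                               # not a "key: value" line
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:    # close deeper or sibling blocks
            stack.pop()
        rest = rest.strip()
        if rest == "":
            stack.append((indent, key))            # "key:" opens a nested mapping
        else:
            path = ".".join([k for _, k in stack] + [key])
            values[path] = rest.strip("\"'")
    return values


def audit(yaml_text):
    """Return (path, reason) pairs; setting values are never echoed back."""
    findings = []
    for path, value in sorted(flatten(yaml_text).items()):
        leaf = path.rsplit(".", 1)[-1]
        enabled = value.lower() == "true"
        if leaf in SKIP_VERIFY_KEYS and enabled:
            findings.append((path, "server certificate is not validated"))
        elif path == "admin_client.storage.s3.insecure" and enabled:
            findings.append((path, "S3 endpoint uses http:// instead of https://"))
        elif path == "auth.override.token" and value:
            findings.append((path, "inline string is always accepted as an admin-scope token"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_CONFIG):
        print(f"{path}: {reason}")
```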