Configure Grafana Enterprise Logs on Grafana Labs

GEL Configuration Reference

Mon, 14 Apr 2025 21:05:47 +0000

GEL Configuration reference

Grafana Enterprise Logs can be configured using a YAML file - specified using the -config.file flag - or CLI flags. In case you combine both, CLI flags take precedence over the YAML config file.

The current configuration of any GEL component can be seen by visiting the /config HTTP path. Passwords are filtered out of this endpoint.

Reference

To specify which configuration file to load, pass the -config.file flag at the command line. The file is written in YAML format, defined by the scheme below. Brackets indicate that a parameter is optional. For Loki general configurations (ex: compactor, ingester configuration docs), see the Loki Configuration Reference.

Generic placeholders

<boolean>: a boolean that can take the values true or false
<int>: any integer matching the regular expression [1-9]+[0-9]*
<duration>: a duration matching the regular expression [0-9]+(ns|us|µs|ms|s|m|h|d|w|y) where y = 365 days
<string>: a regular string
<url>: a URL
<prefix>: a CLI flag prefix based on the context (look at the parent configuration block to see which CLI flags prefix should be used)
<time>: a timestamp, with available formats: 2006-01-20 (midnight, local timezone), 2006-01-20T15:04 (local timezone), and RFC 3339 formats: 2006-01-20T15:04:05Z (UTC) or 2006-01-20T15:04:05+07:00 (explicit timezone)

Use environment variables in the configuration

You can use environment variable references in the config file to set values that need to be configurable during deployment by using the -config.expand-env flag. To do this, use:

${VAR}

Where VAR is the name of the environment variable.

Each variable reference is replaced at startup by the value of the environment variable. The replacement is case-sensitive and occurs before the YAML file is parsed. References to undefined variables are replaced by empty strings unless you specify a default value or custom error text.

To specify a default value, use:

${VAR:default_value}

Where default_value is the value to use if the environment variable is undefined.

GEL specific supported contents and default values of the config file

# The admin_api_config configures the admin API.
[admin_api: <admin_api_config>]

# The admin_client_config configures how the Admin API service connects to the
# storage backend.
[admin_client: <admin_client_config>]

# The auth_config configures the authentication type to use.
[auth: <auth_config>]

# Unique ID of this GEL cluster.
# CLI flag: -cluster-name
[cluster_name: <string> | default = ""]

# The gateway_config configures the gateway proxy.
[gateway: <gateway_config>]

# The license_config configures the license validation module.
[license: <license_config>]

# The tokengen_config configures the tokengen target.
[tokengen: <tokengen_config>]

admin_api_config

The admin_api_config configures the admin API.

# Designated header to parse when searching for the grafana user ID of the user
# accessing the API.
# CLI flag: -admin.api.user-header-name
[user_header_name: <string> | default = "X-WEBAUTH-USER"]

leader_election:
  # This flag enables leader election for the admin api.
  # CLI flag: -admin-api.leader-election.enabled
  [enabled: <boolean> | default = true]

  ring:
    kvstore:
      # Backend storage to use for the ring. Supported values are: consul, etcd,
      # inmemory, memberlist, multi.
      # CLI flag: -admin-api.leader-election.ring.store
      [store: <string> | default = "consul"]

      # The prefix for the keys in the store. Should end with a /.
      # CLI flag: -admin-api.leader-election.ring.prefix
      [prefix: <string> | default = "leader-election/"]

      consul:
        # Hostname and port of Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.hostname
        [host: <string> | default = "localhost:8500"]

        # ACL Token used to interact with Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.acl-token
        [acl_token: <string> | default = ""]

        # HTTP timeout when talking to Consul
        # CLI flag: -admin-api.leader-election.ring.consul.client-timeout
        [http_client_timeout: <duration> | default = 20s]

        # Enable consistent reads to Consul.
        # CLI flag: -admin-api.leader-election.ring.consul.consistent-reads
        [consistent_reads: <boolean> | default = false]

        # Rate limit when watching key or prefix in Consul, in requests per
        # second. 0 disables the rate limit.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-rate-limit
        [watch_rate_limit: <float> | default = 1]

        # Burst size used in rate limit. Values less than 1 are treated as 1.
        # CLI flag: -admin-api.leader-election.ring.consul.watch-burst-size
        [watch_burst_size: <int> | default = 1]

        # Maximum duration to wait before retrying a Compare And Swap (CAS)
        # operation.
        # CLI flag: -admin-api.leader-election.ring.consul.cas-retry-delay
        [cas_retry_delay: <duration> | default = 1s]

      etcd:
        # The etcd endpoints to connect to.
        # CLI flag: -admin-api.leader-election.ring.etcd.endpoints
        [endpoints: <list of string> | default = []]

        # The dial timeout for the etcd connection.
        # CLI flag: -admin-api.leader-election.ring.etcd.dial-timeout
        [dial_timeout: <duration> | default = 10s]

        # The maximum number of retries to do for failed ops.
        # CLI flag: -admin-api.leader-election.ring.etcd.max-retries
        [max_retries: <int> | default = 10]

        # Enable TLS.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-enabled
        [tls_enabled: <boolean> | default = false]

        # Path to the client certificate, which will be used for authenticating
        # with the server. Also requires the key path to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cert-path
        [tls_cert_path: <string> | default = ""]

        # Path to the key for the client certificate. Also requires the client
        # certificate to be configured.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-key-path
        [tls_key_path: <string> | default = ""]

        # Path to the CA certificates to validate server certificate against. If
        # not set, the host's root CA certificates are used.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-ca-path
        [tls_ca_path: <string> | default = ""]

        # Override the expected name on the server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-server-name
        [tls_server_name: <string> | default = ""]

        # Skip validating server certificate.
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-insecure-skip-verify
        [tls_insecure_skip_verify: <boolean> | default = false]

        # Override the default cipher suite list (separated by commas).
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-cipher-suites
        [tls_cipher_suites: <string> | default = ""]

        # Override the default minimum TLS version. Allowed values:
        # VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
        # CLI flag: -admin-api.leader-election.ring.etcd.tls-min-version
        [tls_min_version: <string> | default = ""]

        # Etcd username.
        # CLI flag: -admin-api.leader-election.ring.etcd.username
        [username: <string> | default = ""]

        # Etcd password.
        # CLI flag: -admin-api.leader-election.ring.etcd.password
        [password: <string> | default = ""]

      multi:
        # Primary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.primary
        [primary: <string> | default = ""]

        # Secondary backend storage used by multi-client.
        # CLI flag: -admin-api.leader-election.ring.multi.secondary
        [secondary: <string> | default = ""]

        # Mirror writes to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-enabled
        [mirror_enabled: <boolean> | default = false]

        # Timeout for storing value to secondary store.
        # CLI flag: -admin-api.leader-election.ring.multi.mirror-timeout
        [mirror_timeout: <duration> | default = 2s]

    # Period at which to heartbeat to the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-period
    [heartbeat_period: <duration> | default = 15s]

    # The heartbeat timeout after which admin-api instances are considered
    # unhealthy within the ring.
    # CLI flag: -admin-api.leader-election.ring.heartbeat-timeout
    [heartbeat_timeout: <duration> | default = 1m]

    # Period to wait after generating tokens to resolve collisions. Required
    # when using a gossip ring KV store.
    # CLI flag: -admin-api.leader-election.ring.tokens-observe-period
    [tokens_observe_period: <duration> | default = 1m]

    # Name of network interface to read address from.
    # CLI flag: -admin-api.leader-election.ring.instance-interface-names
    [instance_interface_names: <list of string> | default = [eth0]]

    # Port to advertize in the ring (defaults to server.grpc-listen-port).
    # CLI flag: -admin-api.leader-election.ring.instance-port
    [instance_port: <int> | default = 0]

    # IP address to advertize in the ring.
    # CLI flag: -admin-api.leader-election.ring.instance-addr
    [instance_addr: <string> | default = ""]

    # Enable using a IPv6 instance address.
    # CLI flag: -admin-api.leader-election.ring.instance-enable-ipv6
    [instance_enable_ipv6: <boolean> | default = false]

  client_config:
    # gRPC client max receive message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-recv-msg-size
    [max_recv_msg_size: <int> | default = 104857600]

    # gRPC client max send message size (bytes).
    # CLI flag: -admin-api.leader-election.client.grpc-max-send-msg-size
    [max_send_msg_size: <int> | default = 104857600]

    # Use compression when sending messages. Supported values are: 'gzip',
    # 'snappy' and '' (disable compression)
    # CLI flag: -admin-api.leader-election.client.grpc-compression
    [grpc_compression: <string> | default = ""]

    # Rate limit for gRPC client; 0 means disabled.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit
    [rate_limit: <float> | default = 0]

    # Rate limit burst for gRPC client.
    # CLI flag: -admin-api.leader-election.client.grpc-client-rate-limit-burst
    [rate_limit_burst: <int> | default = 0]

    # Enable backoff and retry when we hit rate limits.
    # CLI flag: -admin-api.leader-election.client.backoff-on-ratelimits
    [backoff_on_ratelimits: <boolean> | default = false]

    backoff_config:
      # Minimum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-min-period
      [min_period: <duration> | default = 100ms]

      # Maximum delay when backing off.
      # CLI flag: -admin-api.leader-election.client.backoff-max-period
      [max_period: <duration> | default = 10s]

      # Number of times to backoff and retry before failing.
      # CLI flag: -admin-api.leader-election.client.backoff-retries
      [max_retries: <int> | default = 10]

    # Initial stream window size. Values less than the default are not supported
    # and are ignored. Setting this to a value other than the default disables
    # the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-stream-window-size
    [initial_stream_window_size: <int> | default = 63KiB1023B]

    # Initial connection window size. Values less than the default are not
    # supported and are ignored. Setting this to a value other than the default
    # disables the BDP estimator.
    # CLI flag: -admin-api.leader-election.client.initial-connection-window-size
    [initial_connection_window_size: <int> | default = 63KiB1023B]

    # Enable TLS in the gRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -admin-api.leader-election.client.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -admin-api.leader-election.client.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -admin-api.leader-election.client.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -admin-api.leader-election.client.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -admin-api.leader-election.client.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -admin-api.leader-election.client.tls-min-version
    [tls_min_version: <string> | default = ""]

    # The maximum amount of time to establish a connection. A value of 0 means
    # default gRPC client connect timeout and backoff.
    # CLI flag: -admin-api.leader-election.client.connect-timeout
    [connect_timeout: <duration> | default = 5s]

    # Initial backoff delay after first connection failure. Only relevant if
    # ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-base-delay
    [connect_backoff_base_delay: <duration> | default = 1s]

    # Maximum backoff delay when establishing a connection. Only relevant if
    # ConnectTimeout > 0.
    # CLI flag: -admin-api.leader-election.client.connect-backoff-max-delay
    [connect_backoff_max_delay: <duration> | default = 5s]

limits:
  # Enable API based limits per-tenant.
  # CLI flag: -admin-api.limits.enabled
  [enabled: <boolean> | default = true]

  # Period with which to refresh per-tenant limits.
  # CLI flag: -admin-api.limits.refresh-period
  [refresh_period: <duration> | default = 1m]

admin_client_config

The admin_client_config configures how the Admin API service connects to the storage backend.

storage:
  # Enable caching on the versioned client.
  # CLI flag: -admin.client.cache.enabled
  [enable_cache: <boolean> | default = true]

  cache:
    # Cache backend type. Supported values are: memcached, redis, inmemory.
    # CLI flag: -admin.client.cache.backend
    [backend: <string> | default = "inmemory"]

    memcached:
      # Comma-separated list of memcached addresses. Each address can be an IP
      # address, hostname, or an entry specified in the DNS Service Discovery
      # format.
      # CLI flag: -admin.client.cache.memcached.addresses
      [addresses: <string> | default = ""]

      # The socket read/write timeout.
      # CLI flag: -admin.client.cache.memcached.timeout
      [timeout: <duration> | default = 200ms]

      # The connection timeout.
      # CLI flag: -admin.client.cache.memcached.connect-timeout
      [connect_timeout: <duration> | default = 200ms]

      # The minimum number of idle connections to keep open as a percentage
      # (0-100) of the number of recently used idle connections. If negative,
      # idle connections are kept open indefinitely.
      # CLI flag: -admin.client.cache.memcached.min-idle-connections-headroom-percentage
      [min_idle_connections_headroom_percentage: <float> | default = -1]

      # The maximum number of idle connections that will be maintained per
      # address.
      # CLI flag: -admin.client.cache.memcached.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # The maximum number of concurrent asynchronous operations can occur.
      # CLI flag: -admin.client.cache.memcached.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -admin.client.cache.memcached.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 25000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -admin.client.cache.memcached.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum number of keys a single underlying get operation should run.
      # If more keys are specified, internally keys are split into multiple
      # batches and fetched concurrently, honoring the max concurrency. If set
      # to 0, the max batch size is unlimited.
      # CLI flag: -admin.client.cache.memcached.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 100]

      # The maximum size of an item stored in memcached, in bytes. Bigger items
      # are not stored. If set to 0, no maximum size is enforced.
      # CLI flag: -admin.client.cache.memcached.max-item-size
      [max_item_size: <int> | default = 1048576]

      # Enable connecting to Memcached with TLS.
      # CLI flag: -admin.client.cache.memcached.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.cache.memcached.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.cache.memcached.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.cache.memcached.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.cache.memcached.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -admin.client.cache.memcached.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -admin.client.cache.memcached.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -admin.client.cache.memcached.tls-min-version
      [tls_min_version: <string> | default = ""]

    redis:
      # Redis Server or Cluster configuration endpoint to use for caching. A
      # comma-separated list of endpoints for Redis Cluster or Redis Sentinel.
      # CLI flag: -admin.client.cache.redis.endpoint
      [endpoint: <string> | default = ""]

      # Username to use when connecting to Redis.
      # CLI flag: -admin.client.cache.redis.username
      [username: <string> | default = ""]

      # Password to use when connecting to Redis.
      # CLI flag: -admin.client.cache.redis.password
      [password: <string> | default = ""]

      # Database index.
      # CLI flag: -admin.client.cache.redis.db
      [db: <int> | default = 0]

      # Redis Sentinel master name. An empty string for Redis Server or Redis
      # Cluster.
      # CLI flag: -admin.client.cache.redis.master-name
      [master_name: <string> | default = ""]

      # Client dial timeout.
      # CLI flag: -admin.client.cache.redis.dial-timeout
      [dial_timeout: <duration> | default = 5s]

      # Client read timeout.
      # CLI flag: -admin.client.cache.redis.read-timeout
      [read_timeout: <duration> | default = 3s]

      # Client write timeout.
      # CLI flag: -admin.client.cache.redis.write-timeout
      [write_timeout: <duration> | default = 3s]

      # Maximum number of connections in the pool.
      # CLI flag: -admin.client.cache.redis.connection-pool-size
      [connection_pool_size: <int> | default = 100]

      # Maximum duration to wait to get a connection from pool.
      # CLI flag: -admin.client.cache.redis.connection-pool-timeout
      [connection_pool_timeout: <duration> | default = 4s]

      # Minimum number of idle connections.
      # CLI flag: -admin.client.cache.redis.min-idle-connections
      [min_idle_connections: <int> | default = 10]

      # Amount of time after which client closes idle connections.
      # CLI flag: -admin.client.cache.redis.idle-timeout
      [idle_timeout: <duration> | default = 5m]

      # Close connections older than this duration. If the value is zero, then
      # the pool does not close connections based on age.
      # CLI flag: -admin.client.cache.redis.max-connection-age
      [max_connection_age: <duration> | default = 0s]

      # The maximum size of an item stored in Redis. Bigger items are not
      # stored. If set to 0, no maximum size is enforced.
      # CLI flag: -admin.client.cache.redis.max-item-size
      [max_item_size: <int> | default = 16777216]

      # The maximum number of concurrent asynchronous operations can occur.
      # CLI flag: -admin.client.cache.redis.max-async-concurrency
      [max_async_concurrency: <int> | default = 50]

      # The maximum number of enqueued asynchronous operations allowed.
      # CLI flag: -admin.client.cache.redis.max-async-buffer-size
      [max_async_buffer_size: <int> | default = 25000]

      # The maximum number of concurrent connections running get operations. If
      # set to 0, concurrency is unlimited.
      # CLI flag: -admin.client.cache.redis.max-get-multi-concurrency
      [max_get_multi_concurrency: <int> | default = 100]

      # The maximum size per batch for mget operations.
      # CLI flag: -admin.client.cache.redis.max-get-multi-batch-size
      [max_get_multi_batch_size: <int> | default = 100]

      # Enable connecting to Redis with TLS.
      # CLI flag: -admin.client.cache.redis.tls-enabled
      [tls_enabled: <boolean> | default = false]

      # Path to the client certificate, which will be used for authenticating
      # with the server. Also requires the key path to be configured.
      # CLI flag: -admin.client.cache.redis.tls-cert-path
      [tls_cert_path: <string> | default = ""]

      # Path to the key for the client certificate. Also requires the client
      # certificate to be configured.
      # CLI flag: -admin.client.cache.redis.tls-key-path
      [tls_key_path: <string> | default = ""]

      # Path to the CA certificates to validate server certificate against. If
      # not set, the host's root CA certificates are used.
      # CLI flag: -admin.client.cache.redis.tls-ca-path
      [tls_ca_path: <string> | default = ""]

      # Override the expected name on the server certificate.
      # CLI flag: -admin.client.cache.redis.tls-server-name
      [tls_server_name: <string> | default = ""]

      # Skip validating server certificate.
      # CLI flag: -admin.client.cache.redis.tls-insecure-skip-verify
      [tls_insecure_skip_verify: <boolean> | default = false]

      # Override the default cipher suite list (separated by commas).
      # CLI flag: -admin.client.cache.redis.tls-cipher-suites
      [tls_cipher_suites: <string> | default = ""]

      # Override the default minimum TLS version. Allowed values: VersionTLS10,
      # VersionTLS11, VersionTLS12, VersionTLS13
      # CLI flag: -admin.client.cache.redis.tls-min-version
      [tls_min_version: <string> | default = ""]

    # How long an item should be cached before being evicted. Only available for
    # remote cache types (memcached, redis).
    # CLI flag: -admin.client.cache.expiration
    [expiration: <duration> | default = 24h]

    # How frequently to reload tokens from storage to keep the cache warm.
    # Default disabled.
    # CLI flag: -admin.client.cache.refresh-interval
    [refresh_interval: <duration> | default = 0s]

  # Backend storage to use. Supported backends are: s3, gcs, azure, swift,
  # filesystem.
  # CLI flag: -admin.client.backend
  [backend: <string> | default = "s3"]

  s3:
    # The S3 bucket endpoint. It could be an AWS S3 endpoint listed at
    # https://docs.aws.amazon.com/general/latest/gr/s3.html or the address of an
    # S3-compatible service in hostname:port format.
    # CLI flag: -admin.client.s3.endpoint
    [endpoint: <string> | default = ""]

    # S3 region. If unset, the client will issue a S3 GetBucketLocation API call
    # to autodetect it.
    # CLI flag: -admin.client.s3.region
    [region: <string> | default = ""]

    # S3 bucket name
    # CLI flag: -admin.client.s3.bucket-name
    [bucket_name: <string> | default = ""]

    # S3 secret access key
    # CLI flag: -admin.client.s3.secret-access-key
    [secret_access_key: <string> | default = ""]

    # S3 session token
    # CLI flag: -admin.client.s3.session-token
    [session_token: <string> | default = ""]

    # S3 access key ID
    # CLI flag: -admin.client.s3.access-key-id
    [access_key_id: <string> | default = ""]

    # If enabled, use http:// for the S3 endpoint instead of https://. This
    # could be useful in local dev/test environments while using an
    # S3-compatible backend storage, like Minio.
    # CLI flag: -admin.client.s3.insecure
    [insecure: <boolean> | default = false]

    # The signature version to use for authenticating against S3. Supported
    # values are: v4, v2.
    # CLI flag: -admin.client.s3.signature-version
    [signature_version: <string> | default = "v4"]

    # The S3 storage class to use. Details can be found at
    # https://aws.amazon.com/s3/storage-classes/.
    # CLI flag: -admin.client.s3.storage-class
    [storage_class: <string> | default = "STANDARD"]

    sse:
      # Enable AWS Server Side Encryption. Supported values: SSE-KMS, SSE-S3.
      # CLI flag: -admin.client.s3.sse.type
      [type: <string> | default = ""]

      # KMS Key ID used to encrypt objects in S3
      # CLI flag: -admin.client.s3.sse.kms-key-id
      [kms_key_id: <string> | default = ""]

      # KMS Encryption Context used for object encryption. It expects JSON
      # formatted string.
      # CLI flag: -admin.client.s3.sse.kms-encryption-context
      [kms_encryption_context: <string> | default = ""]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.s3.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a servers response headers.
      # CLI flag: -admin.client.s3.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects via HTTPS and this option is enabled, the client
      # will accept any certificate and hostname.
      # CLI flag: -admin.client.s3.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.s3.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.s3.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.s3.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.s3.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.s3.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

  gcs:
    # GCS bucket name
    # CLI flag: -admin.client.gcs.bucket-name
    [bucket_name: <string> | default = ""]

    # JSON representing either a Google Developers Console
    # client_credentials.json file or a Google Developers service account key
    # file. If empty, fallback to Google default logic.
    # CLI flag: -admin.client.gcs.service-account
    [service_account: <string> | default = ""]

  azure:
    # Azure storage account name
    # CLI flag: -admin.client.azure.account-name
    [account_name: <string> | default = ""]

    # Azure storage account key
    # CLI flag: -admin.client.azure.account-key
    [account_key: <string> | default = ""]

    # Azure storage container name
    # CLI flag: -admin.client.azure.container-name
    [container_name: <string> | default = "loki"]

    # Azure storage endpoint suffix without schema. The account name will be
    # prefixed to this value to create the FQDN
    # CLI flag: -admin.client.azure.endpoint-suffix
    [endpoint_suffix: <string> | default = ""]

    # Number of retries for recoverable errors
    # CLI flag: -admin.client.azure.max-retries
    [max_retries: <int> | default = 20]

    http:
      # The time an idle connection will remain idle before closing.
      # CLI flag: -admin.client.azure.http.idle-conn-timeout
      [idle_conn_timeout: <duration> | default = 1m30s]

      # The amount of time the client will wait for a servers response headers.
      # CLI flag: -admin.client.azure.http.response-header-timeout
      [response_header_timeout: <duration> | default = 2m]

      # If the client connects via HTTPS and this option is enabled, the client
      # will accept any certificate and hostname.
      # CLI flag: -admin.client.azure.http.insecure-skip-verify
      [insecure_skip_verify: <boolean> | default = false]

      # Maximum time to wait for a TLS handshake. 0 means no limit.
      # CLI flag: -admin.client.azure.tls-handshake-timeout
      [tls_handshake_timeout: <duration> | default = 10s]

      # The time to wait for a server's first response headers after fully
      # writing the request headers if the request has an Expect header. 0 to
      # send the request body immediately.
      # CLI flag: -admin.client.azure.expect-continue-timeout
      [expect_continue_timeout: <duration> | default = 1s]

      # Maximum number of idle (keep-alive) connections across all hosts. 0
      # means no limit.
      # CLI flag: -admin.client.azure.max-idle-connections
      [max_idle_connections: <int> | default = 100]

      # Maximum number of idle (keep-alive) connections to keep per-host. If 0,
      # a built-in default value is used.
      # CLI flag: -admin.client.azure.max-idle-connections-per-host
      [max_idle_connections_per_host: <int> | default = 100]

      # Maximum number of connections per host. 0 means no limit.
      # CLI flag: -admin.client.azure.max-connections-per-host
      [max_connections_per_host: <int> | default = 0]

  swift:
    # OpenStack Swift authentication API version. 0 to autodetect.
    # CLI flag: -admin.client.swift.auth-version
    [auth_version: <int> | default = 0]

    # OpenStack Swift authentication URL
    # CLI flag: -admin.client.swift.auth-url
    [auth_url: <string> | default = ""]

    # Set this to true to use the internal OpenStack Swift endpoint URL
    # CLI flag: -admin.client.swift.internal
    [internal: <boolean> | default = false]

    # OpenStack Swift username.
    # CLI flag: -admin.client.swift.username
    [username: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.user-domain-name
    [user_domain_name: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.user-domain-id
    [user_domain_id: <string> | default = ""]

    # OpenStack Swift user ID.
    # CLI flag: -admin.client.swift.user-id
    [user_id: <string> | default = ""]

    # OpenStack Swift API key.
    # CLI flag: -admin.client.swift.password
    [password: <string> | default = ""]

    # OpenStack Swift user's domain ID.
    # CLI flag: -admin.client.swift.domain-id
    [domain_id: <string> | default = ""]

    # OpenStack Swift user's domain name.
    # CLI flag: -admin.client.swift.domain-name
    [domain_name: <string> | default = ""]

    # OpenStack Swift project ID (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-id
    [project_id: <string> | default = ""]

    # OpenStack Swift project name (v2,v3 auth only).
    # CLI flag: -admin.client.swift.project-name
    [project_name: <string> | default = ""]

    # ID of the OpenStack Swift project's domain (v3 auth only), only needed if
    # it differs the from user domain.
    # CLI flag: -admin.client.swift.project-domain-id
    [project_domain_id: <string> | default = ""]

    # Name of the OpenStack Swift project's domain (v3 auth only), only needed
    # if it differs from the user domain.
    # CLI flag: -admin.client.swift.project-domain-name
    [project_domain_name: <string> | default = ""]

    # OpenStack Swift Region to use (v2,v3 auth only).
    # CLI flag: -admin.client.swift.region-name
    [region_name: <string> | default = ""]

    # Name of the OpenStack Swift container to put chunks in.
    # CLI flag: -admin.client.swift.container-name
    [container_name: <string> | default = ""]

    # Max retries on requests error.
    # CLI flag: -admin.client.swift.max-retries
    [max_retries: <int> | default = 3]

    # Time after which a connection attempt is aborted.
    # CLI flag: -admin.client.swift.connect-timeout
    [connect_timeout: <duration> | default = 10s]

    # Time after which an idle request is aborted. The timeout watchdog is reset
    # each time some data is received, so the timeout triggers after X time no
    # data is received on a request.
    # CLI flag: -admin.client.swift.request-timeout
    [request_timeout: <duration> | default = 5s]

  filesystem:
    # Local filesystem storage directory.
    # CLI flag: -admin.client.filesystem.dir
    [dir: <string> | default = ""]

  # Set a backend to use, (gcs, s3, azure). Deprecated, please use
  # '-admin.client.backend' instead.
  # CLI flag: -admin.client.backend-type
  [type: <string> | default = ""]

# If set to true, the built-in __admin__ access policy will not be active.
# CLI flag: -admin.client.disable-default-admin-policy
[disable_default_admin_policy: <boolean> | default = false]

auth_config

The auth_config configures the authentication type to use.

# method for authenticating incoming HTTP requests, (trust, enterprise).
# CLI flag: -auth.type
[type: <string> | default = "enterprise"]

# requires admin level auth for the /metrics endpoint.
# CLI flag: -auth.required-for-metrics
[required_for_metrics: <boolean> | default = false]

override:
  # Override admin token. If set, this string will always be accepted as a token
  # with admin level scope.
  # CLI flag: -auth.override.token
  [token: <string> | default = ""]

  # If set, this file will be read at startup and the string from that file will
  # be used as a admin scoped token.
  # CLI flag: -auth.override.token-file
  [token_file: <string> | default = ""]

admin:
  # how long auth responses should be cached
  # CLI flag: -auth.cache.ttl
  [cache_ttl: <duration> | default = 10m]

  cache_refresh:
    # Whether asynchronous background refreshes are enabled.
    # CLI flag: -auth.cache.refresh.enabled
    [enabled: <boolean> | default = false]

    # Number of workers for background asynchronous refresh.
    # CLI flag: -auth.cache.refresh.concurrency
    [concurrency: <int> | default = 2]

    # Maximum number of pending background refreshes.
    # CLI flag: -auth.cache.refresh.buffer
    [buffer: <int> | default = 256]

    # Remaining time to live of an item when background refreshes may begin to
    # occur.
    # CLI flag: -auth.cache.refresh.refresh-ttl
    [refresh_ttl: <duration> | default = 3m]

    # Minimum time distance between retries if a refresh attempt fails, 0 means
    # that every sub-sequent get operation will result in a retry.
    # CLI flag: -auth.cache.refresh.retry-interval
    [retry_interval: <duration> | default = 30s]

  oidc:
    # JWT token issuer URL (example "https://accounts.google.com")
    # CLI flag: -auth.admin.oidc.issuer-url
    [issuer_url: <string> | default = ""]

    # claim in the JWT token containing the access policy
    # CLI flag: -auth.admin.oidc.access-policy-claim
    [access_policy_claim: <string> | default = ""]

    # regex to extract the access policy from the JWT token. The first submatch
    # of the provided regex expression will be used.
    # CLI flag: -auth.admin.oidc.access-policy-regex
    [access_policy_regex: <string> | default = ""]

    # optional audience to check in JWT token
    # CLI flag: -auth.admin.oidc.audience
    [audience: <string> | default = ""]

    # name of the access policy to use when the token doesn't contain an access
    # policy
    # CLI flag: -auth.admin.oidc.default-access-policy
    [default_access_policy: <string> | default = ""]

    # enable ADFS compatibility
    # CLI flag: -auth.admin.oidc.adfs-compatibility
    [adfs_compatibility: <boolean> | default = false]

gateway_config

The gateway_config configures the gateway proxy.

proxy:
  default:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.default.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.default.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.default.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.default.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.default.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.default.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.default.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.default.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.default.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.default.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.default.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.default.read-timeout
    [read_timeout: <duration> | default = 2m]

  admin_api:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.admin-api.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.admin-api.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.admin-api.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.admin-api.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.admin-api.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.admin-api.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.admin-api.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.admin-api.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.admin-api.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.admin-api.read-timeout
    [read_timeout: <duration> | default = 2m]

  compactor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.compactor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.compactor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.compactor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.compactor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.compactor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.compactor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.compactor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.compactor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.compactor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.compactor.read-timeout
    [read_timeout: <duration> | default = 2m]

  distributor:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.distributor.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.distributor.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.distributor.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.distributor.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.distributor.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.distributor.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.distributor.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.distributor.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.distributor.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.distributor.read-timeout
    [read_timeout: <duration> | default = 2m]

  ingester:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ingester.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ingester.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ingester.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ingester.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ingester.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ingester.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ingester.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.ingester.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ingester.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ingester.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_frontend:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-frontend.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-frontend.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-frontend.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-frontend.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-frontend.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-frontend.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.query-frontend.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.query-frontend.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-frontend.read-timeout
    [read_timeout: <duration> | default = 2m]

  ruler:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.ruler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.ruler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.ruler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.ruler.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.ruler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.ruler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.ruler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.ruler.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.ruler.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.ruler.read-timeout
    [read_timeout: <duration> | default = 2m]

  query_scheduler:
    # URL for the backend. Use the scheme dns:// for HTTP over GPRC and the
    # scheme h2c:// for HTTP2 proxying.
    # CLI flag: -gateway.proxy.query-scheduler.url
    [url: <string> | default = ""]

    # Enable keep alive for the backend.
    # CLI flag: -gateway.proxy.query-scheduler.enable-keepalive
    [enable_keepalive: <boolean> | default = true]

    # Enable TLS in the GRPC client. This flag needs to be enabled when any
    # other TLS flag is set. If set to false, insecure connection to gRPC server
    # will be used.
    # CLI flag: -gateway.proxy.query-scheduler.tls-enabled
    [tls_enabled: <boolean> | default = false]

    # Timeout when dialing backend. For proxying over GRPC, this will be used
    # only during the initial dial at startup. For proxying over HTTP this is
    # the connection timeout. Set to 0 to disable.
    # CLI flag: -gateway.proxy.query-scheduler.dial-timeout
    [dial_timeout: <duration> | default = 5s]

    # Path to the client certificate, which will be used for authenticating with
    # the server. Also requires the key path to be configured.
    # CLI flag: -gateway.proxy.query-scheduler.tls-cert-path
    [tls_cert_path: <string> | default = ""]

    # Path to the key for the client certificate. Also requires the client
    # certificate to be configured.
    # CLI flag: -gateway.proxy.query-scheduler.tls-key-path
    [tls_key_path: <string> | default = ""]

    # Path to the CA certificates to validate server certificate against. If not
    # set, the host's root CA certificates are used.
    # CLI flag: -gateway.proxy.query-scheduler.tls-ca-path
    [tls_ca_path: <string> | default = ""]

    # Override the expected name on the server certificate.
    # CLI flag: -gateway.proxy.query-scheduler.tls-server-name
    [tls_server_name: <string> | default = ""]

    # Skip validating server certificate.
    # CLI flag: -gateway.proxy.query-scheduler.tls-insecure-skip-verify
    [tls_insecure_skip_verify: <boolean> | default = false]

    # Override the default cipher suite list (separated by commas).
    # CLI flag: -gateway.proxy.query-scheduler.tls-cipher-suites
    [tls_cipher_suites: <string> | default = ""]

    # Override the default minimum TLS version. Allowed values: VersionTLS10,
    # VersionTLS11, VersionTLS12, VersionTLS13
    # CLI flag: -gateway.proxy.query-scheduler.tls-min-version
    [tls_min_version: <string> | default = ""]

    # Timeout for write requests to the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-scheduler.write-timeout
    [write_timeout: <duration> | default = 30s]

    # Timeout for read requests the backend, set to <=0 to disable.
    # CLI flag: -gateway.proxy.query-scheduler.read-timeout
    [read_timeout: <duration> | default = 2m]

license_config

The license_config configures the license validation module.

# Filepath to license jwt file.
# CLI flag: -license.path
[path: <string> | default = "./license.jwt"]

# Interval to check for new or existing licenses.
# CLI flag: -license.sync-interval
[sync_interval: <duration> | default = 1h]

tokengen_config

The tokengen_config configures the tokengen target.

# The name of the access policy to generate a token for. It defaults to the
# built-in admin policy.
# CLI flag: -tokengen.access-policy
[access_policy: <string> | default = "__admin__"]

# If set, the generated token will be written to a file at the provided path in
# addition to being logged. Note that if the file already exists, it will not be
# overwritten, and tokengen will fail with an error.
# CLI flag: -tokengen.token-file
[token_file: <string> | default = ""]

Integrate Grafana Enterprise Logs with an existing OAuth

Tue, 16 Jul 2024 15:42:20 +0000

Integrate Grafana Enterprise Logs with an existing OAuth

Grafana Enterprise Logs (GEL) supports the OpenID Connect (OIDC) core standard to validate tokens. This allows you to integrate GEL with an existing OAuth token provider at your organization.

To support OIDC, provide a URL in the auth.admin.oidc.url setting. This corresponds to the jwks_uri field in the JSON object found at the OpenID Connect Discovery endpoints such as https://<example.com>/.well-known/openid-configuration.

A JSON web token (JWT) is included as the password in HTTP basic authentication or as part of a bearer token in bearer authentication. The bearer token should have two parts separated by a :. The first part is the tenant ID. The second part is the JWT.

The JWT is validated against the URL specified above. If it is valid then an access policy name is extracted. The regular expression in auth.admin.oidc.access_policy_regex is run against the JWT claim field specified in auth.admin.oidc.access_policy_claim.

A sub-match has to be present to extract the access policy. Only the first sub-match is used. You can use the regular expression (.*) for the whole claim field.

The regular expression syntax is RE2.

Example OAuth configuration

To use OIDC specify the auth.type as enterprise. Here is an example auth section:

auth:
  type: enterprise
  admin:
    oidc:
      url: http://127.0.0.1:5556/dex/keys
      access_policy_claim: "sub"
      access_policy_regex: "pref-([0-9]+)-.*"

Here is an example payload section of a valid JWT:

{
  "sub": "pref-1234567890-abc",
  "name": "John Doe",
  "admin": true
}

The extracted access policy is 1234567890.

Configure the Grafana Enterprise Logs gateway

Mon, 14 Apr 2025 21:05:47 +0000

Configure the Grafana Enterprise Logs gateway

Note: This feature is only available in v1.1.0 release candidates. For the latest release candidates, refer to Download Grafana Enterprise Logs.

The Grafana Enterprise Logs (GEL) gateway is a service target. It can proxy requests to other GEL microservices. You can also use it for client-side load balancing of requests proxied to the distributors.

Configuration

There is more than one way to configure the gateway: you can configure it via a code block in the YAML configuration file for GEL, or you can use command-line flags.

Configuration code block

The gateway has its own configuration block in the GEL configuration files:

gateway:
  proxy:
    default: <backend_proxy_config>
    [ admin_api: <backend_proxy_config> ]
    [ compactor: <backend_proxy_config> ]
    [ distributor: <backend_proxy_config> ]
    [ ingester: <backend_proxy_config> ]
    [ query_frontend: <backend_proxy_config> ]
    [ ruler: <backend_proxy_config> ]

Configuration flags

To configure the gateway via command-line flags, make sure that each flag contains the path to the equivalent configuration field.

To configure the distributor backend proxy URL, use the flag -gateway.proxy.distributor.url=<distributor URL>.

Likewise, given a configuration file field path of gateway.proxy.query_frontend.url, the flag is gateway.proxy.query-frontend.url.

Note
A path is joined by a period (.) and dashes (-). Underscores (_) are invalid within these command-line flags.

Configure the backend proxy

A backend_proxy section specifies the URL and configuration of the backend that you want proxied. A URL is only required for the default proxy configuration. All other proxy configurations use the default URL if it is not explicitly configured. Other proxy configurations do not inherit any other configuration from the default proxy configuration.

url: <url> | default = <gateway.proxy.default.url>
[ enable_keepalive: <boolean> | default = true ]
[ tls_enabled: <boolean> | default = false ]
[ tls_ca_path: <string> | default = "" ]
[ tls_cert_path: <string> | default = "" ]
[ tls_key_path: <string> | default = "" ]
[ tls_insecure_skip_verify: <boolean> | default = false ]
[ read_timeout: <duration> | default = "120s" ]
[ write_timeout: <duration> | default = "30s" ]

Client-side load balancing

If you use a backend proxy URL that beings with dns:///, the gateway creates a gRPC proxy with client-side round-robin load balancing instead of the default HTTP reverse proxy. To configure client-side load balancing for requests to the distributors only, set the gateway.proxy.distributor.url to dns:///<distributor service>.

Note
There are three / characters in the preceding DNS URL, which means that you are using the default DNS authority. For details about DNS URLs, refer to RFC 4501.

Client-side load balancing is useful in ensuring that distributors are evenly loaded with requests. Prometheus remote-write clients use HTTP persistent connections, also known as HTTP keep-alive, the clients re-use a single TCP connection for multiple requests and responses, which results in reduced latency for subsequent requests.

Kubernetes Services are not load balancers; initial TCP connections are made using a random endpoint. After the connection is established, the same remote-write client talks to the same distributor server for its lifetime. This can mean an uneven load for your distributors and worse cluster performance overall.

The GEL gateway solves this problem by exposing an HTTP server for receiving the client requests while using gRPC to talk to the distributors. The gRPC proxy maintains a list of endpoints that are returned from the DNS lookup, and keeps persistent connections to each endpoint. The proxies are also configured to perform per-request, client-side load balancing across the endpoints.

Ring endpoints

The Gateway exposes the ring endpoints for the rulers, distributors, ingesters and compactors. These endpoints require admin scope permissions.

/ring for the ingesters
/ruler/ring for the rulers
/compactor/ring for the compactors
/distributor/ring for the distributors