Set up a Grafana Enterprise Logs cluster

Grafana Enterprise Logs (GEL) is available as a pre-compiled binary, a Docker image, as well as via common OS-specific packaging. For a list of available download options, refer to the Releases page.

Note

You can use Grafana Cloud to avoid installing, maintaining, and scaling your own instance of GEL. The free forever plan includes 50GB of free logs. Create an account to get started.

Get a GEL license

A valid Grafana Enterprise Logs license token is required to run GEL’s many added features. Without a valid license token, not all of GEL’s added features will run. However, GEL will still run with all of the functionality of an open-source Loki binary.

If you already have a license for GEL, download it:

  1. From https://grafana.com, select Login.
  2. From the left-hand menu, select Licenses to download the license token.

If you do not yet have a license token to run GEL, contact a Grafana Labs representative.

Choose a name for your GEL cluster

GEL licenses are issued on a per-cluster basis. Each cluster of GEL that you plan to deploy requires a unique license. When we issue a GEL license, we must have a unique cluster name with which to associate the license.

A cluster name must meet the following criteria:

  • is 3 to 63 characters long
  • contains lowercase letters, numbers, underscores (_), or hyphens (-)
  • begins with a letter or number
  • ends with a letter or number
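
The criteria above can be checked before you request a license. The following script is an added example, not code from Grafana Labs; the function name `check_gel_cluster_name` is hypothetical, the sample names are constructed, and it assumes "contains" means the name consists only of the listed characters.

```bash
#!/usr/bin/env bash
# Added example (not Grafana Labs code): check a proposed GEL cluster name
# against the four documented criteria before requesting a license.
# Assumption: the name may consist only of the listed characters.

# Prints "ok" and returns 0, or prints the first violated rule and returns 1.
check_gel_cluster_name() {
  local name="$1"
  local len="${#name}"

  # Rule 1: 3 to 63 characters long.
  if [ "$len" -lt 3 ] || [ "$len" -gt 63 ]; then
    echo "length: got $len characters, need 3 to 63"
    return 1
  fi

  # Rule 2: lowercase letters, numbers, underscores, hyphens.
  # The set is spelled out instead of a-z so that locale collation
  # cannot let uppercase or accented letters through.
  case $name in
    *[!abcdefghijklmnopqrstuvwxyz0123456789_-]*)
      echo "charset: only a-z, 0-9, '_' and '-' are allowed"
      return 1 ;;
  esac

  # Rules 3 and 4: after rule 2, only '_' or '-' can break these.
  case $name in
    [_-]*) echo "start: must begin with a letter or number"; return 1 ;;
    *[_-]) echo "end: must end with a letter or number"; return 1 ;;
  esac

  echo "ok"
}

# Constructed sample names: two valid ones, then one per failing rule.
for candidate in prod-logs_01 3rd-cluster ab Prod-Logs logs.eu _staging staging-; do
  printf '%-14s %s\n' "$candidate" "$(check_gel_cluster_name "$candidate")"
done
```

Unlike a Kubernetes DNS label, these criteria allow underscores, so a name that passes this check is not necessarily usable as a namespace or resource name.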

Create admin token secret (Required for Provisioner)

If you are using the enterprise provisioner to automatically create tenant tokens, you must first create an admin token secret. Create this secret before deploying the Helm chart so your overrides file can reference it during installation.

  1. Generate an admin token using the Loki CLI:

    Bash
    docker run grafana/enterprise-logs:latest -target=tokengen -tokengen.token-file=/tmp/token
  2. Copy the generated token from the container:

    Bash
    docker cp <container-id>:/tmp/token ./admin-token
  3. Create the admin token secret:

    Bash
    kubectl create secret generic loki-admin-token \
      --from-file=token=./admin-token \
      --namespace {KUBERNETES_NAMESPACE}
  4. Update your overrides file to reference this secret and enable the provisioner. For example, the following configuration creates a tenant named loki-a:

    YAML
    enterprise:
      adminToken:
        secret: loki-admin-token
      provisioner:
        enabled: true
        additionalTenants:
          - name: loki-a
            secretNamespace: loki

    An additional tenant for monitoring is also created based on the value of .Values.monitoring.selfMonitoring.tenant.

Deploy your GEL cluster

After you have a GEL license with an associated cluster name, choose a deployment method. Our recommended approach is to run GEL on Kubernetes and deploy it via our Helm chart, as described in Deploy on Kubernetes using Helm.

For GEL installations, use the chart maintained in the Loki repository by Grafana Labs (not the OSS community chart).

Note

Monitoring with Grafana Cloud is required for all GEL installations. Refer to Monitor GEL and Deploy GEL meta-monitoring for more information. Professional services will assist you in configuring monitoring for your GEL installation.

Get tenant tokens from the provisioner

If you enabled the provisioner, after you have installed the Helm chart, retrieve the generated tenant tokens from the provisioner logs:

Bash
# Get provisioner job logs
kubectl logs -l job-name=loki-provisioner --namespace {KUBERNETES_NAMESPACE}

The provisioner outputs tokens for each configured tenant. You must manually create Kubernetes secrets for each tenant using these tokens:

Bash
# Example for creating a tenant secret
kubectl create secret generic <tenant-name> \
  --from-literal=token-write=<write-token-from-logs> \
  --from-literal=token-read=<read-token-from-logs> \
  --namespace <tenant-namespace>

Manual token generation (without provisioner)

If you’re not using the provisioner, you can manually generate tokens:

  1. Port-forward to the Loki service:

    Bash
    kubectl port-forward svc/loki-gateway 3100:80 --namespace {KUBERNETES_NAMESPACE}
  2. Use the admin token to create tenant tokens via the Admin API:

    Bash
    # Example: Create a token for a tenant
    curl -X POST http://localhost:3100/admin/api/v1/tokens \
      -H "Authorization: Bearer <admin-token>" \
      -H "Content-Type: application/json" \
      -d '{"name": "my-tenant", "displayName": "My Tenant", "access_policy": "logs:write,logs:read"}'

Take note of these tokens; you will need them when connecting Grafana Enterprise Logs to Grafana.