Monitor TCP logs with Grafana Alloy
Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Instrument and send databreadcrumb arrow Grafana Alloybreadcrumb arrow Monitor metrics and logsbreadcrumb arrow Monitor TCP logs
Grafana Cloud

Monitor TCP logs with Grafana Alloy

Writing logs over a network using raw TCP is a widely used method for transmitting log data between systems. This method provides a direct, connection-oriented way to send logs from a client, such as an application or logging agent, to a remote server, such as a log aggregator or central logging system. With Alloy, you can collect your logs, forward them to a Grafana stack, and create dashboards to monitor your system behavior.

The alloy-scenarios repository contains complete working examples of Alloy deployments. Clone the repository and use the example deployments to understand how Alloy collects, processes, and exports telemetry signals.

In this example scenario, Alloy uses a TCP endpoint to collect logs written by an application as a JSON payload and forwards them to a Loki destination.

Before you begin

Ensure you have the following:

Note

You need administrator privileges to run docker commands.

Clone and deploy the example

Follow these steps to clone the scenarios repository and deploy the monitoring example:

  1. Clone the Alloy scenarios repository:

    shell 
    git clone https://github.com/grafana/alloy-scenarios.git

  2. Start Docker to deploy the Grafana stack:

    shell 
    cd alloy-scenarios/logs-tcp
docker compose up -d

    Verify the status of the Docker containers:

    shell 
    docker ps

  3. (Optional) Stop Docker to shut down the Grafana stack when you finish exploring this example:

    shell 
    docker compose down

Monitor and visualize your data

Use Grafana to monitor your deployment’s health and visualize your data.

Monitor Alloy

To monitor the health of your Alloy deployment, open your browser and go to http://localhost:12345.

For more information about the Alloy UI, refer to Debug Grafana Alloy.

Visualize your data

To use the Grafana Logs Drilldown, open your browser and go to http://localhost:3000/a/grafana-lokiexplore-app.

To create a dashboard to visualize your metrics and logs, open your browser and go to http://localhost:3000/dashboards.

Understand the Alloy configuration

This example uses a config.alloy file to configure the Alloy components for logging. You can find the config.alloy file in the cloned repository at alloy-scenarios/logs-tcp/.

The configuration includes livedebugging to stream real-time data to the Alloy UI.

Configure livedebugging

livedebugging streams real-time data from your components directly to the Alloy UI. Refer to the Troubleshooting documentation for more details about this feature.

livedebugging

livedebugging is disabled by default. Enable it explicitly through the livedebugging configuration block to make debugging data visible in the Alloy UI.

alloy 
livedebugging {
  enabled = true
}

Configure logging

The logging configuration in this example requires three components:

  • loki.source.api
  • loki.process
  • loki-write

loki.source.api

The loki.source.api component receives log entries over HTTP and forwards them to other Loki components. In this example, the component requires the following arguments:

  • listen_address: The network address the server listens to for new connections. Setting this argument to 0.0.0.0 tells the server to listen on all IP addresses.
  • listen_port: The port the server listens to for new connections.
  • forward_to: The list of receivers to send log entries to.
alloy 
loki.source.api "loki_push_api" {
    http {
        listen_address = "0.0.0.0"
        listen_port = 9999
    }
    forward_to = [
        loki.process.labels.receiver,
    ]
}

loki.process

The loki.process component receives log entries from other Loki components, applies processing stages, and forwards the results to the list of receivers. In this example, the component requires the following arguments:

  • expressions: Key-value pairs defining the name of the data extracted and the value it’s populated with.
  • values: Key-value pairs defining the label to set and how to look them up.
  • forward_to: The list of receivers to send log entries to.
alloy 
loki.process "labels" {
    stage.json {
      expressions = { "extracted_service" = "service_name", 
                      "extracted_code_line" = "code_line", 
                      "extracted_server" = "server_id", 
                    }
    }

  stage.labels {
    values = {
      "service_name" = "extracted_service",
    }
  }

  stage.structured_metadata {
    values = {
      "code_line" = "extracted_code_line",
      "server" = "extracted_server",
      }
    }

  forward_to = [loki.write.local.receiver]
}

loki-write

The loki.write component writes the logs to a Loki destination. In this example, the component requires the following argument:

  • url: Defines the full URL endpoint in Loki to send logs to.
alloy 
loki.write "local" {
  endpoint {
    url = "http://loki:3100/loki/api/v1/push"
  }
}