Skip to main content
Version: Next

Loki

This module allows the Security Engine to acquire logs from loki query.

Configuration example

This will allow to read logs from loki, using the query {job="varlogs"}.

source: loki
log_level: info
url: http://localhost:3100/
limit: 1000
query: |
{job="varlogs"}
auth:
username: something
password: secret
labels:
type: apache2
info

The reader will always start at "now".

Look at the configuration parameters to view all supported options.

Parameters

url

The loki URL to connect to.

Required.

prefix

The loki prefix (present in http path, useful if loki is behind a reverse-proxy).

Defaults to /.

query

The loki query.

Required.

limit

The maximum number of messages to be retried from loki at once.

Defaults to 100 in stream mode and 5000 in one-shot mode.

headers

Allows you to specify headers to be sent to loki, in the format:

headers:
foo: bar

wait_for_ready

The retry interval at startup before giving on loki.

Defaults to 10 seconds.

auth

Login/password authentication for loki, in the format:

auth:
username: someone
password: something

max_failure_duration

The maximum duration loki is allowed to be unavailable (once startup is successful) before giving up on the data source.

Default to 30 seconds.

DSN and command-line

All the parameters above are available via DSN (one-shot mode), plus the following ones:

ssl

if present, scheme will be set to https

crowdsec -type foobar -dsn 'loki://login:password@localhost:3102/?query={server="demo"}&ssl=true'

since

Allows to set the "since" duration for loki query.

Expects a valid Go duration

crowdsec -type foobar -dsn 'loki://login:password@localhost:3102/?query={server="demo"}&since=1d'

log_level

Set the log_level for loki datasource.

crowdsec -type foobar -dsn 'loki://login:password@localhost:3102/?query={server="demo"}&log_level=debug'