Loki Log Aggregation Kubernetes
Deploy Grafana Loki for log aggregation on Kubernetes. Promtail DaemonSet, LogQL queries, structured logging, retention policies, and Grafana integration.
π‘ Quick Answer: Deploy Loki in
SimpleScalablemode with Promtail DaemonSet for log collection. Use LogQL for querying:{namespace="production"} |= "error" | json | status >= 500. Configure 30-day retention with S3/GCS backend storage.
The Problem
ELK stack (Elasticsearch, Logstash, Kibana) is resource-heavy β Elasticsearch alone needs 4-8GB RAM per node. Loki is 10x more resource-efficient because it only indexes labels, not full text. Combined with Grafana, it provides the same log exploration experience at a fraction of the cost.
The Solution
Deploy Loki Stack
helm repo add grafana https://grafana.github.io/helm-charts
helm install loki grafana/loki-stack \
--namespace monitoring --create-namespace \
--set promtail.enabled=true \
--set loki.persistence.enabled=true \
--set loki.persistence.size=50GiPromtail Configuration
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: promtail
spec:
template:
spec:
containers:
- name: promtail
image: grafana/promtail:3.2.0
args:
- -config.file=/etc/promtail/promtail.yaml
volumeMounts:
- name: logs
mountPath: /var/log/pods
readOnly: true
volumes:
- name: logs
hostPath:
path: /var/log/podsLogQL Queries
# All error logs in production
{namespace="production"} |= "error"
# JSON structured logs β filter by status code
{app="api-server"} | json | status >= 500
# Rate of errors per service
sum(rate({namespace="production"} |= "error" [5m])) by (app)
# Top 10 error messages
topk(10, sum(count_over_time({namespace="production"} |= "error" [1h])) by (msg))Retention Policy
# loki-config.yaml
limits_config:
retention_period: 720h # 30 days
compactor:
retention_enabled: true
retention_delete_delay: 2h
storage_config:
aws:
s3: s3://loki-logs-bucket/loki
region: us-east-1graph LR
PODS[Application Pods<br/>stdout/stderr] --> PROMTAIL[Promtail DaemonSet<br/>Tail log files]
PROMTAIL -->|Push| LOKI[Loki<br/>Index labels only]
LOKI --> S3[S3 / GCS<br/>Log chunks]
GRAFANA[Grafana] -->|LogQL queries| LOKICommon Issues
No logs appearing in Grafana: Check Promtail is running: kubectl get ds promtail -n monitoring. Verify Loki datasource is configured in Grafana with correct URL.
LogQL query timeout: Add label filters first ({namespace="prod"}), then string filters. Loki scans less data when labels narrow the search.
Best Practices
- Always filter by labels first in LogQL β
{namespace="prod"}before|= "error" - Structured logging (JSON) enables field extraction with
| json - 30-day retention β good balance of cost and usefulness
- S3 backend for production β local storage fills up quickly
- Alert on log patterns β Loki ruler can fire alerts from LogQL queries
Key Takeaways
- Loki is 10x more resource-efficient than Elasticsearch β indexes labels only
- Promtail DaemonSet collects logs from all pods automatically
- LogQL provides powerful querying: label filters, JSON parsing, regex, aggregations
- S3/GCS backend for cost-effective long-term retention
- Integrates natively with Grafana for log exploration alongside metrics
Recommended
Kubernetes Recipes β The Complete Book100+ production-ready patterns with detailed explanations, best practices, and copy-paste YAML. Everything in one place.
Get the Book βLearn by Doing
CopyPasteLearn β Hands-on Cloud & DevOps CoursesMaster Kubernetes, Ansible, Terraform, and MLOps with interactive, copy-paste-run lessons. Start free.
Browse Courses β
π Deepen Your Skills β Hands-on Courses
Courses by CopyPasteLearn.com β Learn IT by Doing
Want More Kubernetes Recipes?
This recipe is from Kubernetes Recipes, our 750-page practical guide with hundreds of production-ready patterns.