How to Install and Configure Loki, Promtail, and Grafana for Log Aggregation on Rocky Linux
This step‑by‑step guide shows how to install Loki, configure its YAML file, set up Promtail to ship logs, install Grafana, add Loki as a data source, and use LogQL to query logs—including collecting Nginx JSON logs—on a Rocky Linux system.
Overview
Loki is an open‑source, horizontally scalable, highly available, multi‑tenant log aggregation system from Grafana Labs that indexes only log metadata (labels) instead of full log content, making it cost‑effective and easy to operate. It follows the Prometheus model, so its query language (LogQL) feels familiar to Prometheus users.
Install Loki
Download the RPM package from the official GitHub releases page and install it on Rocky Linux:
# rpm -ivh loki-3.2.0.x86_64.rpm
Verify the OS version (optional):
# cat /etc/redhat-release
Rocky Linux release 9.3 (Blue Onyx)
Configure Loki
Edit /etc/loki/config.yml with the essential settings:
# Single-tenant mode: no X-Scope-OrgID header is required. Loki does not authenticate clients itself.
auth_enabled: false
server:
  http_listen_port: 3100
  grpc_listen_port: 9096
  log_level: debug
  grpc_server_max_concurrent_streams: 1000
common:
  instance_addr: 192.168.3.82
  # Test location: files under /tmp are subject to periodic cleanup.
  path_prefix: /tmp/loki
  storage:
    filesystem:
      chunks_directory: /tmp/loki/chunks
      rules_directory: /tmp/loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
ingester_rf1:
  enabled: false
# results_cache is a query_range setting, and embedded_cache nests under cache.
query_range:
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100
schema_config:
  configs:
    - from: 2020-10-24
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h
pattern_ingester:
  enabled: true
  metric_aggregation:
    enabled: true
    loki_address: localhost:3100
ruler:
  alertmanager_url: http://localhost:9093
frontend:
  encoding: protobuf
Start Loki
# systemctl restart loki
# systemctl enable loki
# systemctl status loki
Install Promtail
Download and install the Promtail RPM:
# rpm -ivh promtail-3.2.0.x86_64.rpm
Configure Promtail
Create /etc/promtail/config.yml (minimal example for system logs):
server:
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  filename: /tmp/positions.yaml
clients:
  - url: http://192.168.3.82:3100/loki/api/v1/push
scrape_configs:
  - job_name: system
    static_configs:
      - targets: ["localhost"]
        labels:
          job: varlogs
          __path__: /var/log/messages
Grant Promtail read permission on the log file:
# setfacl -m u:promtail:r /var/log/messages
Start Promtail
# systemctl start promtail
# systemctl enable promtail
# systemctl status promtail
Install Grafana
# sudo yum install -y https://dl.grafana.com/oss/release/grafana-11.2.0-1.x86_64.rpm
Enable and start the Grafana service, then open http://<your-ip>:3000 (default credentials: admin / admin).
# systemctl daemon-reload
# systemctl enable grafana-server
# systemctl start grafana-server
Add Loki Data Source in Grafana
In the Grafana UI, navigate to *Configuration → Data Sources → Add data source*, select Loki, and set the URL to http://192.168.3.82:3100. Save the data source.
LogQL Basics
LogQL selectors are written inside curly braces. Example:
{app="mysql",name="mysql-backup"}
Supported operators:
= – exact match
!= – not equal
=~ – regex match
!~ – regex not match
Filter expressions can further narrow results:
{job="mysql"} |= "error"
{job="mysql"} |= "error" != "timeout"
{instance=~"kafka-[23]",name="kafka"} != "kafka.server:type=ReplicaManager"
Operators:
|= – line contains string
!= – line does not contain string
|~ – line matches regex
!~ – line does not match regex
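
The selector and filter semantics above, modelled in Python as an added example (not Loki's code and not from the original article); the sample streams and function names are constructed. It also shows one behaviour the operator lists do not spell out: label regex matchers (=~, !~) must match the whole label value, while line-filter regexes (|~, !~) match anywhere in the line.

```python
import re

# Constructed sample streams (labels, lines); not real log data.
STREAMS = [
    ({"instance": "kafka-2", "name": "kafka"},
     ["kafka.server:type=ReplicaManager lag=3", "ERROR broker timeout"]),
    ({"instance": "kafka-20", "name": "kafka"}, ["ERROR disk full"]),
    ({"instance": "kafka-1", "name": "kafka"}, ["ERROR not selected"]),
]

def label_match(value, op, pattern):
    """Stream selector matchers: =, !=, =~, !~ (regex anchored to the whole value)."""
    if op in ("=", "!="):
        hit = value == pattern
    else:
        hit = re.fullmatch(pattern, value) is not None
    return hit if op in ("=", "=~") else not hit

def line_match(line, op, pattern):
    """Line filters: |=, !=, |~, !~ (regex may match anywhere in the line)."""
    if op in ("|=", "!="):
        hit = pattern in line
    else:
        hit = re.search(pattern, line) is not None
    return hit if op in ("|=", "|~") else not hit

def query(matchers, filters=()):
    """Lines from streams whose labels satisfy every matcher and that pass every filter."""
    out = []
    for labels, lines in STREAMS:
        # A label that is absent is compared as the empty string.
        if all(label_match(labels.get(k, ""), op, p) for k, op, p in matchers):
            out += [ln for ln in lines
                    if all(line_match(ln, op, p) for op, p in filters)]
    return out

if __name__ == "__main__":
    # {instance=~"kafka-[23]",name="kafka"} != "kafka.server:type=ReplicaManager"
    print(query([("instance", "=~", "kafka-[23]"), ("name", "=", "kafka")],
                [("!=", "kafka.server:type=ReplicaManager")]))
```

The stream labelled instance="kafka-20" is not selected by kafka-[23] because the pattern has to cover the entire value.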
Collect Nginx Logs with Loki
Modify nginx.conf to output logs in JSON format:
# Adjacent quoted strings are concatenated, so each request is logged
# as one JSON object on a single line.
log_format json escape=json
    '{'
    '"remote_addr":"$remote_addr",'
    '"request_uri":"$request_uri",'
    '"request_length":"$request_length",'
    '"request_time":"$request_time",'
    '"request_method":"$request_method",'
    '"status":"$status",'
    '"body_bytes_sent":"$body_bytes_sent",'
    '"http_referer":"$http_referer",'
    '"http_user_agent":"$http_user_agent",'
    '"http_x_forwarded_for":"$http_x_forwarded_for",'
    '"http_host":"$http_host",'
    '"server_name":"$server_name",'
    '"upstream":"$upstream_addr",'
    '"upstream_response_time":"$upstream_response_time",'
    '"upstream_status":"$upstream_status"'
    '}';
access_log logs/json_access.log json;
If HTTPS is enabled, place the access_log directive inside the HTTPS server block.
Configure Promtail on the Nginx Host
Use a similar Promtail config, but point __path__ to the JSON log file:
server:
  http_listen_port: 9080
  grpc_listen_port: 0
positions:
  filename: /tmp/positions.yaml
clients:
  - url: http://192.168.3.82:3100/loki/api/v1/push
scrape_configs:
  - job_name: nginx
    static_configs:
      - targets: ["localhost"]
        labels:
          job: nginxlogs
          host: 192.168.3.218
          __path__: /usr/local/nginx/logs/json_access.log
Grant Promtail read access to the Nginx log directory:
# setfacl -R -m u:promtail:rx /usr/local/nginx/logs/
Create a Grafana Dashboard
Import the pre‑built dashboard (ID 16101) in Grafana to visualize Loki logs. The dashboard provides panels for log streams, error rates, and query results.
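
A sanity check for the Nginx JSON access log before relying on it in Loki, as an added Python example (not from the original article): it confirms that each line of json_access.log is one complete JSON object carrying the fields defined in the log_format above, then counts 4xx/5xx responses per remote_addr. The sample lines, addresses, threshold and function names are constructed for illustration.

```python
import json
from collections import Counter

# The 15 keys written by the log_format on this page.
FIELDS = ["remote_addr", "request_uri", "request_length", "request_time",
          "request_method", "status", "body_bytes_sent", "http_referer",
          "http_user_agent", "http_x_forwarded_for", "http_host",
          "server_name", "upstream", "upstream_response_time",
          "upstream_status"]

def sample(addr, uri, status):
    """Build one constructed log line; nginx writes every value as a string."""
    rec = dict.fromkeys(FIELDS, "")
    rec.update(remote_addr=addr, request_uri=uri,
               request_method="GET", status=str(status))
    return json.dumps(rec, separators=(",", ":"))

# Constructed input (documentation address ranges), plus two fragments of the
# kind a log_format that spans several lines would produce.
SAMPLE_LOG = [
    sample("203.0.113.7", "/admin", 403),
    sample("203.0.113.7", "/old-page", 404),
    sample("203.0.113.7", "/login", 401),
    sample("198.51.100.20", "/", 200),
    sample("198.51.100.20", "/api/report", 500),
    "{",
    '"status":"200",',
]

def parse(line):
    """Return the record as a dict, or None unless the line is one complete object."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) and set(FIELDS) <= rec.keys() else None

def summarize(lines, threshold=3):
    """Count 4xx/5xx responses per client; return (errors, malformed, noisy clients)."""
    errors, malformed = Counter(), 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            malformed += 1
        elif rec["status"].isdigit() and int(rec["status"]) >= 400:
            errors[rec["remote_addr"]] += 1
    noisy = sorted(a for a, n in errors.items() if n >= threshold)
    return errors, malformed, noisy
```

A non-zero malformed count on a real log means Promtail is shipping lines that a JSON parser cannot read, which is worth fixing in nginx.conf before building dashboards or alerts on these fields.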
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
