Saurabh Adhau's Blog

Promtail and Loki for Logging in Kubernetes

Saurabh Adhau's photo
Saurabh Adhau
·

4 min read

Table of contents

Introduction

In modern Kubernetes environments, efficient logging is crucial for monitoring, debugging, and troubleshooting applications and infrastructure. One of the most lightweight and scalable logging solutions available is the Loki Stack, which consists of Loki (Log Storage) and Promtail (Log Collector).

Unlike traditional logging stacks like EFK (Elasticsearch, Fluentd, Kibana) or ELK (Elasticsearch, Logstash, Kibana), the Loki Stack is designed to be cost-effective, scalable, and efficient in resource usage.

What is Loki?

Loki is an open-source, horizontally scalable, multi-tenant log aggregation system developed by Grafana Labs.

Key Features of Loki

  • Index-Free Log Storage: Unlike Elasticsearch, Loki does not index log contents, reducing storage costs significantly. Instead, it labels logs for easy filtering.

  • Highly Scalable: Loki can scale horizontally across multiple Kubernetes clusters.

  • Seamless Integration with Grafana: Allows powerful log visualization in Grafana Dashboards.

  • Efficient Querying via LogQL: Uses PromQL-like query language (LogQL) for searching logs.

  • Supports Various Log Sources: Collect logs from Kubernetes, Docker, Promtail, Fluentd, Syslog, etc.

How Loki Works in Kubernetes?

  1. Log Agents (Promtail, FluentBit, Vector, etc.) collect logs from Kubernetes pods, nodes, or applications.

  2. These logs are sent to Loki, where they are labeled and stored efficiently.

  3. Grafana connects to Loki and allows users to search, filter, and visualize logs via LogQL queries.

What is Promtail?

Promtail is an agent designed to collect logs from Kubernetes and push them to Loki.

Key Features of Promtail

  • Lightweight and Resource-Efficient: Uses minimal CPU and memory.

  • Auto-Discovers Kubernetes Pods: Dynamically collects logs from running Kubernetes pods.

  • Parses and Labels Logs: Extracts metadata such as Pod Name, Namespace, Labels, etc..

  • Integrates with Loki: Pushes logs efficiently to Loki for storage and querying.

How Loki and Promtail Work Together in Kubernetes?

Architecture of the Loki Stack

  1. Promtail collects logs from Kubernetes pods, using Kubernetes API for metadata.

  2. Logs are labeled (e.g., namespace, pod_name, container_name).

  3. Promtail pushes logs to Loki for storage and indexing.

  4. Loki stores logs efficiently with minimal indexing (only labels are indexed).

  5. Grafana queries logs from Loki and visualizes them using LogQL.

How to Set Up Loki and Promtail in Kubernetes?

Step 1: Install Loki in Kubernetes

Loki can be deployed using Helm.

1. Add the Loki Helm Repository

helm repo add grafana https://grafana.github.io/helm-charts
helm repo update

2. Install Loki in Kubernetes

helm install loki grafana/loki-stack --set loki.persistence.enabled=true --set loki.persistence.size=10Gi

3. Verify Loki Deployment

kubectl get pods -l app.kubernetes.io/name=loki

Loki should now be running in your Kubernetes cluster.

Step 2: Install Promtail in Kubernetes

Promtail runs as a DaemonSet to collect logs from all Kubernetes nodes.

1. Deploy Promtail using Helm

helm install promtail grafana/promtail \
  --set config.clients[0].url=http://loki:3100/loki/api/v1/push

2. Verify Promtail Deployment

kubectl get pods -l app.kubernetes.io/name=promtail

Step 3: Connect Loki with Grafana

Now that Loki and Promtail are running, let's configure Grafana to visualize logs.

1. Install Grafana using Helm

helm install grafana grafana/grafana \
  --set persistence.enabled=true \
  --set adminPassword='YourSecurePassword'

2. Access Grafana Dashboard

kubectl port-forward svc/grafana 3000:80

Now, visit localhost:3000 and log in with admin / YourSecurePassword.

3. Add Loki as a Data Source in Grafana

  1. Navigate to Configuration → Data Sources

  2. Click Add Data Source

  3. Select Loki and enter loki:3100

  4. Click Save & Test

How to Query Logs in Loki Using LogQL?

Once Grafana is connected to Loki, use LogQL to search logs.

1. Get All Logs for a Specific Pod

{namespace="default", pod="my-app"} | json

2. Filter Logs Containing Errors

{app="nginx"} |= "error"

3. Count the Number of Errors in Logs

{app="nginx"} |= "error" | count_over_time(5m)

Best Practices for Loki & Promtail in Kubernetes

1. Enable Log Retention Policies

Loki does not automatically delete logs. Use Helm to configure log retention.

--set loki.config.table_manager.retention_period=7d

2. Scale Loki for High Log Volume

For production workloads, use multiple replicas for Loki.

--set loki.replicas=3

3. Use Promtail Auto-Discovery for Kubernetes

Enable Kubernetes Service Discovery in Promtail.

scrape_configs:
  - job_name: kubernetes-pods
    pipeline_stages:
      - docker:
    static_configs:
      - targets:
          - localhost

4. Use LogQL Efficiently

  • Use labels for filtering instead of regex.

  • Avoid using |= operators frequently, as they are slow.

5. Secure Loki with Authentication

Enable basic authentication and integrate with Grafana Enterprise for RBAC security.

Why Choose Loki Over EFK/ELK?

FeatureLoki StackEFK/ELK Stack
Storage Cost✅ Low (No full indexing)❌ High (Full-text indexing)
Query Language✅ LogQL (Efficient)❌ Kibana Query DSL
Scalability✅ Horizontally scalable✅ Scalable but costly
Ease of Setup✅ Easy (Helm Charts)❌ Complex setup

Conclusion

Loki and Promtail provide a lightweight, scalable, and cost-effective logging solution for Kubernetes environments.

Benefits of Loki + Promtail:

  • Low-cost logging with minimal indexing overhead

  • Native Kubernetes integration for auto-discovery

  • Fast log querying with LogQL

  • Seamless integration with Grafana

If you’re looking for a lightweight alternative to EFK/ELK, Loki + Promtail is one of the best options for Kubernetes log management.

#promtaillokiKubernetesDevopsloggingmonitoringobservability