Promtail Tutorial
1️⃣ What is Promtail?¶
Promtail is a log collection agent for Grafana Loki.
👉 Think of it like:
-
Node Exporter → metrics
-
Promtail → logs
Promtail:
-
Reads logs from files / systemd / Docker
-
Adds labels
-
Pushes logs to Loki
2️⃣ What Promtail Is NOT¶
❌ Not a log storage system
❌ Not a UI
❌ Not a full log processor like Logstash
👉 Promtail = lightweight log shipper
3️⃣ Where Promtail Fits¶
4️⃣ What Logs Can Promtail Collect?¶
✅ System logs (/var/log/syslog, journalctl)
✅ Application logs (Node, Go, Java, etc.)
✅ Nginx / Apache logs
✅ Docker container logs
✅ Kubernetes pod logs
5️⃣ Installation (Linux – Recommended)¶
Step 1: Download Promtail¶
Step 2: Extract¶
unzip promtail-linux-amd64.zip
chmod +x promtail-linux-amd64
sudo mv promtail-linux-amd64 /usr/local/bin/promtail
6️⃣ Promtail Configuration File¶
Create Config Directory¶
Basic promtail.yml¶
server:
http_listen_port: 9080
grpc_listen_port: 0
positions:
filename: /var/lib/promtail/positions.yaml
clients:
- url: http://LOKI_SERVER_IP:3100/loki/api/v1/push
scrape_configs:
- job_name: system
static_configs:
- targets:
- localhost
labels:
job: syslog
__path__: /var/log/syslog
📌 positions.yaml ensures no duplicate logs
7️⃣ Create Systemd Service¶
[Unit]
Description=Promtail Log Collector
After=network.target
[Service]
User=root
ExecStart=/usr/local/bin/promtail \
-config.file=/etc/promtail/promtail.yml
[Install]
WantedBy=multi-user.target
Start Promtail¶
Check Status¶
8️⃣ Verify Promtail is Working¶
Check logs:
You should see:
9️⃣ Loki Setup (Quick Overview)¶
Loki runs on:
If not installed, basic Docker run:
10️⃣ View Logs in Grafana¶
Step 1: Add Loki Data Source¶
Step 2: Explore Logs¶
Example Query¶
11️⃣ Promtail for Application Logs (Node.js Example)¶
App Log Path¶
promtail.yml¶
scrape_configs:
- job_name: node_app
static_configs:
- targets:
- localhost
labels:
job: nodejs
env: prod
__path__: /var/www/app/logs/*.log
12️⃣ Parsing Logs (Pipeline Stages)¶
JSON Logs Example¶
Regex Parsing¶
13️⃣ Promtail with Docker Logs¶
scrape_configs:
- job_name: docker
static_configs:
- targets:
- localhost
labels:
job: docker
__path__: /var/lib/docker/containers/*/*.log
14️⃣ Promtail with systemd (journalctl)¶
15️⃣ Promtail in Docker¶
docker run -d \
-v /var/log:/var/log \
-v /etc/promtail:/etc/promtail \
grafana/promtail \
-config.file=/etc/promtail/promtail.yml
16️⃣ Promtail in Kubernetes (Overview)¶
-
Runs as DaemonSet
-
Collects logs from:
Standard setup via:
17️⃣ Labels – VERY IMPORTANT ⚠️¶
Bad labels ❌
Good labels ✅
👉 High-cardinality labels = Loki crash
18️⃣ Common Issues & Fixes¶
| Issue | Fix |
|---|---|
| No logs | Check __path__ |
| Duplicates | Check positions.yaml |
| Loki down | Promtail retries |
| High memory | Reduce labels |
19️⃣ Promtail vs Alternatives¶
| Tool | Type |
|---|---|
| Promtail | Loki log shipper |
| Fluent Bit | Logs + metrics |
| Logstash | Heavy processing |
| Filebeat | ELK stack |
20️⃣ Production Best Practices¶
✔ Use structured logs (JSON)
✔ Avoid high-cardinality labels
✔ Separate prod / staging
✔ Rotate logs
✔ Monitor Promtail itself
🏗️ Full Observability Stack (Best Practice)¶
✅ Final Summary¶
✔ Lightweight & fast
✔ Perfect match for Loki
✔ Easy to configure
✔ Scales well
✔ Ideal for DevOps & Cloud