Loki: log aggregation "like Prometheus, but for logs"

Loki (December 2018) by Grafana Labs (Tom Wilkie, David Kaltschmidt): a cloud-native log aggregation system that is label-based (no full-text index) and stores data on object storage (S3, GCS). It has its own query language, LogQL, and is a lower-cost alternative to Elasticsearch.


Low-cost logs

Elasticsearch is powerful but expensive: it indexes every word of every log, which means fast disks, high RAM, and, from 2021, complex licensing (SSPL). Many teams just want to select logs by labels (namespace, pod, app) and filter the text grep-style, not run full-text search.

The release

Loki was released on 14 December 2018 by Grafana Labs at KubeCon Seattle 2018. Lead engineers: Tom Wilkie (ex-Weaveworks, Prometheus maintainer) and David Kaltschmidt. Written in Go, AGPLv3 licence (since 2021, Apache 2.0 before).

Philosophy

“Like Prometheus, but for logs”:

  • Index only on labels (not content)
  • Compressed log content archived on object storage
  • Low-cost storage — S3, GCS, Azure Blob, MinIO
  • LogQL query language similar to PromQL

Example LogQL query:

    {app="webapp", env="prod"} |= "error" | json | status_code >= 500
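How a query of that shape is evaluated when only labels are indexed, as a small Python model added here for illustration (it is not Loki's code). The stream data, function names and the choice to skip non-JSON lines are assumptions of this model.

```python
import json

# Constructed sample data: (label set, log lines) per stream.
STREAMS = [
    ({"app": "webapp", "env": "prod"}, [
        '{"msg": "upstream error", "status_code": 502}',
        '{"msg": "error: bad input", "status_code": 400}',
        '{"msg": "ok", "status_code": 200}',
        'error: this line is not JSON',
    ]),
    ({"app": "webapp", "env": "staging"},
     ['{"msg": "error in handler", "status_code": 500}']),
    ({"app": "billing", "env": "prod"},
     ['{"msg": "db error", "status_code": 503}']),
]

def build_label_index(streams):
    """Map each (label, value) pair to stream ids; log text is never indexed."""
    index = {}
    for sid, (labels, _lines) in enumerate(streams):
        for pair in labels.items():
            index.setdefault(pair, set()).add(sid)
    return index

def select_streams(index, matchers):
    """{app="webapp", env="prod"}: intersect the index entries of each matcher."""
    sets = [index.get(pair, set()) for pair in matchers.items()]
    return sorted(set.intersection(*sets)) if sets else []

def run_query(streams, index, matchers, needle, min_status):
    """Return (matching lines, number of lines scanned)."""
    hits, scanned = [], 0
    for sid in select_streams(index, matchers):
        for line in streams[sid][1]:
            scanned += 1
            if needle not in line:            # |= "error": substring scan
                continue
            try:
                fields = json.loads(line)     # | json: extract fields
            except ValueError:
                continue                      # model's choice: skip non-JSON lines
            if not isinstance(fields, dict):
                continue
            status = fields.get("status_code")
            if isinstance(status, (int, float)) and status >= min_status:
                hits.append(line)             # status_code >= 500
    return hits, scanned

INDEX = build_label_index(STREAMS)
HITS, SCANNED = run_query(STREAMS, INDEX, {"app": "webapp", "env": "prod"}, "error", 500)
```

The index holds four label pairs and no log text, so the text filter scans every line of the one selected stream and touches nothing in the other two: narrow label selectors are what keep a search cheap.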

Architecture

  • Distributor — receives logs, distributes to writers
  • Ingester — in-memory batches, flushes to storage
  • Querier — executes LogQL, aggregates from ingester + storage
  • Compactor — index compaction
  • Storage — object storage (S3-compatible) + boltdb-shipper/TSDB index
  • Query frontend — query parallelisation

Deploy patterns: Single binary (monolith), Simple Scalable, Microservices (1000+ pods).

Promtail and Alloy

Companion log collectors:

  • Promtail — Grafana agent for collecting logs (path, journald, K8s)
  • Grafana Alloy (2024, Agent successor) — unified logs+metrics+traces collector
  • Fluent Bit, Fluentd, Vector — all support Loki output

Integration

  • Grafana — built-in UI, Explore tab for LogQL
  • Alerting — Grafana alerts based on log counts/patterns
  • Recording rules — metrics derived from logs
  • Tempo + Loki — trace ↔ log correlation

Versions

  • 1.0 (November 2019) — GA
  • 2.0 (October 2020) — TSDB index, LogQL v2
  • 2.4 (2022) — simpler single-binary
  • 3.0 (April 2024) — storage-agnostic compactor, Bloom filters

Competitors

  • Elasticsearch (via Filebeat/Logstash) — powerful full-text index but expensive
  • OpenSearch — AWS open fork
  • Splunk — commercial, enterprise
  • Datadog Logs, New Relic Logs — SaaS
  • VictoriaLogs (2023) — similar philosophy, lighter
  • SigNoz — full-stack OSS
  • ClickHouse — storage alternative for analytical logs

In the Italian context

Loki is widely used for low-cost log aggregation:

  • Italian MSPs and hosting providers
  • Banks for infrastructure logs (not full-text transactional)
  • Digital PA — PSN projects, multi-tenant clusters
  • Italian B2B SaaS
  • Development teams for application logs
  • Home-lab and local dev environments

Typical stack: Grafana + Prometheus + Loki + Tempo (LGTM) for unified observability at an affordable cost compared with Datadog/Splunk.


References: Loki (14 December 2018, KubeCon Seattle). Grafana Labs. Tom Wilkie, David Kaltschmidt. AGPLv3 licence (since 2021). Written in Go. LogQL query language. S3/GCS/Azure Blob storage + object-storage index.
