In our previous post, we explored how Grafana Alloy acts as a unified agent for both metrics and logs. A key part of that setup involved loki.source.syslog listening for incoming syslog messages on 127.0.0.1:1601. But how do those messages get there?
That’s where your local syslog daemon comes in! On most Linux distributions, this is handled by rsyslog. For Grafana Alloy to receive your system logs, you need to configure rsyslog to forward its messages to Alloy’s listening address and port.
This blog post will guide you through configuring rsyslog to reliably send its logs to your Grafana Alloy instance.
Environment: Ubuntu 24.04.2 LTS
rsyslog Configuration:
rsyslog is a powerful and highly configurable logging daemon. Its configuration is typically found in /etc/rsyslog.conf and modular configuration files in /etc/rsyslog.d/.
Edit /etc/rsyslog.conf and add the following line at the end of the file to forward all local logs (recommended for simplicity):
*.* action(type="omfwd" Target="127.0.0.1" Port="1601" Protocol="tcp" StreamDriverMode="0" ResendLastMessageOnReconnect="on")
Verify that the line is in place:
# cat /etc/rsyslog.conf|grep StreamDriverMode
*.* action(type="omfwd" Target="127.0.0.1" Port="1601" Protocol="tcp" StreamDriverMode="0" ResendLastMessageOnReconnect="on")
Note: Port="1601": This is the destination port, matching what we configured in loki.source.syslog in Grafana Alloy.
Save and exit: Save the file and close your editor.
Restart rsyslog: For the new configuration to take effect, you must restart the rsyslog service.
# sudo systemctl restart rsyslog
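Open the network port to allow incoming connections, then reload the firewall. Traffic to 127.0.0.1 stays on the loopback interface, so this rule only matters if the listener is bound to a non-loopback address: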
# sudo ufw allow 1601/tcp
# sudo ufw reload
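To go beyond the grep check above, the following added example (not code from the original post or from the rsyslog or Grafana projects) audits a config file's omfwd actions: it confirms that one of them points at the address and port Alloy listens on, and flags any action that would send unencrypted syslog off the host. The function names audit_omfwd and param are hypothetical, and the script assumes each action() sits on a single line, as in the line added above.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes one action() per line;
# multi-line action() statements are not parsed.

# param LINE NAME -> value of NAME="..." (rsyslog parameter names are case-insensitive)
param() {
    printf '%s\n' "$1" | grep -oiE "[[:space:](]$2=\"[^\"]*\"" | head -n1 | cut -d'"' -f2
}

# audit_omfwd CONF WANT_TARGET WANT_PORT
# Prints one verdict line per omfwd action. Return codes:
#   0  an action forwards to WANT_TARGET:WANT_PORT and nothing leaves the host unencrypted
#   1  no action forwards to WANT_TARGET:WANT_PORT
#   2  at least one action forwards without TLS to a non-loopback target
audit_omfwd() {
    local conf="$1" want_target="$2" want_port="$3"
    local line target port mode verdict found=1 exposed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in \#*) continue ;; esac           # skip comment lines
        printf '%s\n' "$line" | grep -qi 'type="omfwd"' || continue
        target=$(param "$line" Target)
        port=$(param "$line" Port)
        mode=$(param "$line" StreamDriverMode)
        mode=${mode:-0}                                 # rsyslog default: 0 = no TLS
        verdict=ok
        case "$target" in
            127.*|::1|localhost) ;;                     # stays on the loopback interface
            *) [ "$mode" = "0" ] && { verdict=plaintext-off-host; exposed=1; } ;;
        esac
        [ "$target" = "$want_target" ] && [ "$port" = "$want_port" ] && found=0
        echo "$verdict target=$target port=$port StreamDriverMode=$mode"
    done < "$conf"
    [ "$exposed" -eq 1 ] && return 2
    return "$found"
}
```

Source the file and run audit_omfwd /etc/rsyslog.conf 127.0.0.1 1601; a return code of 0 means the forwarding rule matches the Alloy listener from this post and no other omfwd action leaves the host in clear text.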