Customize Grafana Alloy
Grafana Alloy is an agent for collecting and transferring metrics, logs and traces. It is a flexible, high-performance distribution of the OpenTelemetry Collector. The agent is compatible with OpenTelemetry and Prometheus, the most widely used observability formats.
Grafana Alloy uses the otel-collector/awscloudwatchreceiver component, which receives logs through the FilterLogEvents method of the Amazon CloudWatch API. For a list of all Grafana Alloy components, see the Choose a Grafana Alloy component instructions in the official Grafana documentation.
1. Create a service user
Create a service user. In the permissions, select the role member or reader and the access area Projects. Users can be created by the Account Owner or by users with the role iam_admin.
2. Issue an S3 key to the user
Users with access to the control panel can issue S3 keys to themselves, but we recommend creating service users and issuing S3 keys to them.
S3 keys can only be issued to other users by the Account Owner or a user with the role iam_admin. A service user cannot obtain an S3 key on their own because they do not have access to the control panel; the key must be issued to them by the Account Owner or iam_admin.
A separate key must be created for each project. Multiple keys can be issued for one project.
- In the control panel, on the top menu, click Account.
- Go to the section with the desired user type:
  - Users — for users with access to the control panel;
  - Service users — for service users.
- Open the user page → Access tab.
- In the S3 keys block, click Add Key.
- Enter the name of the key.
- Select the project for which the key will work.
- Click Generate. Two values will be generated:
  - Access key — Access Key ID, key identifier;
  - Secret key — Secret Access Key, secret key.
- Click Copy and save the key — it cannot be viewed after the window is closed.
3. Configure the receipt of events
- Open the CLI.
- Create a config.alloy configuration file:

```sh
nano /etc/alloy/config.alloy
```
- In the config.alloy configuration file, configure log collection with the otelcol.receiver.awscloudwatch component. Example configuration:

```alloy
logging {
  level  = "info"
  format = "logfmt"
}

// Reads log events from the logs API.
otelcol.receiver.awscloudwatch "logs" {
  region = "<pool>"

  logs {
    groups {
      named {
        group_name = "<log_group_name>"
        // Optional: list of stream names.
        names      = <log_stream_names>
      }
    }
  }

  output {
    logs = [otelcol.exporter.loki.default.input]
  }
}

// Converts OpenTelemetry logs to Loki entries.
otelcol.exporter.loki "default" {
  forward_to = [loki.process.parse_json.receiver]
}

loki.process "parse_json" {
  stage.json {
    expressions = {
      source = "<key>",
    }
  }

  stage.output {
    source = "<key>"
  }

  forward_to = [loki.echo.default.receiver]
}

// Prints received entries to stdout.
loki.echo "default" {}
```

Specify:
- otelcol.receiver.awscloudwatch component arguments:
  - <pool> — pool, for example ru-9;
  - <log_group_name> — log group name, e.g. s/lbaas/Loabalancer-1;
  - optional: <log_stream_names> — list of streams from which you want to get logs, for example ["http-c48d78e2-6f49-43b5-80b7-2f2b8e5f669d"].
- loki.process component arguments:
  - <key> — log field, e.g. body. The field specified in the stage.json parameter will be added for further processing. In the stage.output parameter, the value of the specified field will be reflected in the output.
- Start Alloy:

```sh
docker run \
  -v /etc/alloy/config.alloy:/etc/alloy/config.alloy \
  -p 12345:12345 \
  -e AWS_ENDPOINT_URL=<log_endpoint> \
  -e AWS_ACCESS_KEY=<access_key> \
  -e AWS_SECRET_KEY=<secret_key> \
  grafana/alloy:latest \
  run --server.http.listen-addr=0.0.0.0:12345 \
  --storage.path=/var/lib/alloy/data \
  --stability.level experimental \
  /etc/alloy/config.alloy
```

Specify:
- <log_endpoint> — URL for accessing the logs API. The list of URLs can be found in the instructions List of URLs;
- <access_key> — value of the Access key field from the S3 key;
- <secret_key> — value of the Secret key field from the S3 key.

You can add <log_endpoint>, <access_key> and <secret_key> to the container in any way you want:
- via environment variables, see the Using environment variables to globally configure AWS SDKs and tools documentation from Amazon for more information;
- or via config and credentials files, see the Using shared config and credentials files to globally configure AWS SDKs and tools documentation from Amazon.
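A variant of the start command above, as an added example that is not part of the original instructions: the keys go into an owner-only env file passed with `--env-file` instead of `-e` flags, the config is mounted read-only, and port 12345 is published on the host's loopback address only. The path `/etc/alloy/aws.env` and the function names `write_alloy_env` and `alloy_docker` are assumptions.

```sh
#!/bin/sh
# Added example: keep the S3 key out of the docker command line.
set -eu

# write_alloy_env FILE ENDPOINT ACCESS_KEY SECRET_KEY
# Writes FILE in the KEY=value format read by `docker run --env-file`
# (one variable per line, values taken literally) with owner-only access.
write_alloy_env() {
  ( umask 077
    printf 'AWS_ENDPOINT_URL=%s\nAWS_ACCESS_KEY=%s\nAWS_SECRET_KEY=%s\n' \
      "$2" "$3" "$4" > "$1" )
  chmod 600 "$1"  # also tightens a file that already existed
}

# alloy_docker RUNNER ENV_FILE
# RUNNER is `docker`, or `echo` to print the command without running it.
# Same start command as in the instructions, except that the keys come
# from ENV_FILE, the config is mounted read-only and the HTTP port is
# published on the host's loopback address only.
alloy_docker() {
  "$1" run \
    --env-file "$2" \
    -v /etc/alloy/config.alloy:/etc/alloy/config.alloy:ro \
    -p 127.0.0.1:12345:12345 \
    grafana/alloy:latest \
    run --server.http.listen-addr=0.0.0.0:12345 \
    --storage.path=/var/lib/alloy/data \
    --stability.level experimental \
    /etc/alloy/config.alloy
}

# Runs only when the script is called with the argument "run".
# /etc/alloy/aws.env is an assumed location, not one from the instructions.
if [ "${1:-}" = "run" ]; then
  env_file=/etc/alloy/aws.env
  printf 'Logs API URL: ' >&2; read -r endpoint
  printf 'Access key: '   >&2; read -r access
  printf 'Secret key: '   >&2
  trap 'stty echo' EXIT INT           # restore terminal echo on any exit
  stty -echo; read -r secret; stty echo; echo >&2
  write_alloy_env "$env_file" "$endpoint" "$access" "$secret"
  unset secret
  alloy_docker docker "$env_file"
fi
```

The variables remain readable through `docker inspect` for anyone with access to the Docker daemon, so that access has to be restricted as well.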
Example of output in stdout:
...
ts=2025-10-14T06:07:03.637492043Z level=info component_path=/ component_id=loki.echo.default receiver=loki.echo.default entry="{\"client\":\"204.76.203.219:41942\" ... }" entry_timestamp=2025-10-14T05:50:35.549Z labels="{exporter=\"OTLP\"}" structured_metadata={}
ts=2025-10-14T06:07:03.637503251Z level=info component_path=/ component_id=loki.echo.default receiver=loki.echo.default entry="{\"client\":\"204.76.203.18:45864\" ... }" entry_timestamp=2025-10-14T05:54:58.753Z labels="{exporter=\"OTLP\"}" structured_metadata={}
...