Deploy Loki on Ubuntu for lightweight, label-based log aggregation that pairs natively with Grafana and Prometheus for a complete observability stack.
Grab the automated bash script from GitHub to follow along with the video.
```bash
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/monitoring/loki/loki-ubuntu.sh
chmod +x loki-ubuntu.sh
sudo bash loki-ubuntu.sh
```
The script installs Docker if needed, then deploys Loki alongside Promtail — the log collection agent that ships local logs to Loki.
In Grafana, go to Connections → Data Sources and add Loki with the URL `http://loki:3100`.
Use Grafana Explore to write LogQL queries and explore your log streams by label.
| Port | Purpose |
|---|---|
| 3100 | Loki API (internal, accessed via Grafana) |
Loki is Grafana Labs' log aggregation system designed to be cost-effective and operationally simple. Unlike Elasticsearch, Loki does not full-text index log content — it indexes only labels (key-value metadata). This makes it dramatically cheaper to operate at scale. Log content is searched at query time using LogQL, a language similar to PromQL.
Loki is the natural companion to Prometheus and Grafana. If you already have that stack, adding Loki gives you a complete observability solution (metrics + logs) with no new technology to learn. Its label-based model and low storage cost make it the most practical log aggregation choice for self-hosted infrastructure.
Loki listens on port 3100 for its HTTP API — this is an internal port only, accessed by Promtail and Grafana within the Docker network. Do not open this port externally. All user access to logs should go through Grafana, which handles authentication.
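One way to check this on a running host, as an added example (not part of the original page or of `loki-ubuntu.sh`): the function below reads `docker ps --format '{{.Names}} {{.Ports}}'` output and reports any container that publishes port 3100 on a non-loopback host address. The function names, container names and sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from loki-ubuntu.sh. Input is the output of:
#   docker ps --format '{{.Names}} {{.Ports}}'
LOKI_PORT=3100

# Prints "name hostaddr:hostport" for every published mapping of LOKI_PORT
# that is bound to a non-loopback host address.
# Exit status: 0 = none found, 1 = at least one external binding.
find_exposed_loki() {
  awk -v port="$LOKI_PORT" '
    {
      name = $1
      ports = substr($0, length($1) + 2)      # everything after the name
      n = split(ports, maps, ", ")
      for (i = 1; i <= n; i++) {
        # Published: HOSTADDR:HOSTPORT->CPORT/proto. A bare "3100/tcp" is
        # only reachable inside the Docker network, so it is skipped.
        if (maps[i] !~ /->/) continue
        split(maps[i], side, "->")
        cport = side[2]; sub(/\/.*$/, "", cport)
        if (cport != port) continue
        host = side[1]; sub(/:[0-9]+$/, "", host)   # drop the host port
        if (host == "127.0.0.1" || host == "::1" || host == "[::1]") continue
        print name, side[1]
        found = 1
      }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample of `docker ps` output (not captured from a real host).
sample_ps() {
  printf 'loki 0.0.0.0:3100->3100/tcp, :::3100->3100/tcp\n'
  printf 'grafana 0.0.0.0:3000->3000/tcp\n'
  printf 'loki-internal 3100/tcp\n'
  printf 'loki-local 127.0.0.1:3100->3100/tcp\n'
}

# Live use: docker ps --format '{{.Names}} {{.Ports}}' | find_exposed_loki
sample_ps | find_exposed_loki || echo "port $LOKI_PORT is published beyond loopback"
```

A binding reported here means the Loki API is reachable on the host's network interfaces unless a host firewall blocks it; removing the `ports:` mapping (or binding it to `127.0.0.1`) keeps access inside the Docker network as described above.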
Alternatives include Graylog (full-text search, easier for ops teams), OpenObserve (unified logs+metrics+traces, cheaper), Elasticsearch + Kibana (richest queries, highest cost), and Seq (Windows/.NET focused). Loki is the best choice if you're already in the Grafana ecosystem and want low-cost log storage.
If you need full-text search across log content (searching for arbitrary strings without knowing the label), Graylog or OpenObserve is a better fit. Loki is optimized for label-filtered queries — ad hoc text search is possible but slower. Also avoid Loki if you have no Grafana setup, as it has no standalone UI.
Elasticsearch indexes every word in every log line (full-text index), enabling fast free-text search but at high storage and memory cost. Loki only indexes labels (key-value pairs like `app=nginx`), storing log content compressed. Loki is far cheaper but requires you to know your label structure — ad hoc text search is slower.
Promtail is the log shipping agent made by Grafana Labs for Loki. It tails log files and Docker container logs, attaches labels, and pushes batches to Loki. You can also use Fluent Bit or Vector instead. For Docker setups, Promtail with Docker service discovery is the easiest path.
Technically yes — Loki has an HTTP API and LogCLI command-line tool. But Loki has no built-in web UI. Grafana is the standard UI and is nearly always used alongside Loki. Without Grafana, querying Loki requires CLI tools.
Loki's storage cost is dramatically lower than Elasticsearch — compressed log chunks are typically 3–10× smaller. A setup ingesting 1 GB of raw logs per day might use only 50–150 MB of Loki storage after compression. RAM requirements are also modest: a single-node Loki handles most homelab workloads on 512 MB–1 GB.
LogQL is Loki's query language, inspired by PromQL. It has two parts: log queries (filter and display log lines) and metric queries (count, rate, or aggregate over log streams). Example: `rate({app="nginx"}[5m])` gives you the log ingestion rate for nginx containers over 5 minutes.
Deploy Promtail as a DaemonSet using the official Helm chart (`helm install promtail grafana/promtail`). Configure it to point to your Loki endpoint. Promtail will auto-discover pods and attach namespace, pod name, and container name as labels.
Yes. Set `retention_period: 30d` in the compactor section of your loki-config.yaml and enable `retention_enabled: true`. Loki will automatically delete chunks older than the retention period during compaction runs.
Run `docker compose pull && docker compose up -d`. Check the Loki changelog for schema migration notices before major version upgrades — some versions require a schema update step before the new version can start.