Enabling Loki
Introduction
Loki is a log aggregation system designed for storing and querying logs efficiently. Unlike traditional log management systems, Loki indexes only metadata instead of the full log contents, which makes it highly scalable and cost-effective. It stores logs in a compressed format with minimal indexing, reducing storage and operational costs.
Process
- SSH into the instance where Privacera Manager is installed.
- Navigate to the config directory.
- Copy the vars.monioring.yml file from the sample-vars folder to the custom-vars folder. If this file already exists in the custom-vars folder, you can skip this step.
- Open vars.monioring.yml, uncomment the variables listed under "Enable loki", and save the file.
- Once done, redeploy the monitoring components:
  a. Go to the privacera-manager directory.
  b. Run setup to generate the required files.
  c. Install the monitoring components.
  d. Run install to update Grafana.
  e. Once done, run post-install.
Storage Configuration
By default, Loki uses local storage, which is not recommended for production environments. For production deployments, configure cloud object storage such as AWS S3, Azure Blob Storage, or Google Cloud Storage (GCS), as detailed in the sections below.
Configure Cloud Storage for Loki
This guide outlines the steps to configure cloud-based object storage for Grafana Loki using AWS S3, Azure Blob Storage, or Google Cloud Storage (GCS) within a production-ready Privacera Monitoring stack.
Configure AWS S3 for Loki
Prerequisites
Ensure the following are in place:
- An S3 bucket to store Loki logs.
- An IAM role with the necessary permissions and a trust relationship for the Loki Kubernetes service account.
Note
By default, the Loki retention period is set to 30 days.
Step 1: Ensure that an Identity Provider (IdP) is already created for your EKS cluster's OIDC. If not, create a new Identity Provider before proceeding.
- Navigate to AWS EKS → Select your cluster.
- From the Overview tab, copy the OIDC (OpenID Connect) provider URL.
- Go to IAM → Identity Providers → Add provider.
- Select OpenID Connect.
- Paste the OIDC URL under Provider URL and click Get thumbprint.
- Set Audience to sts.amazonaws.com.
- Add optional tags and click Add provider. (The ID of this provider is needed later in the IAM role's trust relationship.)
Step 2: Create an IAM Policy
Go to IAM → Policies, and create a new policy with the following JSON definition:
Tip
- Replace <AWS_S3_BUCKET_NAME> with your AWS S3 bucket name.
Step 3: Create an IAM Role and Trust Relationship
- Navigate to IAM → Roles → Create role.
- Select Web identity as the trusted entity type.
- Choose the OIDC provider created earlier, set Audience to sts.amazonaws.com, and proceed.
- Attach the custom policy from the previous step.
- Name and create the role.
Once created, modify the trust relationship to limit role assumption to specific Kubernetes service accounts:
Tip
- Replace <AWS_ACCOUNT_ID>, <AWS_REGION> and <OIDC_ID> with your AWS account ID, AWS region and OIDC ID respectively.
- The action sts:AssumeRoleWithWebIdentity allows a service (such as a Kubernetes service account) to assume an IAM role using a web identity token (e.g. an OIDC token).
- The default service account name is loki and the default namespace is privacera-monitoring.
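The policy JSON from Step 2 and the trust relationship from Step 3 are not reproduced on this page. The following is an added Python example, not Privacera's own policy text, that builds both documents from placeholder values and then audits the trust policy to confirm it is pinned to the sts.amazonaws.com audience and to exactly the loki service account in the privacera-monitoring namespace, with no wildcard subject. The account ID, region, OIDC ID and bucket name are constructed placeholders, and the exact statement set in Privacera's S3 policy is an assumption (a least-privilege list/get/put/delete grant is shown).

```python
"""Build and audit the two IAM documents behind IRSA (IAM Roles for Service
Accounts) for Loki: the S3 access policy (Step 2) and the role trust
relationship (Step 3).

Added example for this page, not Privacera's own policy text. Every account,
region, OIDC and bucket value below is a constructed placeholder."""
import json

# Constructed placeholder values; replace with your own (none is a real identifier).
AWS_ACCOUNT_ID = "123456789012"
AWS_REGION = "us-east-1"
OIDC_ID = "EXAMPLEOIDCID0123456789ABCDEF"
AWS_S3_BUCKET_NAME = "example-privacera-loki-logs"
NAMESPACE = "privacera-monitoring"   # default namespace named on the page
SERVICE_ACCOUNT = "loki"             # default service account named on the page


def oidc_host(region: str, oidc_id: str) -> str:
    """Hostname of the EKS cluster's OIDC issuer, as used in IAM condition keys."""
    return f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"


def s3_access_policy(bucket: str) -> dict:
    """Least-privilege bucket access for Loki: list the bucket, and get/put/delete
    objects under it. Assumption: this is the shape of the page's omitted JSON;
    it deliberately avoids 's3:*' and unscoped resources."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "LokiListBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
            {"Sid": "LokiObjectAccess", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"{bucket_arn}/*"]},
        ],
    }


def irsa_trust_policy(account_id: str, region: str, oidc_id: str,
                      namespace: str, service_account: str) -> dict:
    """Trust relationship that lets exactly one Kubernetes service account assume
    the role via sts:AssumeRoleWithWebIdentity. Audience and subject are both
    pinned with StringEquals."""
    host = oidc_host(region, oidc_id)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{host}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{host}:aud": "sts.amazonaws.com",
                f"{host}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }},
        }],
    }


def trust_policy_findings(policy: dict, region: str, oidc_id: str,
                          namespace: str, service_account: str) -> list:
    """Audit a trust policy and return human-readable findings. An empty list
    means every web-identity Allow statement is pinned to the expected audience
    and to exactly the expected service account (no wildcard subject)."""
    host = oidc_host(region, oidc_id)
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings, seen = [], False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        seen = True
        cond = stmt.get("Condition", {})
        # Merge the pattern and equality operators so a StringLike wildcard is inspected too.
        keys = {**cond.get("StringLike", {}), **cond.get("StringEquals", {})}
        aud, sub = keys.get(f"{host}:aud"), keys.get(f"{host}:sub")
        if aud != "sts.amazonaws.com":
            findings.append("audience is not pinned to sts.amazonaws.com")
        if sub is None:
            findings.append("no :sub condition; any pod in the cluster could assume the role")
        elif "*" in str(sub):
            findings.append(f"wildcard subject {sub!r}; more than one service account can assume the role")
        elif sub != expected_sub:
            findings.append(f"subject {sub!r} is not the expected {expected_sub!r}")
    if not seen:
        findings.append("no Allow statement for sts:AssumeRoleWithWebIdentity")
    return findings


if __name__ == "__main__":
    trust = irsa_trust_policy(AWS_ACCOUNT_ID, AWS_REGION, OIDC_ID, NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(s3_access_policy(AWS_S3_BUCKET_NAME), indent=2))
    print(json.dumps(trust, indent=2))
    print("trust policy findings:",
          trust_policy_findings(trust, AWS_REGION, OIDC_ID, NAMESPACE, SERVICE_ACCOUNT) or "none")
```

Running the script prints both documents ready to paste into the IAM console. The audit function is the part worth keeping: run it against the trust relationship you actually saved, because a subject written with a StringLike wildcard (for example system:serviceaccount:*:*) lets every pod in the cluster that can obtain a projected token assume the role, and a missing :aud condition drops the audience check entirely.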
Step 4: Configure Loki for S3
- SSH into the instance where Privacera Manager is installed.
- Navigate to the configuration directory.
- Create the Loki custom values file.
- Add the following configuration:
Tip
- Replace <AWS_S3_BUCKET_NAME>, <AWS_REGION> and <AWS_IAM_ROLE_ARN> with your S3 bucket name, AWS region and the ARN of the IAM role created above.
Step 5: Redeploy Monitoring Components
a. Go to the privacera-manager directory.
b. Run setup to generate the required files.
c. Install the monitoring components.
d. Run install to update Grafana.
e. Once done, run post-install.
Configure Azure Blob Storage for Loki
Step 1: Create a Storage Account
- Go to Azure Portal → Storage Accounts → Create.
- Configure:
  - Name: e.g., privaceramonitoringsa (must be globally unique)
  - Region: Same as your AKS cluster
  - Resource Group: Same as AKS
  - Performance: Standard
  - Replication: LRS
- Click Review + create, then Create.
Step 2: Create a Blob Container
- In your created storage account, go to Data storage → Containers.
- Click + Container and configure:
  - Name: e.g., privacera-monitoring-container
  - Public access level: Private (no anonymous access)
- Click Create.
Step 3: Create a Service Principal
- Go to Azure Portal → Azure Active Directory → App registrations.
- Click New registration.
- Configure:
  - Name: e.g., privacera-monitoring-sp
  - Supported account types: Accounts in this organizational directory only
  - Redirect URI: Leave blank
- Click Register.
- After creation, note down:
  - Application (client) ID
  - Directory (tenant) ID
Step 4: Create a Client Secret
- In your app registration, go to Certificates & secrets.
- Click + New client secret.
- Configure:
  - Description: e.g., privacera-monitoring-secret
  - Expires: Choose an appropriate expiration (e.g., 24 months)
- Click Add.
- Copy the secret value immediately, as it won't be shown again.
Step 5: Assign Permissions to the Service Principal
Note
Make sure you have Owner access to your storage account.
- Go to Storage Accounts → Your Storage Account → Access Control (IAM).
- Click + Add → Add role assignment.
- Configure:
  - Role: Storage Blob Data Contributor
  - Assign access to: Service principal
  - Select member: Choose the privacera-monitoring-sp service principal
- Click Save.
Step 6: Configure Loki for Azure
- SSH into the Privacera Manager instance.
- Navigate to the config directory.
- Create the custom values file.
- Add the following content:
Tip
- Replace <CONTAINER_NAME>, <STORAGE_ACCOUNT_NAME>, <TENANT_ID>, <CLIENT_ID>, and <CLIENT_SECRET> with your Azure storage container name, storage account name, tenant ID, client ID, and client secret respectively.
Step 7: Redeploy Monitoring Components
a. Go to the privacera-manager directory.
b. Run setup to generate the required files.
c. Install the monitoring components.
d. Run install to update Grafana.
e. Once done, run post-install.
Configure GCP Storage for Loki
Step 1: Create a GCS Bucket
- Go to GCP Console → Cloud Storage.
- Click Create Bucket.
- Configure:
  - Name: Globally unique
  - Region: As required
  - Storage class: Standard
  - Access control: Uniform
- Click Create.
Step 2: Create a Service Account
- Go to IAM & Admin → Service Accounts.
- Click Create Service Account.
- Provide a name and (optionally) a description.
- Skip assigning roles for now.
- Click Done.
Step 3: Grant Bucket Access to the Service Account
- Go back to your bucket → Permissions tab.
- Click Grant Access.
- Add your service account's email.
- Assign the following roles:
  - Storage Admin
  - Storage Object Admin
- Click Save.
Step 4: Configure Workload Identity
- Open the service account details.
- Under Permissions, click + Grant Access.
- In New principals, add:
Tip
- Replace <PROJECT_ID> with your GCP project ID.
- The default Privacera monitoring namespace is privacera-monitoring and the default Kubernetes service account name is loki.
- Assign role: Service Account Workload Identity User
- Save the configuration.
Step 5: Configure Loki for GCP
- SSH into the Privacera Manager instance.
- Navigate to the config directory.
- Create the custom values file.
- Add the configuration below:
Tip
- Replace <GCP_BUCKET_NAME>, <GCP_SERVICE_ACCOUNT> and <PROJECT_ID> with your GCP bucket name, service account name and project ID respectively.
Step 6: Redeploy Monitoring Components
a. Go to the privacera-manager directory.
b. Run setup to generate the required files.
c. Install the monitoring components.
d. Run install to update Grafana.
e. Once done, run post-install.