Cross-Platform Grafana Alloy Install & Configuration with Platform-Optimized Monitoring
✨ Features • 🚀 Install • 🛠️ Management • 🚨 Troubleshooting • 🖥️ Tested • 🔒 Security • 📚 More • 📄 License • 💜 Support • 👏 Credits
Automatic Detection: Installer automatically detects system type (Standalone, Proxmox Host, VM/Container) and configures Logs + Metrics or Logs-Only mode accordingly.
- Standalone/Host: Full logs + metrics monitoring
- Virtualized: Logs-only monitoring (kernel limitations)
- Optional override: Add
--forceto install full logs + metrics on virtual servers (for example, VPS instances)
- Physical/Host: Full logs + metrics monitoring
- Virtualized: Logs-only monitoring
- Automated, secure metrics exporter for Proxmox guests
- Zero-configuration setup with automatic API user/token management
- Exposes guest metrics at
http://localhost:9221/pve
⚠️ WARNING: Running installation scripts can overwrite existing Alloy configurations. Back up your configuration if you have made manual changes.
# One-liner installation (replace URLs with your endpoints)
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/alloy_setup.sh)" -- --loki-url "https://loki.yourdomain.com/loki/api/v1/push" --prometheus-url "https://prometheus.yourdomain.com/api/v1/write"
# Force full install on virtual machines (VPS, cloud instances)
sudo bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/alloy_setup.sh)" -- --force --loki-url "https://loki.yourdomain.com/loki/api/v1/push" --prometheus-url "https://prometheus.yourdomain.com/api/v1/write"# One-liner installation (replace Loki & Prom URLs)
powershell -ExecutionPolicy Bypass -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://github.com/IT-BAER/alloy-aio/raw/main/alloy_setup_windows.ps1' -OutFile 'alloy_setup_windows.ps1'; .\alloy_setup_windows.ps1 -LokiUrl 'https://loki.yourdomain.com/loki/api/v1/push' -PrometheusUrl 'https://prometheus.yourdomain.com/api/v1/write'"# Deploy to all running containers (replace Loki URL)
bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/proxmox_ct_deploy.sh)" -- --loki-url "https://loki.yourdomain.com/loki/api/v1/push"# Deploy to specific container (replace Loki URL & Container ID)
bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/proxmox_ct_deploy.sh)" -- --loki-url "https://loki.yourdomain.com/loki/api/v1/push" --container 100📦 OCI Container Support: Proxmox OCI containers (Docker images converted to LXC) are automatically detected. System containers with systemd are supported; Alpine Linux and application containers (no init system) are auto-skipped with a warning. See OCI Container Logging for how to collect logs from these containers.
Note: Requires QEMU Guest Agent on target VMs.
# Deploy to all running VMs (replace Loki URL)
bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/proxmox_vm_deploy.sh)" -- --loki-url "https://loki.yourdomain.com/loki/api/v1/push"# Deploy to specific VM (replace Loki URL & VM ID)
bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/proxmox_vm_deploy.sh)" -- --loki-url "https://loki.yourdomain.com/loki/api/v1/push" --vm 100For Docker/OCI containers on Proxmox that cannot run Alloy directly (Alpine, nginx, Redis, etc.)
OCI containers (Docker images running on Proxmox LXC) don't have systemd, so Alloy cannot be installed inside them. Instead, logs are collected via the host's journald:
How it works:
- Container's stdout/stderr is redirected to syslog via a wrapper script
- Syslog socket is bind-mounted from host into container (
/dev/log) - Logs appear in host journald with custom tags (e.g.,
ct122_nginx) - Host Alloy collects logs via journald integration
Automatic setup during mass deployment:
# Deploy Alloy + setup OCI logging for incompatible containers
bash -c "$(curl -fsSL https://raw.githubusercontent.com/IT-BAER/alloy-aio/main/proxmox_ct_deploy.sh)" -- --loki-url "https://loki.yourdomain.com/loki/api/v1/push" --setup-ociManual setup for specific OCI container:
# Setup logging for a single OCI container
sudo bash proxmox_oci_logging_setup.sh --container 122
# Setup logging for all OCI containers
sudo bash proxmox_oci_logging_setup.sh --all
# List OCI containers that need logging setup
sudo bash proxmox_oci_logging_setup.sh --list
# Custom log tag (default: ct<ID>_<app>)
sudo bash proxmox_oci_logging_setup.sh --container 122 --tag "my-nginx"
# Revert changes (remove logging setup)
sudo bash proxmox_oci_logging_setup.sh --container 122 --revertAfter setup, logs appear in host journald:
# View logs from OCI container
journalctl -t ct122_nginx -f
# All OCI container logs
journalctl | grep "ct[0-9]*_"Note: The Proxmox host must have Alloy installed to forward these logs to Loki.
sudo systemctl status alloy # Check status
sudo journalctl -u alloy -f # View logs
sudo systemctl restart alloy # Restart serviceGet-Service "Alloy" # Check status
Restart-Service "Alloy" # Restart serviceService won't start:
# Linux
sudo systemctl status alloy
sudo journalctl -u alloy --no-pager
# Windows
Get-Service "Alloy"
Get-WinEvent -LogName Application -Source "Alloy" | Select-Object -First 10Prometheus is not showing metrics:
Make sure you add --web.enable-remote-write-receiver as ARG on your Prometheus instance.
Permission errors (Linux):
sudo usermod -aG adm,systemd-journal alloy
sudo setfacl -R -m u:alloy:rx /var/log/
sudo systemctl restart alloyPermission denied for NEW log files (after Alloy installation):
Note: As of the latest version, a permission fixer timer is installed by default during setup. This timer runs hourly and automatically fixes permissions for any new log files. If you're still seeing permission errors, run the fixer manually once:
sudo /usr/local/bin/alloy-fix-permissionsWhen you install new applications (like CrowdSec, fail2ban, etc.) after Alloy is already installed, their log files won't automatically have the correct permissions. You'll see errors like:
failed to tail the file: open /var/log/crowdsec-firewall-bouncer.log: permission denied
Quick fix for specific file:
sudo setfacl -m u:alloy:r /var/log/crowdsec-firewall-bouncer.log
sudo systemctl restart alloyFix all log files at once:
# Using the permission fixer (installed by default at /usr/local/bin)
sudo /usr/local/bin/alloy-fix-permissions
# Or using the script from the repo
sudo bash alloy_fix_permissions.sh
# Or manually fix all logs
sudo setfacl -R -m u:alloy:rx /var/log/
sudo setfacl -R -d -m u:alloy:rx /var/log/
sudo systemctl restart alloyCheck timer status:
# Verify the permission fixer timer is running
sudo systemctl status alloy-fix-permissions.timerValidate configuration:
# Linux
sudo alloy fmt --test /etc/alloy/aio-linux.alloy
# Windows (run as Administrator)
& "C:\Program Files\GrafanaLabs\Alloy\alloy-windows-amd64.exe" fmt "C:\Program Files\GrafanaLabs\Alloy\aio-windows.alloy" --test| OS Family | Distribution | Version | Logs | Metrics | Status |
|---|---|---|---|---|---|
| Proxmox | Proxmox VE (Host) | 8.4.1 | ✅ | ✅ | ✅ |
| Debian | Debian | 10+ | ✅ | ✅/❌¹ | ✅ |
| Debian | Ubuntu | 18.04+ | ✅ | ✅/❌¹ | ✅ |
| RHEL | RHEL/CentOS Stream | 8+ | ✅ | ✅/❌¹ | ✅ |
| RHEL | Rocky Linux | 8+ | ✅ | ✅/❌¹ | ✅ |
| RHEL | AlmaLinux | 8+ | ✅ | ✅/❌¹ | ✅ |
| RHEL | Fedora | 36+ | ✅ | ✅/❌¹ | ✅ |
| SUSE | openSUSE Leap | 15+ | ✅ | ✅/❌¹ | ✅ |
| SUSE | SLES | 15+ | ✅ | ✅/❌¹ | ✅ |
| Windows | Windows 10/11 | 10+ | ✅ | ✅/❌¹ | ✅ |
| Windows | Windows Server | 2016+ | ✅ | ✅/❌¹ | ✅ |
¹ Metrics disabled on virtualized systems (VMs/containers) due to kernel limitations. Use
--forceto override.
| System | Reason | Alternative |
|---|---|---|
| Alpine Linux | Uses OpenRC instead of systemd | Use OCI Container Logging |
| Docker/OCI App Containers | No init system (single-process) | Use OCI Container Logging |
| Devuan | Uses sysvinit/OpenRC instead of systemd | - |
| Gentoo (OpenRC) | OpenRC variant not supported | - |
Note: Proxmox mass deployment scripts automatically detect and skip unsupported containers. Use
--setup-ocito configure logging for OCI containers.
- 🛡️ Non-root operation: Alloy runs as Dedicated User
- 🔐 Minimal permissions: ACL-based log access only
- 📁 Secure configuration: 640 Permissions on Config Files
This project is licensed under the AGPL-3.0 license.
If you find this Project useful, consider supporting this and future Developments, which heavily relies on Coffee:
- Grafana Labs - For the amazing Grafana Alloy project
- Grafana Community - For continuous support and feedback