https:\/\/grafana.com\/docs\/loki\/latest\/send-data\/alloy\/<\/a><\/figcaption><\/figure>\n\n\n\n1) Set up Grafana Cloud Logs (Managed Loki)<\/h2>\n\n\n\n Grafana Cloud Logs is a fully managed Loki <\/strong>service, a log aggregation system powered by Grafana<\/strong>\u2014an open-source, Prometheus-inspired tool optimized for efficiency and scalability in log management. Unlike traditional log systems that index full-text content, Loki indexes only metadata (labels) for each log stream – such as service names, environments, or Kubernetes metadata. This minimalist approach keeps indexing lean and cost-effective.<\/p>\n\n\n\nTo setup Loki in Grafana Cloud:<\/p>\n\n\n\n
\nIn your Grafana Cloud stack, go to Administration \u2192 Users and access \u2192 Cloud access policies<\/strong>.logs:write<\/code><\/strong>.<\/li>\n\n\n\nCreate an access-policy token and add it to the newly created policy<\/li>\n\n\n\n To get the endpoint for pushing logs to Loki, go to Loki \u2192 Details \/ Send logs<\/strong>:\n\nURL<\/strong>: https:\/\/<cluster>\/loki\/api\/v1\/push<\/code><\/li>\n\n\n\nUser<\/strong> (the basic_auth username<\/strong>)<\/li>\n\n\n\nPassword <\/strong>(your access-policy token<\/strong>)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n2) Install Grafana Alloy<\/h2>\n\n\n\n Grafana Alloy<\/strong> is Grafana’s open-source distribution of the OpenTelemetry Collector<\/strong>, enhanced with built-in support for Prometheus pipelines. It unifies collection, processing, and export of logs, metrics, traces, and profiles\u2014all through a single agent.<\/p>\n\n\n\nIf you\u2019ve worked with observability tools like Dynatrace OneAgent<\/strong>, you\u2019ll notice the contrast: OneAgent is almost zero-touch, automatically discovering workloads and wiring telemetry with little to no configuration. Alloy, by comparison, gives you flexibility and openness, but you do need to roll up your sleeves to manage its pipelines and config.<\/p>\n\n\n\nTo install Alloy, from Grafana Cloud \u2192 Connections \u2192<\/strong><\/strong> Collector<\/strong> \u2192 Install Grafana Alloy<\/strong>, generate the install command for your distro\/arch. Disable Remote Configuration<\/strong> so you can manage a local config.alloy<\/code>.<\/p>\n\n\n\nCopy and Run the generated alloy install command on your host, then start Alloy (example):<\/p>\n\n\n\n
nohup sudo .\/alloy-linux-amd64 run .\/config.alloy > alloy.log 2>&1 &<\/code><\/pre>\n\n\n\n3) Configure Alloy: ship and enrich Apache logs to Loki<\/h2>\n\n\n\nThere are 4 major components to configure Alloy to ship logs to Loki:<\/p>\n\n\n\n
\nlocal.file_match<\/strong><\/code> discovers files on the local filesystem using glob patternsloki.source.file<\/strong><\/code> reads log entries from files and forwards them to other loki.process<\/code>loki.process<\/strong><\/code> enrich the log lines (e.g. parsing, adding context, mapping ip address to their originated countries, etc.) and forwards the results to loki.write<\/code>loki.write<\/strong><\/code> sends the log lines to the Loki endpoint over the network using the Loki logproto<\/code> format<\/li>\n<\/ol>\n\n\n\nconfig.alloy<\/code> (redacted, minimal example)<\/strong><\/p>\n\n\n\n\/\/ 1) Which files to watch\nlocal.file_match \"local_files\" {\n path_targets = [\n { \"__path__\" = \"\/opt\/xxx\/apache\/logs\/access_log\", job = \"apache_access\" },\n { \"__path__\" = \"\/opt\/xxx\/apache\/logs\/error_log\", job = \"apache_error\" },\n ]\n sync_period = \"5s\"\n}\n\n\/\/ 2) where to read logs from\nloki.source.file \"log_scrape\" {\n targets = local.file_match.local_files.targets\n forward_to = [loki.process.enrich.receiver]\n tail_from_end = true\n}\n\n\/\/ 3) Parse and enrich access logs\nloki.process \"enrich\" {\n stage.match {\n selector = \"{job=\\\"apache_access\\\"}\"\n\n stage.regex {\n expression = \"^(?P<ip>\\\\S+) \\\\S+ \\\\S+ \\\\[(?P<time>[^\\\\]]+)\\\\] \\\\\\\"(?P<method>\\\\S+) (?P<path>[^ ]+) (?P<proto>[^\\\\\\\"]+)\\\\\\\" (?P<status>\\\\d{3}) (?P<bytes_sent>\\\\d+|-)\"\n }\n\n stage.timestamp {\n source = \"time\"\n format = \"02\/Jan\/2006:15:04:05 -0700\"\n }\n\n \/\/ Enable Geoip using GeoLite Country Database\n stage.geoip {\n source = \"ip\"\n db = \"\/usr\/share\/GeoIP\/GeoLite2-Country.mmdb\"\n db_type = \"country\"\n }\n\n stage.labels {\n values = {\n ip = \"\",\n method = \"\",\n status = \"\",\n path = \"\",\n bytes_sent = \"\",\n geoip_country_code = \"\",\n }\n }\n }\n\n forward_to = [loki.write.grafana_cloud_loki.receiver]\n}\n\n\/\/ 4) Push to Grafana Cloud Loki\nloki.write \"grafana_cloud_loki\" {\n endpoint {\n url = \"https:\/\/<your-loki-cluster>\/loki\/api\/v1\/push\"\n basic_auth {\n username = \"<LOKI_INSTANCE_ID>\"\n password = \"<ACCESS_POLICY_TOKEN>\"\n }\n }\n}\n<\/code><\/pre>\n\n\n\n4) Enable GeoIP for the geomap<\/h2>\n\n\n\n Apache logs only know visitor IPs<\/strong>. To draw a world map and a \u201cTop countries\u201d table, I need a country code<\/strong> on each log line. Country-level GeoIP is a sweet spot: it\u2019s useful for trends and anomaly spotting (e.g., sudden traffic from a new region) without getting too granular or privacy-heavy.<\/p>\n\n\n\nI use the free MaxMind GeoLite2-Country<\/strong> database. Country (not city) keeps label cardinality low and avoids PII while still powering the Geomap and country panels.<\/p>\n\n\n\n\nCreate a free MaxMind<\/strong> account and download GeoLite2-Country<\/strong> (.mmdb<\/code>).<\/li>\n\n\n\nPlace the file on the server, e.g. \/usr\/share\/GeoIP\/GeoLite2-Country.mmdb<\/code>.<\/li>\n\n\n\n(Optional) sanity check: mmdblookup --file \/usr\/share\/GeoIP\/GeoLite2-Country.mmdb --ip <some_ip> country iso_code<\/code><\/li>\n\n\n\nIn the above Alloy config, enable the stage.geoip<\/code> step so each access log line gets a geoip_country_code<\/code><\/strong> label.<\/li>\n<\/ul>\n\n\n\n5) Dashboard Panels<\/h1>\n\n\n\n Below are the panels I have added to my dashboard, what each is for, how to read it during an incident, and the query I used.<\/p>\n\n\n\n
a) Website Uptime (Stat) + Synthetic Monitoring<\/h2>\n\n\n\n To watch real user reachability\u2014not just server CPU\u2014I stood up three Synthetic Monitoring browser checks<\/strong> in Grafana across AMER, EMAC, and APAC<\/strong> regions. Each check probes my website every 15 minutes<\/strong>. <\/p>\n\n\n\nWhy this matters:<\/strong><\/p>\n\n\n\n\nIf all three<\/strong> fail together, I likely broke the site or origin.<\/li>\n\n\n\nIf one region<\/strong> fails while the others pass, it\u2019s routing, DNS, CDN, or a regional outage.<\/li>\n\n\n\nI add a table showing how many checks succeeded<\/em> per probe in the last window.<\/li>\n<\/ul>\n\n\n\nHow I read it:<\/strong><\/p>\n\n\n\nThe table<\/strong> shows each probe\u2019s recent success (green light) or fail (red light).<\/p>\n\n\n\nAn Uptime panel showing the current status in the last 15 minutes base on all three probes’ results:<\/p>\n\n\n\nQuery for this panel:<\/p>\n\n\n\n
max by () (max_over_time(probe_success{job=\"Blog Browser Check\", instance=\"test\", probe=~\"Calgary|London|Singapore\"}[900s]))<\/code><\/pre>\n\n\n\nb) Unique Visitors & Realtime Visitors (Stat)<\/h2>\n\n\n\n These two tiles tell two stories:<\/p>\n\n\n\n
\nRange uniques:<\/strong> \u201cHow many distinct visitors over the current dashboard window?\u201d<\/li>\n\n\n\nReal-time uniques:<\/strong> \u201cWho\u2019s on the site in the last 5 minutes<\/strong>?\u201d<\/li>\n<\/ul>\n\n\n\nWhy it\u2019s here:<\/strong> perfect for campaign days and sanity checks during incidents.How I read it:<\/strong> if range uniques look normal but real-time drops to near zero, it\u2019s likely an availability<\/strong> or routing<\/strong> issue right now.Panel tips:<\/strong> The 5-minute tile uses a Relative time override<\/strong> so it always reflects \u201cright now,\u201d no matter what the main range is.<\/p>\n\n\n\nThe queries for the above tiles are:<\/p>\n\n\n\n
\/\/Unique Visitors\ncount(sum by (ip) (count_over_time({job=\"apache_access\"}[$__range])))\n\n\/\/Realtime Visitors\ncount(sum by (ip) (count_over_time({job=\"apache_access\"}[5m])))<\/code><\/pre>\n\n\n\nc) Top Requested Pages (Table)<\/h2>\n\n\n\n What do people actually read on my blog? This table shows the top 10 requested pages<\/strong>, with a small gauge to show relative weight.<\/p>\n\n\n\nWhy it\u2019s here:<\/strong> helps prioritize performance work and content decisions.How I read it:<\/strong> While I’m curious how popular my pages are, I\u2019m also looking for unusual new paths jumping into the top 10. And I exclude static assets<\/strong> and noisy bot paths so this stays actionable. I also keep the path<\/strong> column as plain text so gauges only color the count, not the URL.<\/p>\n\n\n\nThe query for the above table:<\/p>\n\n\n\n
topk(\n 10,\n sum by (path) (\n count_over_time(\n {job=\"apache_access\",\n status=\"200\",\n path!=\"\/\",\n path!~\".*\\\\.(ico|svg|css|png|jpg|jpeg|webp|avif|js|xml|txt|woff2|ttf)(\\\\?.*)?$\"}\n [$__range]\n )\n )\n)<\/code><\/pre>\n\n\n\nd) Visitors by Countries (Geomap)<\/h2>\n\n\n\n I use a world map to spot where traffic is coming from at a glance. Bigger bubbles mean more hits; if a new country suddenly lights up, that\u2019s a clue -maybe a campaign landed, or a bot net woke up.<\/p>\n\n\n\n
Why it\u2019s here:<\/strong> quick reality check on audience reach and anomalies by region.How I read it:<\/strong> I keep this locked to last 24 hours<\/strong> so it doesn\u2019t swing wildly. If one country balloons, I click it to drill into just those logs.Since I already enriched the log lines with geocode, showing the bubble on the map can be easily done by adding a Markers layer to the Geomap with the Lookup mode on geoip_country_code<\/strong>. <\/p>\n\n\n\nThe query I use is:<\/p>\n\n\n\n
sum by (geoip_country_code) (\n count_over_time({job=\"apache_access\", geoip_country_code!=\"\"} | __error__=`` [24h])\n)<\/code><\/pre>\n\n\n\ne) Top 10 Countries (Table)<\/h2>\n\n\n\n This is the map\u2019s sidekick. Same story, but with numbers you can quote.<\/p>\n\n\n\n
Why it\u2019s here:<\/strong> to answer \u201cWhich countries topped the list this period?\u201d without eyeballing bubbles.How I read it:<\/strong> sorted descending; if a country jumps from #7 to #2, I open Explore on that country code and look for a pattern (referrer spike, bot user-agents, etc.). I also use Value mappings to show cute flag labels (\ud83c\udde8\ud83c\udde6CA, \ud83c\uddf8\ud83c\uddecSG) so it\u2019s readable at a glance.<\/p>\n\n\n\nf) Performance: p95 & max request time (Time series)<\/h2>\n\n\n\n Two lines; two jobs. p95<\/strong> is what most users feel. Max<\/strong> catches outliers and ugly spikes.<\/p>\n\n\n\nWhy it\u2019s here:<\/strong> when p95 creeps up, I check the top pages; when max<\/strong> spikes, I look for a single heavy request or backend hiccup.How I read it:<\/strong> I set soft thresholds (e.g., 1 sec warning<\/strong>, 1 sec critical<\/strong>) to color the background. I keep p95 in a solid blue shade and max in a lighter blue light so it\u2019s obvious which is which.<\/p>\n\n\n\nThe queries for the performance tile are:<\/p>\n\n\n\n
\/\/p95 percentile performance\nmax by (host) (quantile_over_time(\n 0.95,\n {job=\"apache_access\"}\n | regexp \" (?P<request_time>\\\\d+)$\"\n | unwrap request_time\n [$__interval]\n) \/ 1000)\n\n\/\/max latency\nmax by (host) (max_over_time(\n {job=\"apache_access\"}\n | regexp \" (?P<request_time>\\\\d+)$\"\n | unwrap request_time\n [$__interval]\n) \/ 1000)<\/code><\/pre>\n\n\n\ng) Security watch: Error paths & Noisy IPs<\/h2>\n\n\n\n A pair of short lists to surface probing and scanning behavior:<\/p>\n\n\n\n
\nTop error paths<\/strong> (4xx\/5xx)<\/li>\n\n\n\nTop IPs causing errors<\/strong><\/li>\n<\/ul>\n\n\n\nWhy it\u2019s here:<\/strong> early warning for things like \/xmlrpc.php<\/code>, \/.env<\/code>, or \/.git\/config<\/code> hits\u2014classic probing.How I read it:<\/strong> if a single IP dominates, I open Explore on that IP for status codes and user agents, then decide whether to block or rate-limit upstream.<\/p>\n\n\n\nFinal Thoughts<\/h2>\n\n\n\n In the end, this project was about turning raw Apache logs into a living, trustworthy picture of my site. Grafana Cloud gave me the hosted plumbing; Alloy and Loki kept it OSS-friendly; and a handful of well-chosen panels (status codes, p95\/max, countries, bytes, synthetics, and security) turned noise into signal. The result is a dashboard I actually use: it tells me if I\u2019m up, who I\u2019m serving, how it feels, and whether anyone\u2019s poking the wrong doors. Next steps for me are light alerts on error rate and p95, and maybe a small RUM script to capture real client timing. If this write-up helps you ship your first version faster, even better\u2014steal the ideas, adapt them to your stack, and make the dashboard yours.<\/p>\n\n\n\nScreenshot<\/figcaption><\/figure>\n\n\n\nYou can find a snapshot of my dashboard here<\/a><\/em><\/p>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Introduction I wrote this article to turn my own notes into something useful, for me and for anyone who is trying to stand up a real, no-nonsense dashboard. I wanted one place to see if my blog is up, how fast it feels, where visitors come from, and whether anyone\u2019s rattling the doors. So I […]<\/p>\n","protected":false},"author":1,"featured_media":1201,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[77],"tags":[74,76,73,75],"class_list":["post-1163","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-grafana","tag-alloy","tag-dashboard","tag-grafana","tag-loki"],"_links":{"self":[{"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/posts\/1163","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/comments?post=1163"}],"version-history":[{"count":28,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/posts\/1163\/revisions"}],"predecessor-version":[{"id":1331,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/posts\/1163\/revisions\/1331"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/media\/1201"}],"wp:attachment":[{"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/media?parent=1163"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/categories?post=1163"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wallacel.com\/index.php\/wp-json\/wp\/v2\/tags?post=1163"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"http:\/\/184.72.63.26\/wp-content\/uploads\/2025\/08\/dashboard-1024x824.jpg\")
![\"\"](\"http:\/\/184.72.63.26\/wp-content\/uploads\/2025\/08\/alloy.png\")
![\"\"](\"http:\/\/184.72.63.26\/wp-content\/uploads\/2025\/08\/install-alloy.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/184.72.63.26\/wp-content\/uploads\/2025\/08\/alloy-components-1024x403.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/probe.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/probe_results.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/uptime.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/184.72.63.26\/wp-content\/uploads\/2025\/08\/unique-visitors.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/top-paths.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/visitor-countries.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/geomap.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/top-countries.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/top-errors-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.wallacel.com\/wp-content\/uploads\/2025\/08\/dashboard-1024x824.jpg\")