Install Grafana Alloy on Rocky Linux 10 / AlmaLinux 10

Grafana Alloy is the OpenTelemetry-compatible collector that replaced Grafana Agent. It handles metrics, logs, and traces in a single binary with a programmable pipeline configuration. This guide covers installing Alloy on Rocky Linux 10 and AlmaLinux 10 from the official Grafana RPM repository, then configuring it to collect system metrics, journal logs, file-based logs, and receive OTLP traces.

Original content from computingforgeeks.com - post 163984

Alloy uses a River-based configuration language that lets you wire components together – exporters feed into processors, processors feed into remote write endpoints. It is the recommended collector for the full Grafana LGTM stack (Loki, Grafana, Tempo, Mimir).

Prerequisites

Before starting, make sure you have the following in place:

  • Rocky Linux 10 or AlmaLinux 10 server with root or sudo access
  • A running Grafana instance for visualization – see Install Prometheus and Grafana on Rocky Linux / AlmaLinux
  • Downstream endpoints ready (Prometheus remote_write, Loki, or Tempo) depending on what you want to collect
  • SELinux in enforcing mode (default on RHEL-family systems)

For the Ubuntu/Debian version of this guide, see Install Grafana Alloy on Ubuntu / Debian.

Step 1: Add the Grafana RPM Repository

Grafana publishes RPM packages for Alloy in their official repository. Add it to your system:

sudo tee /etc/yum.repos.d/grafana.repo <<'REPO'
[grafana]
name=grafana
baseurl=https://rpm.grafana.com
repo_gpgcheck=1
enabled=1
gpgcheck=1
gpgkey=https://rpm.grafana.com/gpg.key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
REPO

Verify the repository was added correctly:

sudo dnf repolist | grep grafana

You should see the grafana repository listed:

grafana                              grafana

Step 2: Install Grafana Alloy

Install the Alloy package from the repository:

sudo dnf install -y alloy

Confirm the installed version:

alloy --version

The output confirms the installed version:

alloy, version v1.14.1 (branch: HEAD, revision: 4c4e2fc1a)
  build user:
  build date:
  go version:       go1.23.8
  platform:         linux/amd64
  tags:             builtinassets,promtail_journal_enabled

Step 3: Configure SELinux for Alloy

Alloy needs to read the systemd journal for log collection. The alloy user must be added to the systemd-journal group:

sudo usermod -aG systemd-journal alloy

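Alloy also reads log files under /var/log/. On Rocky and AlmaLinux with SELinux enforcing, the alloy process runs under its own context and needs read access to log files. Group membership only affects standard file permissions; if SELinux itself denies access, the denial appears in the audit log (see Troubleshooting). Add the alloy user to the adm group: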

sudo usermod -aG adm alloy

Verify group membership looks correct:

id alloy

The output should show both groups:

uid=996(alloy) gid=993(alloy) groups=993(alloy),4(adm),190(systemd-journal)

Step 4: Configure Alloy

The main configuration file is /etc/alloy/config.alloy. Back up the default config first:

sudo cp /etc/alloy/config.alloy /etc/alloy/config.alloy.bak

Open the configuration file:

sudo vi /etc/alloy/config.alloy

Replace the contents with the following configuration. This sets up system metrics collection, journal log collection, file-based log collection for /var/log/messages and /var/log/secure, and an OTLP trace receiver:

// ============================================================
// System Metrics - prometheus.exporter.unix
// ============================================================
prometheus.exporter.unix "system" {
  enable_collectors = ["cpu", "disk", "filesystem", "loadavg", "meminfo", "netdev", "uname", "systemd"]
}

prometheus.scrape "system_metrics" {
  targets    = prometheus.exporter.unix.system.targets
  forward_to = [prometheus.remote_write.default.receiver]
  scrape_interval = "15s"
}

prometheus.remote_write "default" {
  endpoint {
    url = "http://localhost:9009/api/v1/push"
  }
}

// ============================================================
// Journal Logs - loki.source.journal
// ============================================================
loki.source.journal "systemd" {
  forward_to = [loki.write.default.receiver]
  labels     = {
    job      = "journal",
    instance = constants.hostname,
  }
}

// ============================================================
// File Logs - /var/log/messages and /var/log/secure
// ============================================================
local.file_match "system_logs" {
  path_targets = [
    { __path__ = "/var/log/messages", job = "varlogs", log_type = "messages" },
    { __path__ = "/var/log/secure",   job = "varlogs", log_type = "secure" },
  ]
}

loki.source.file "system_logs" {
  targets    = local.file_match.system_logs.targets
  forward_to = [loki.write.default.receiver]
}

loki.write "default" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push"
  }
}

// ============================================================
// OTLP Trace Receiver
// ============================================================
otelcol.receiver.otlp "default" {
  grpc {
    endpoint = "0.0.0.0:4320"
  }
  http {
    endpoint = "0.0.0.0:4321"
  }

  output {
    traces = [otelcol.exporter.otlp.tempo.input]
  }
}

otelcol.exporter.otlp "tempo" {
  client {
    endpoint = "localhost:4317"
    tls {
      insecure = true
    }
  }
}

Adjust the remote_write URL, Loki URL, and Tempo endpoint to match your environment. If those services run on a different host, replace localhost with the appropriate IP address or hostname.
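
Once localhost is replaced with another host, the http:// push URLs and insecure = true carry metrics and logs (including /var/log/secure) over the network unencrypted, and the receiver on 0.0.0.0 accepts traces on every interface. The check below is an added example, not part of the original guide; the function name, finding labels and sample excerpt are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: lint an Alloy config for
# settings that matter once endpoints stop being localhost.
# audit_alloy_config [FILE]  ->  "<line> <finding>" per hit (stdin if no FILE)
audit_alloy_config() {
  awk '
    /^[ \t]*\/\// { next }                       # ignore comment lines
    # listener bound to every interface: "0.0.0.0:PORT", "[::]:PORT", ":PORT"
    /endpoint[ \t]*=[ \t]*"(0\.0\.0\.0|\[::\])?:[0-9]+"/ { print NR, "wildcard-listen" }
    # exporter TLS switched off: fine on loopback, cleartext anywhere else
    /insecure[ \t]*=[ \t]*true/                  { print NR, "tls-disabled" }
    # push URL over plain HTTP to a host other than this machine
    /url[ \t]*=[ \t]*"http:\/\// &&
      $0 !~ /"http:\/\/(localhost|127\.0\.0\.1|\[::1\])["\/:]/ { print NR, "cleartext-remote" }
  ' "$@"
}

# Constructed excerpt: this guide's config with Loki moved to another host.
sample_config() { cat <<'EOF'
loki.write "default" {
  endpoint {
    url = "http://loki.example.internal:3100/loki/api/v1/push"
  }
}
prometheus.remote_write "default" {
  endpoint {
    url = "http://localhost:9009/api/v1/push"
  }
}
otelcol.receiver.otlp "default" {
  grpc {
    endpoint = "0.0.0.0:4320"
  }
  //  endpoint = "0.0.0.0:4321"   (commented out, must not be reported)
}
otelcol.exporter.otlp "tempo" {
  client {
    endpoint = "localhost:4317"
    tls {
      insecure = true
    }
  }
}
EOF
}
sample_config | audit_alloy_config
```

Run it against the real file with `audit_alloy_config /etc/alloy/config.alloy`; each reported line is a setting to review before the collector talks to anything beyond the local host.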

Configure Alloy Environment File

The systemd service reads environment variables from /etc/sysconfig/alloy. The default settings are fine for most deployments, but you can adjust them if needed:

sudo vi /etc/sysconfig/alloy

The key settings in this file:

## Path:        /etc/alloy
## Description: Grafana Alloy settings
## Type:        string
## Default:     ""
## ServiceRestart: alloy
#
# Command line options for alloy
#
# The configuration file holding the Alloy config.
CONFIG_FILE="/etc/alloy/config.alloy"

# User-defined arguments to pass to the run command.
CUSTOM_ARGS=""

# Restart on system upgrade. Default to true
RESTART_ON_UPGRADE=true

Step 5: Configure Firewall Rules

Alloy exposes its UI on port 12345 and the OTLP receivers on ports 4320 (gRPC) and 4321 (HTTP). Open these ports in firewalld:

sudo firewall-cmd --permanent --add-port=12345/tcp
sudo firewall-cmd --permanent --add-port=4320/tcp
sudo firewall-cmd --permanent --add-port=4321/tcp
sudo firewall-cmd --reload

Verify the ports are open:

sudo firewall-cmd --list-ports

You should see all three ports listed:

4320/tcp 4321/tcp 12345/tcp
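
Opening a port in firewalld only matters if Alloy is bound to a non-loopback address on it. This added example (not from the original guide) cross-checks `ss -tlnp` output against `firewall-cmd --list-ports` and prints, without running them, firewalld commands that limit reachable ports to one source network; the function names, the 192.0.2.0/24 network and the 127.0.0.1:12345 sample line (Alloy's default HTTP listen address) are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide.
# classify_ports "<firewall-cmd --list-ports output>"  < output of: ss -tlnp
# Prints "<port> <state>" for each TCP port opened in firewalld.
classify_ports() {
  awk -v fw="$1" '
    BEGIN {                                   # keep only N/tcp entries, in order
      m = split(fw, f, " ")
      for (i = 1; i <= m; i++) if (sub(/\/tcp$/, "", f[i])) p[++n] = f[i]
    }
    $1 == "LISTEN" && /"alloy"/ {
      addr = $4; port = $4
      sub(/.*:/, "", port)                    # text after the last colon
      sub(/:[0-9]+$/, "", addr)               # text before it
      if (addr !~ /^(127\.|\[::1\]$)/) st[port] = "reachable"
      else if (!(port in st))          st[port] = "loopback-only"
    }
    END {
      for (i = 1; i <= n; i++)
        print p[i], ((p[i] in st) ? st[p[i]] : "not-listening")
    }'
}

# restrict_cmds CIDR  < classify_ports output
# Prints (never runs) commands that drop each open-to-all rule and re-admit
# reachable ports for CIDR only.
restrict_cmds() {
  while read -r port state; do
    echo "firewall-cmd --permanent --remove-port=${port}/tcp"
    if [ "$state" = reachable ]; then
      echo "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\"" \
           "source address=\"$1\" port port=\"${port}\" protocol=\"tcp\" accept'"
    fi
  done
  echo "firewall-cmd --reload"
}

# Constructed sample: the two OTLP sockets shown later in this guide, plus
# Alloy HTTP on its default listen address (assumed unchanged).
sample_ss() { cat <<'EOF'
LISTEN 0 4096         *:4320       *:*  users:(("alloy",pid=12345,fd=10))
LISTEN 0 4096         *:4321       *:*  users:(("alloy",pid=12345,fd=12))
LISTEN 0 4096 127.0.0.1:12345 0.0.0.0:*  users:(("alloy",pid=12345,fd=8))
EOF
}
sample_ss | classify_ports "4320/tcp 4321/tcp 12345/tcp" | restrict_cmds 192.0.2.0/24
```

With the default listen address, the 12345/tcp rule has no effect until `--server.http.listen-addr` is changed, for example through CUSTOM_ARGS in /etc/sysconfig/alloy.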

Step 6: Start and Enable Alloy

Start the Alloy service and enable it to start on boot:

sudo systemctl enable --now alloy

Check that the service is running:

sudo systemctl status alloy

The service should show active (running):

● alloy.service - Grafana Alloy
     Loaded: loaded (/usr/lib/systemd/system/alloy.service; enabled; preset: disabled)
     Active: active (running) since Mon 2026-03-24 10:15:32 UTC; 5s ago
       Docs: https://grafana.com/docs/alloy/
   Main PID: 12345 (alloy)
      Tasks: 8 (limit: 23102)
     Memory: 45.2M
        CPU: 1.234s
     CGroup: /system.slice/alloy.service
             └─12345 /usr/bin/alloy run --storage.path=/var/lib/alloy/data /etc/alloy/config.alloy

Step 7: Verify the Alloy UI

Alloy provides a built-in web UI for inspecting its pipeline components. Open your browser and navigate to:

http://your-server-ip:12345

The UI shows a live graph of all configured components and their health status. You can click on individual components to inspect their targets, metrics, and any errors.

You can also check the configuration syntax from the command line:

alloy fmt /etc/alloy/config.alloy

This command parses the config and prints the formatted result to stdout. Syntax errors are printed to stderr; fmt does not check whether the components themselves are configured correctly.

Step 8: Verify Data Flow

Check that Alloy is scraping system metrics by querying its internal metrics endpoint:

curl -s http://localhost:12345/metrics | grep alloy_component_controller_running_components

This returns the number of running pipeline components:

alloy_component_controller_running_components{health_type="healthy"} 8

To verify log collection is working, check the Alloy logs for any errors:

sudo journalctl -u alloy --no-pager -n 20

Healthy output shows component initialization without error lines. If you see permission denied errors for log files, double-check the group memberships from Step 3.

Troubleshooting

Permission denied reading /var/log/messages or /var/log/secure

This happens when the alloy user is not in the adm group or the group change has not taken effect. After adding group membership, restart the service:

sudo usermod -aG adm alloy
sudo systemctl restart alloy

If SELinux is blocking access, check the audit log:

sudo ausearch -m avc -ts recent | grep alloy

Journal logs not appearing in Loki

Confirm the alloy user is in the systemd-journal group. Also check that the Loki endpoint is reachable:

curl -s http://localhost:3100/ready

If Loki is not ready, Alloy will buffer and retry, but extended downtime causes log loss.

OTLP receiver not accepting traces

Verify the OTLP ports are listening:

sudo ss -tlnp | grep -E '4320|4321'

Both ports should show alloy listening:

LISTEN 0      4096         *:4320       *:*    users:(("alloy",pid=12345,fd=10))
LISTEN 0      4096         *:4321       *:*    users:(("alloy",pid=12345,fd=12))

If the ports are not listening, check the Alloy logs for binding errors. A common cause is another process already using the port.

Alloy crashes on startup

Check the journal for the full error:

sudo journalctl -u alloy --no-pager -n 50

The most common cause is a syntax error in /etc/alloy/config.alloy. Validate the config before restarting:

alloy fmt /etc/alloy/config.alloy

Conclusion

Grafana Alloy is now running on Rocky Linux 10 / AlmaLinux 10, collecting system metrics via prometheus.exporter.unix, reading journal and file logs, and accepting OTLP traces. The next step is setting up the backend services – Loki for logs, Mimir for metrics, and Tempo for traces – so Alloy has somewhere to send the collected data.
