Hi,
I would like to secure the connection between an rsyslog server and Grafana Alloy (specifically the loki.source.syslog listener) via TLS and whitelisting of specific clients.
In rsyslog, this is possible by configuring mTLS and using the PermittedPeer/StreamDriverPermittedPeers options to limit access to specific peers. For example, on the server:
    global(
        DefaultNetstreamDriver="gtls"
        DefaultNetstreamDriverCAFile="/path/to/client_ca.crt"
        DefaultNetstreamDriverCertFile="/path/to/server.crt"
        DefaultNetstreamDriverKeyFile="/path/to/server.key"
    )
    input(
        type="imtcp"
        port="6514"
        name="syslog_input"
        StreamDriver.Name="gtls"
        StreamDriver.Mode="1"
        StreamDriver.AuthMode="x509/name"
        PermittedPeer=["some-client.lan"]
    )
Alloy provides TLS as well: loki.source.syslog | Grafana Alloy documentation.
It seems I can use mTLS via key_file/cert_file to allow peers to verify the Alloy machine's certificate, and ca_file to allow the Alloy machine to verify the peer certificate.
So, this is roughly what I have:
    loki.source.syslog "syslog" {
        listener {
            address  = "0.0.0.0:6514"
            protocol = "tcp"
            labels   = { component = "loki.source.syslog", protocol = "tcp" }
            tls {
                cert_file   = "/etc/alloy/tls/server.crt"
                key_file    = "/etc/alloy/tls/server.key"
                ca_file     = "/etc/alloy/tls/client_ca.crt"
                client_auth = "RequireAndVerifyClientCert"
            }
        }
        forward_to    = [loki.write.grafana_loki.receiver]
        relabel_rules = loki.relabel.remote.rules
    }
But how do I grant only specific clients permission to connect to Alloy (in other words, what is the equivalent of PermittedPeer)? Is this possible with Alloy?
Kind regards
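To make the gap in the question concrete, here is an added Go example (not from the post author, and not Alloy or rsyslog code) of the two checks rsyslog's AuthMode="x509/name" performs: chain verification against the client CA, which is what ca_file plus client_auth = "RequireAndVerifyClientCert" gives, followed by the PermittedPeer name allowlist. It mints a throwaway client CA and two client certificates in memory; the names some-client.lan and other-client.lan are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mintCert issues an in-memory test certificate for name. With parent == nil it
// returns a self-signed CA, otherwise a client-auth leaf signed by parent.
func mintCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	signer := key
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// permittedPeer: step 1 is what RequireAndVerifyClientCert does (chain must
// verify to the client CA); step 2 is the PermittedPeer check (leaf CN or DNS
// SAN must be on the allowlist). A CA-only check accepts every cert the CA issued.
func permittedPeer(leaf *x509.Certificate, roots *x509.CertPool, allowed []string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain verification failed: %w", err)
	}
	for _, n := range append([]string{leaf.Subject.CommonName}, leaf.DNSNames...) {
		for _, a := range allowed {
			if n == a {
				return nil
			}
		}
	}
	return fmt.Errorf("peer %q signed by trusted CA but not in PermittedPeer list", leaf.Subject.CommonName)
}

// demo: both clients hold certificates from the same client CA; only the
// allowlisted one passes. Returns (error for some-client.lan, error for other-client.lan).
func demo() (error, error) {
	ca, caKey := mintCert("client-ca", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	good, _ := mintCert("some-client.lan", ca, caKey)
	other, _ := mintCert("other-client.lan", ca, caKey)
	allowed := []string{"some-client.lan"}
	return permittedPeer(good, roots, allowed), permittedPeer(other, roots, allowed)
}

func main() {
	a, r := demo()
	fmt.Println("some-client.lan:", a, "| other-client.lan:", r)
}
```

If the listener only offers the CA check, the practical equivalent is a dedicated client CA that issues certificates to nothing but the permitted senders, so that "signed by the CA" and "on the allowlist" coincide.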