Rsyslog -> alloy -> loki

Grafana Alloy
1

I have several on prem hosts running rsyslog on ubuntu24 that are sending logs to alloy/loki/grafana on an ec2 instance. I can’t figure out how to get alloy/loki to find the hostname sending the log data. The logs are being received. I can see them coming in from grafana. Further I can see them leaving the on prem host(s) using tcpdump and I can see them arriving using tcpdump on the ec2 instance.

The rule I’m using to send them is in /etc/rsyslog.d/10-remotelog.conf:

action(
type=“omfwd”
target=“``loki.zainar.net``”
port=“50514”
protocol=“tcp”
Template=“RSYSLOG_SyslogProtocol23Format”
queue.type=“linkedList”
)

tcpdump on the onprem client send looks like:
16:44:32.104248 IP onprem1.example.com.39764 > ec2.example.com.50514: Flags [P.], seq 1:141, ack 0, win 502, options [nop,nop,TS val 3916655779 ecr 1918703091], length 140
E…@.@..N…4..J.T.R.8.->…
.sl.r]..<86>1 2025-08-31T23:44:32.037696+00:00 onprem1 sudo - - - pam_unix(sudo:session): session opened for user root(uid=0) by kjolley(uid=11002)

I verified with tcpdump on the ec2 server side this is the same, as expected. The only difference, as mentioned, is the incoming IP address is the IP address assigned by our ISP. When I query loki from grafana I can’t see which host is sending this. The ip address connecting to alloy is a single ip address for all of our on prem hosts, I need to figure out how to show that the log entry came from “onprem1”.

An example entry in grafana/loki looks like:
2025-08-31 16:47:34.994 [drm:qxl_alloc_bo_reserved [qxl]] ERROR failed to allocate VRAM BO
Fields:
component: loki.source.syslog
detected_level: error
protocol: tcp
service_name: loki.source.syslog

My alloy.config file look like:

config.alloy:

livedebugging {
enabled = true
}

// Listen for syslog messages:
loki.source.syslog “local” {
listener {
address = “0.0.0.0:50514”
labels = {
component = “loki.source.syslog”,
protocol = “tcp”
}
}

listener {
address = “0.0.0.0:50514”
protocol = “udp”
labels = {
component = “loki.source.syslog”,
protocol = “udp”
}
}
forward_to = [loki.write.local.receiver]
}

loki.write “local” {
endpoint {
url = “``http://loki:3100/loki/api/v1/push”
}
}

Any advice how to recover the metadata (hostname) that alloy seems to be dropping? And, bonus, how to add other metadata, such as, let’s say, processor type?