Migrate from Grafana Loki

Easy 4-6 hours

Migrate from Grafana Loki to LogWard for built-in alerting, SIEM capabilities, and richer full-text search without needing separate tools for visualization and alerting.

Why Migrate from Loki?

Built-in Alerting

Loki requires Prometheus AlertManager or Grafana Alerting for alerts. LogWard has native alert rules with email/webhook support.

True Full-text Search

Loki uses label-based indexing with limited search. LogWard indexes log content for fast full-text search.

All-in-One Solution

No need for Grafana, Prometheus, or AlertManager. LogWard includes UI, alerting, and SIEM in one package.

Security Detection

Loki is pure log aggregation. LogWard includes Sigma rules, incident management, and MITRE ATT&CK mapping.

Feature Comparison

Feature	Grafana Loki	LogWard
Log Ingestion	Promtail, Fluent Bit	HTTP API, SDKs, OTLP
Query Language	LogQL	REST API + Full-text
Full-text Search	Limited (regex only)	Indexed
Indexing Strategy	Labels only	Labels + Content
Built-in Alerting	Requires Grafana	Native
Built-in UI	Requires Grafana	Included
Sigma Rules	No	Built-in
Incident Management	No	Built-in
OpenTelemetry	Yes	Native OTLP
Real-time Streaming	Tail queries	SSE
Pricing	Open-source	Open-source

Step 1: Deploy LogWard

See the Deployment Guide for full instructions:

bash

# Clone LogWard
git clone https://github.com/logward-dev/logward.git
cd logward/docker

# Configure
cp .env.example .env
# Edit .env with your settings

# Start
docker compose up -d

# Verify
curl http://localhost:8080/health

Create your organization and project via the UI, then generate an API key.

Step 2: Replace Promtail with Fluent Bit

Promtail is Loki's log shipper. Replace it with Fluent Bit to send logs to LogWard:

Before (Promtail)

yaml

# promtail-config.yaml
server:
  http_listen_port: 9080

positions:
  filename: /tmp/positions.yaml

clients:
  - url: http://loki:3100/loki/api/v1/push

scrape_configs:
  - job_name: app
    static_configs:
      - targets:
          - localhost
        labels:
          job: app
          __path__: /var/log/app/*.log

After (Fluent Bit)

ini

# fluent-bit.conf
[SERVICE]
    Flush        1
    Log_Level    info

[INPUT]
    Name         tail
    Path         /var/log/app/*.log
    Tag          app

[OUTPUT]
    Name         http
    Match        *
    Host         logward.internal
    Port         8080
    URI          /api/v1/ingest
    Format       json
    Header       X-API-Key lp_xxx

Docker Compose Example

yaml

# docker-compose.yml
services:
  fluent-bit:
    image: fluent/fluent-bit:latest
    volumes:
      - ./fluent-bit.conf:/fluent-bit/etc/fluent-bit.conf
      - /var/log:/var/log:ro
    environment:
      - LOGWARD_API_KEY=lp_your_api_key
    depends_on:
      - logward

Step 3: Query Migration (LogQL to LogWard)

LogQL queries translate to LogWard REST API parameters:

LogQL	LogWard API
`{job="api"}`	GET /api/v1/logs?service=api
`{job="api"} \|= "error"`	GET /api/v1/logs?service=api&level=error
`{job="api"} \|~ "timeout\|connection"`	GET /api/v1/logs?service=api&q=timeout
`{job="api"} \| json`	Auto (metadata is JSON)
`count_over_time({job="api"}[5m])`	GET /api/v1/logs/aggregated?interval=5m

Key Difference: Full-text Search

Loki requires regex patterns (|~) to search log content because it doesn't index log bodies. LogWard indexes everything, so you can search any text with the q parameter without regex overhead.

Step 4: Create Alert Rules

Loki alerting requires Grafana or Prometheus AlertManager. LogWard has native alerts:

Loki (via Grafana)

yaml

# Grafana alert rule
groups:
  - name: app-alerts
    rules:
      - alert: HighErrorRate
        expr: |
          sum(rate({job="api"}
            |= "error" [5m])) > 10
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: High error rate

LogWard Alert Rule

json

{
  "name": "High Error Rate",
  "enabled": true,
  "service": "api",
  "level": ["error"],
  "threshold": 50,
  "timeWindow": 5,
  "emailRecipients": [
    "team@example.com"
  ],
  "webhookUrl": "https://hooks.slack.com/..."
}

Create alerts via the LogWard UI at /dashboard/alerts or via the API.

Step 5: Enable SIEM Features

LogWard includes SIEM capabilities that Loki doesn't have:

Security Features in LogWard

Sigma Rules: Import threat detection rules from SigmaHQ
Incident Management: Track, assign, and resolve security incidents
MITRE ATT&CK: Map detections to attack techniques
SIEM Dashboard: Security-focused visualizations

Access the SIEM dashboard at /dashboard/security.

Concept Mapping

Loki Term	LogWard Equivalent	Notes
Tenant	Organization / Project	Multi-tenancy via projects
Labels	service + metadata	service is indexed, extra fields in metadata
Stream	Service	One label set = one service
Promtail	Fluent Bit / SDK	Use Fluent Bit or application SDK
LogQL	REST API params	Simpler query syntax
Grafana	LogWard UI	Built-in web interface
Grafana Alerting	Alert Rules	Native alerting, no external tools
N/A	Sigma Rules + SIEM	LogWard exclusive

Common Issues

High cardinality labels

Loki has strict label cardinality limits. LogWard is more flexible - use the service field for core identity and put variable data in metadata JSON (not indexed, no cardinality issues).

Missing Grafana dashboards

LogWard doesn't have Grafana-style custom dashboards yet. Use the SIEM dashboard for security metrics. For custom visualizations, you can query the LogWard API from external tools.

Log parsing differences

Loki uses pipeline stages (| json, | logfmt). LogWard expects JSON logs - structure your logs in your application or use Fluent Bit parsers before sending.

Next Steps

API Reference

OpenTelemetry Integration

SDK Documentation