This is documentation for the next version of Agent. For the latest stable release, go to the latest version.

Open source


loki.source.kubernetes_events tails events from the Kubernetes API and converts them into log lines to forward to other loki components.

Multiple loki.source.kubernetes_events components can be specified by giving them different labels.


loki.source.kubernetes_events "LABEL" {
  forward_to = RECEIVER_LIST


The component starts a new reader for each of the given targets and fans out log entries to the list of receivers passed in forward_to.

loki.source.kubernetes_events supports the following arguments:

job_namestringValue to use for job label for generated logs."loki.source.kubernetes_events"no
log_formatstringFormat of the log."logfmt"no
namespaceslist(string)Namespaces to watch for Events in.[]no
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes

By default, loki.source.kubernetes_events will watch for events in all namespaces. A list of explicit namespaces to watch can be provided in the namespaces argument.

By default, the generated log lines will be in the logfmt format. Use the log_format argument to change it to json. These formats are also names of LogQL parsers, which can be used for processing the logs.

NOTE: When watching all namespaces, Grafana Agent Flow must have permissions to watch events at the cluster scope (such as using a ClusterRoleBinding). If an explicit list of namespaces is provided, Grafana Agent Flow only needs permissions to watch events for those namespaces.

Log lines generated by loki.source.kubernetes_events have the following labels:

  • namespace: Namespace of the Kubernetes object involved in the event.
  • job: Value specified by the job_name argument.
  • instance: Value matching the component ID.

If job_name argument is the empty string, the component will fail to load. To remove the job label, forward the output of loki.source.kubernetes_events to a loki.relabel component.

For compatibility with the eventhandler integration from static mode, job_name can be set to "integrations/kubernetes/eventhandler".


The following blocks are supported inside the definition of loki.source.kubernetes_events:

clientclientConfigures Kubernetes client used to tail
client > basic_authbasic_authConfigure basic_auth for authenticating to the
client > authorizationauthorizationConfigure generic authorization to the
client > oauth2oauth2Configure OAuth2 for authenticating to the
client > oauth2 > tls_configtls_configConfigure TLS settings for connecting to the
client > tls_configtls_configConfigure TLS settings for connecting to the

The > symbol indicates deeper levels of nesting. For example, client > basic_auth refers to a basic_auth block defined inside a client block.

client block

The client block configures the Kubernetes client used to tail logs from containers. If the client block isn’t provided, the default in-cluster configuration with the service account of the running Grafana Agent pod is used.

The following arguments are supported:

api_serverstringURL of the Kubernetes API
kubeconfig_filestringPath of the kubeconfig file to use for connecting to
bearer_tokensecretBearer token to authenticate
bearer_token_filestringFile containing a bearer token to authenticate
proxy_urlstringHTTP proxy to proxy requests
follow_redirectsboolWhether redirects returned by the server should be followed.trueno
enable_http2boolWhether HTTP2 is supported for requests.trueno

At most one of the following can be provided:

basic_auth block

password_filestringFile containing the basic auth
passwordsecretBasic auth
usernamestringBasic auth

password and password_file are mutually exclusive, and only one can be provided inside a basic_auth block.

authorization block

credentials_filestringFile containing the secret
typestringAuthorization type, for example, “Bearer”.no

credential and credentials_file are mutually exclusive, and only one can be provided inside an authorization block.

oauth2 block

client_idstringOAuth2 client
client_secret_filestringFile containing the OAuth2 client
client_secretsecretOAuth2 client
endpoint_paramsmap(string)Optional parameters to append to the token
proxy_urlstringOptional proxy URL for OAuth2
scopeslist(string)List of scopes to authenticate
token_urlstringURL to fetch the token

client_secret and client_secret_file are mutually exclusive, and only one can be provided inside an oauth2 block.

The oauth2 block may also contain a separate tls_config sub-block.

tls_config block

ca_pemstringCA PEM-encoded text to validate the server
ca_filestringCA certificate to validate the server
cert_pemstringCertificate PEM-encoded text for client
cert_filestringCertificate file for client
insecure_skip_verifyboolDisables validation of the server
key_filestringKey file for client
key_pemsecretKey PEM-encoded text for client
min_versionstringMinimum acceptable TLS
server_namestringServerName extension to indicate the name of the

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

  • ca_pem and ca_file
  • cert_pem and cert_file
  • key_pem and key_file

When configuring client authentication, both the client certificate (using cert_pem or cert_file) and the client key (using key_pem or key_file) must be provided.

When min_version is not provided, the minimum acceptable TLS version is inherited from Go’s default minimum version, TLS 1.2. If min_version is provided, it must be set to one of the following strings:

  • "TLS10" (TLS 1.0)
  • "TLS11" (TLS 1.1)
  • "TLS12" (TLS 1.2)
  • "TLS13" (TLS 1.3)

Exported fields

loki.source.kubernetes_events does not export any fields.

Component health

loki.source.kubernetes_events is only reported as unhealthy if given an invalid configuration.

Debug information

loki.source.kubernetes_events exposes the most recently read timestamp for events in each watched namespace.

Debug metrics

loki.source.kubernetes_events does not expose any component-specific debug metrics.


This example collects watches events in the kube-system namespace and forwards them to a loki.write component so they are written to Loki.

loki.source.kubernetes_events "example" {
  // Only watch for events in the kube-system namespace.
  namespaces = ["kube-system"]

  forward_to = [loki.write.local.receiver]

loki.write "local" {
  endpoint {
    url = env("LOKI_URL")