Menu

Caution

Grafana Alloy is the new name for our distribution of the OTel collector. Grafana Agent has been deprecated and is in Long-Term Support (LTS) through October 31, 2025. Grafana Agent will reach an End-of-Life (EOL) on November 1, 2025. Read more about why we recommend migrating to Grafana Alloy.

Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.

Open source

loki.source.windowsevent

loki.source.windowsevent reads events from Windows Event Logs and forwards them to other loki.* components.

Multiple loki.source.windowsevent components can be specified by giving them different labels.

Usage

river
loki.source.windowsevent "LABEL" {
  eventlog_name = EVENTLOG_NAME
  forward_to    = RECEIVER_LIST
}

Arguments

The component starts a new reader and fans out log entries to the list of receivers passed in forward_to.

loki.source.windowsevent supports the following arguments:

NameTypeDescriptionDefaultRequired
localenumberLocale ID for event rendering. 0 default is Windows Locale.0no
eventlog_namestringEvent log to read from.See below.
xpath_querystringEvent log to read from."*"See below.
bookmark_pathstringKeeps position in event log."DATA_PATH/bookmark.xml"no
poll_intervaldurationHow often to poll the event log."3s"no
exclude_event_databoolExclude event data.falseno
exclude_user_databoolExclude user data.falseno
use_incoming_timestampboolWhen false, assigns the current timestamp to the log when it was processed.falseno
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes

NOTE: eventlog_name is required if xpath_query does not specify the event log. You can define xpath_query in short or xml form. When using the XML form you can specify event_log in the xpath_query. If using short form, you must define eventlog_name.

Component health

loki.source.windowsevent is only reported as unhealthy if given an invalid configuration.

Example

This example collects log entries from the Event Log specified in eventlog_name and forwards them to a loki.write component so they are written to Loki.

river
loki.source.windowsevent "application"  {
    eventlog_name = "Application"
    forward_to = [loki.write.endpoint.receiver]
}

loki.write "endpoint" {
    endpoint {
        url ="loki:3100/api/v1/push"
    }
}