Caution

Grafana Agent has reached End-of-Life (EOL) on November 1, 2025. Agent is no longer receiving vendor support and will no longer receive security or bug fixes. Current users of Agent Static mode, Agent Flow mode, and Agent Operator should proceed with migrating to Grafana Alloy. If you have already migrated to Alloy, no further action is required. Read more about why we recommend migrating to Grafana Alloy.

Documentationbreadcrumb arrow Grafana Agentbreadcrumb arrow Flow modebreadcrumb arrow Referencebreadcrumb arrow Components referencebreadcrumb arrow loki.source.windowsevent
Open source

loki.source.windowsevent

loki.source.windowsevent reads events from Windows Event Logs and forwards them to other loki.* components.

Multiple loki.source.windowsevent components can be specified by giving them different labels.

Usage

Alloy 
loki.source.windowsevent "LABEL" {
  eventlog_name = EVENTLOG_NAME
  forward_to    = RECEIVER_LIST
}

Arguments

The component starts a new reader and fans out log entries to the list of receivers passed in forward_to.

loki.source.windowsevent supports the following arguments:

NameTypeDescriptionDefaultRequired
localenumberLocale ID for event rendering. 0 default is Windows Locale.0no
eventlog_namestringEvent log to read from.See below.
xpath_querystringEvent log to read from."*"See below.
bookmark_pathstringKeeps position in event log."DATA_PATH/bookmark.xml"no
poll_intervaldurationHow often to poll the event log."3s"no
exclude_event_databoolExclude event data.falseno
exclude_user_databoolExclude user data.falseno
exclude_event_messageboolExclude the human-friendly event message.falseno
use_incoming_timestampboolWhen false, assigns the current timestamp to the log when it was processed.falseno
forward_tolist(LogsReceiver)List of receivers to send log entries to.yes
labelsmap(string)The labels to associate with incoming logs.no
legacy_bookmark_pathstringThe location of the Grafana Agent Static bookmark path.``no

NOTE: eventlog_name is required if xpath_query does not specify the event log. You can define xpath_query in short or xml form. When using the XML form you can specify event_log in the xpath_query. If using short form, you must define eventlog_name.

Note

legacy_bookmark_path is used to convert the Grafana Agent Static to a Grafana Agent Flow bookmark, if bookmark_path does not exist.

Component health

loki.source.windowsevent is only reported as unhealthy if given an invalid configuration.

Example

This example collects log entries from the Event Log specified in eventlog_name and forwards them to a loki.write component so they are written to Loki.

Alloy 
loki.source.windowsevent "application"  {
    eventlog_name = "Application"
    forward_to = [loki.write.endpoint.receiver]
}

loki.write "endpoint" {
    endpoint {
        url ="loki:3100/api/v1/push"
    }
}

Compatible components

loki.source.windowsevent can accept arguments from the following components:

Note

Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.