Access and permissions for Grafana Alloy on Windows

Alloy requires read access to Windows Event Logs, performance counters, application log files, and credentials for observability backends. The Windows installer registers the Alloy service to run as LOCAL SYSTEM. Set the service account, security group membership, and filesystem permissions to match the components in your configuration.

Run as a dedicated service account

Create a dedicated Windows service account and assign it to the Alloy service.

Required user rights

The service account needs the Log on as a service user right. Windows requires this right for any account that runs a service.

Assign the right in the Local Security Policy editor at secpol.msc under Security Settings > Local Policies > User Rights Assignment.

Assign the service account

Stop the service, assign the account, and start the service again.

Run these commands in an elevated Command Prompt or PowerShell session:

Command Prompt (cmd):

sc stop Alloy
sc config Alloy obj= "DOMAIN\username" password= "password"
sc start Alloy

PowerShell:

Stop-Service Alloy
sc.exe config Alloy obj= "DOMAIN\username" password= "password"
Start-Service Alloy

Replace DOMAIN\username and password with the service account credentials. For a local account, use COMPUTERNAME\username or .\username.

You can also open Services (services.msc), open Grafana Alloy properties, select the Log On tab, and choose This account.

If you haven’t installed Alloy yet, you can set the service account during a silent install with /USERNAME and /PASSWORD. Refer to Install Alloy on Windows for those options.

Windows security groups

Add the service account to Windows security groups based on what you collect:

  • Event Log Readers: Read Application, System, Security, and custom event logs. Required for Windows Event Log collection.

  • Performance Monitor Users: Read performance counter data for CPU, memory, disk I/O, and network usage. Required for Windows performance metrics.

  • Performance Log Users: Manage Data Collector Sets and performance counter logs. Required for advanced or historical data collection.

File system and network permissions

Grant read, write, and modify permissions on %PROGRAMDATA%\GrafanaLabs\Alloy\data, where Alloy stores its write-ahead log and runtime data.

If Alloy reads application log files from disk, grant the service account read access to those files and their parent directories through Access Control Lists or a custom group.

Alloy needs outbound network access to its telemetry endpoints, for example Prometheus remote write, Loki, and OTLP. Allow outbound connections from the host on the ports your configuration uses.

The service account may need read access to HKEY_LOCAL_MACHINE\SOFTWARE\GrafanaLabs\Alloy to read environment variables and command-line arguments. Refer to Registry key security and access rights for details.

If you enable the Alloy UI, the service account needs permission to listen on the configured port. The default port is 12345.

Some components write temporary files in the system temp directories. If you use the process or service collectors in the integrated Windows Exporter, the service account also needs permission to enumerate processes and services.
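The group memberships and filesystem grants described above can be applied and checked in one pass. The following PowerShell is an added example, not part of the Alloy documentation; the account name svc-alloy and the log directory C:\Logs\MyApp are assumptions. It doesn't assign the Log on as a service right, which is set through secpol.msc as described earlier.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumed names: svc-alloy account, C:\Logs\MyApp log directory.
$Account = "$env:COMPUTERNAME\svc-alloy"   # hypothetical local service account
$DataDir = Join-Path $env:ProgramData 'GrafanaLabs\Alloy\data'
$LogDir  = 'C:\Logs\MyApp'                 # hypothetical application log directory
# List only the groups your components need (names as given on this page).
$Groups  = 'Event Log Readers', 'Performance Monitor Users'

# True when $Account is already a member of the named local group.
function Test-Member($Group) {
    [bool](Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Where-Object Name -eq $Account)
}

foreach ($g in $Groups) {
    if (-not (Test-Member $g)) { Add-LocalGroupMember -Group $g -Member $Account }
}

# Modify on the data directory (write-ahead log, runtime data); read-only on logs.
# (OI)(CI) makes each entry inherit to files and subdirectories.
icacls $DataDir /grant "${Account}:(OI)(CI)M" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $DataDir" }
icacls $LogDir /grant "${Account}:(OI)(CI)R" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $LogDir" }

# Verify the result: service identity, unwanted admin membership, effective grants.
$svc = Get-CimInstance Win32_Service -Filter "Name='Alloy'"
if ($svc.StartName -eq 'LocalSystem') {
    Write-Warning 'Alloy still runs as LocalSystem; assign the service account.'
}
# S-1-5-32-544 is the built-in Administrators group, independent of display language.
$isAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object Name -eq $Account)
if ($isAdmin) {
    Write-Warning "$Account is a local administrator; the scoped grants add nothing."
}

# Summary object for review or for logging from a deployment pipeline.
[pscustomobject]@{
    ServiceLogon  = $svc.StartName
    Groups        = ($Groups | Where-Object { Test-Member $_ }) -join ', '
    IsLocalAdmin  = $isAdmin
    DataDirRights = ((Get-Acl $DataDir).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account }).FileSystemRights -join '; '
}
```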

Restrict the HTTP server

By default, Alloy binds its HTTP server to 127.0.0.1:12345. Expose the endpoint only when you need remote access to the UI or metrics, and add authentication or TLS when you do. Refer to the http block for configuration options.

Next steps