General availability (GA) Open source

loki.source.windowsevent

loki.source.windowsevent reads events from Windows Event Logs and forwards them to other loki.* components.

You can specify multiple loki.source.windowsevent components by giving them different labels.

Usage

alloy
loki.source.windowsevent "<LABEL>" {
  eventlog_name = "<EVENTLOG_NAME>"
  forward_to    = <RECEIVER_LIST>
}

Arguments

The component starts a reader and fans out log entries to the list of receivers passed in forward_to.

You can use the following arguments with loki.source.windowsevent:

| Name | Type | Description | Default | Required |
| --- | --- | --- | --- | --- |
| forward_to | list(LogsReceiver) | List of receivers to send log entries to. | | yes |
| eventlog_name | string | Event log to read from. | | See below |
| xpath_query | string | XPath query to select events. | "*" | See below |
| bookmark_path | string | Keeps position in event log. | "DATA_PATH/bookmark.xml" | no |
| exclude_event_data | bool | Exclude event data. | false | no |
| exclude_event_message | bool | Exclude the human-friendly event message. | false | no |
| exclude_user_data | bool | Exclude user data. | false | no |
| labels | map(string) | The labels to associate with incoming logs. | {} | no |
| locale | number | Locale ID for event rendering. The default, 0, uses the Windows locale. | 0 | no |
| poll_interval | duration | How often to poll the event log. | "3s" | no |
| use_incoming_timestamp | bool | When false, assigns the current timestamp to the log. | false | no |

Note

eventlog_name is required if xpath_query doesn’t specify the event log. You can define xpath_query in short or XML form. When you use the XML form you can specify event_log in the xpath_query. If you use the short form, you must define eventlog_name.

Note

legacy_bookmark_path converts the legacy Grafana Agent Static bookmark to an Alloy bookmark, if bookmark_path doesn’t exist.

Blocks

The loki.source.windowsevent component doesn’t support any blocks. You can configure this component with arguments.

Component health

loki.source.windowsevent is only reported as unhealthy if given an invalid configuration.

Example

This example collects log entries from the Event Log specified in eventlog_name and forwards them to a loki.write component.

alloy
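// Read the Application event log and send every entry to the writer below.
loki.source.windowsevent "application" {
    eventlog_name = "Application"
    forward_to    = [loki.write.endpoint.receiver]
}

// Push the collected entries to Loki.
loki.write "endpoint" {
    endpoint {
        // A full URL with a scheme, pointing at Loki's push API path.
        url = "http://loki:3100/loki/api/v1/push"
    }
}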
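The following configuration is an added example, not part of the original documentation. It shows the two xpath_query forms described in the Arguments note, using two differently labelled components that read the Security log for failed logons (event ID 4625) and audit log clearing (event ID 1102). The component labels, the label values, and the loki.example.internal host are assumptions chosen for illustration.

```alloy
// Short form: the query names no event log, so eventlog_name is required.
loki.source.windowsevent "failed_logons" {
    eventlog_name          = "Security"
    xpath_query            = "*[System[(EventID=4625)]]"

    // Keep the timestamp recorded in the event instead of the collection
    // time, so timelines built from these logs reflect when the event occurred.
    use_incoming_timestamp = true

    labels     = { job = "windows_security", detection = "failed_logon" }
    forward_to = [loki.write.siem.receiver]
}

// XML form: the event log is named inside the query (Path='Security'),
// so eventlog_name is omitted. Single quotes keep the XML attributes
// valid inside the double-quoted Alloy string.
loki.source.windowsevent "audit_log_cleared" {
    xpath_query            = "<QueryList><Query Id='0'><Select Path='Security'>*[System[(EventID=1102)]]</Select></Query></QueryList>"
    use_incoming_timestamp = true

    labels     = { job = "windows_security", detection = "audit_log_cleared" }
    forward_to = [loki.write.siem.receiver]
}

// Assumed Loki endpoint; replace the host with your own.
loki.write "siem" {
    endpoint {
        url = "http://loki.example.internal:3100/loki/api/v1/push"
    }
}
```

Reading the Security log requires the Alloy service account to have permission to read that log. Because bookmark_path is left unset here, each component uses the default bookmark location shown in the Arguments table.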

Compatible components

loki.source.windowsevent can accept arguments from the following components:

Note

Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.