Caution
Grafana Alloy is the new name for our distribution of the OTel collector. Grafana Agent has been deprecated and is in Long-Term Support (LTS) through October 31, 2025. Grafana Agent will reach an End-of-Life (EOL) on November 1, 2025. Read more about why we recommend migrating to Grafana Alloy.
Important: This documentation is about an older version. It's relevant only to the release noted, many of the features and functions have been updated or replaced. Please view the current version.
loki.source.windowsevent
loki.source.windowsevent
reads events from Windows Event Logs and forwards them to other
loki.*
components.
Multiple loki.source.windowsevent
components can be specified by giving them
different labels.
Usage
loki.source.windowsevent "LABEL" {
eventlog_name = EVENTLOG_NAME
forward_to = RECEIVER_LIST
}
Arguments
The component starts a new reader and fans out
log entries to the list of receivers passed in forward_to
.
loki.source.windowsevent
supports the following arguments:
Name | Type | Description | Default | Required |
---|---|---|---|---|
locale | number | Locale ID for event rendering. 0 default is Windows Locale. | 0 | no |
eventlog_name | string | Event log to read from. | See below. | |
xpath_query | string | Event log to read from. | "*" | See below. |
bookmark_path | string | Keeps position in event log. | "DATA_PATH/bookmark.xml" | no |
poll_interval | duration | How often to poll the event log. | "3s" | no |
exclude_event_data | bool | Exclude event data. | false | no |
exclude_user_data | bool | Exclude user data. | false | no |
user_incoming_timestamp | bool | When false, assigns the current timestamp to the log when it was processed. | false | no |
forward_to | list(LogsReceiver) | List of receivers to send log entries to. | yes |
NOTE:
eventlog_name
is required ifxpath_query
does not specify the event log. You can definexpath_query
in short or xml form. When using the XML form you can specifyevent_log
in thexpath_query
. If using short form, you must defineeventlog_name
.
Component health
loki.source.windowsevent
is only reported as unhealthy if given an invalid
configuration.
Example
This example collects log entries from the Event Log specified in eventlog_name
and
forwards them to a loki.write
component so they are written to Loki.
loki.source.windowsevent "application" {
eventlog_name = "Application"
forward_to = [loki.write.endpoint.receiver]
}
loki.write "endpoint" {
endpoint {
url ="loki:3100/api/v1/push"
}
}