Configuration with multiple IDs

hack3rcon · February 9, 2025, 6:09am

Hello,
I want Alloy to send me Windows Event Log with two Event IDs 4066 and 4057. Where is the problem in the configuration below?

loki.write "local" {
  endpoint {
    url = "http://YOUR_LOKI_SERVER_IP:3100/loki/api/v1/push"
  }
}

loki.relabel "windows_mapping" {
  forward_to = [loki.write.local.receiver]

  rule {
    source_labels = ["computer"]
    target_label  = "agent_hostname"
  }
}

loki.process "parse_eventlog" {
  forward_to = [
    loki.relabel.windows_mapping.receiver,
  ]
  
  # Stage to parse JSON
  stage.json {
    expressions = {
      "source"  = "source",
      "EventID" = "EventID",  # Extract the EventID field
    }
  }

  # Stage to filter events based on EventID
  stage.filter {
    expression = "EventID == 4066 || EventID == 4057"
  }

  # Stage to add labels
  stage.labels {
    values = {
      "source"  = "source",
    }
  }
}

loki.source.windowsevent "system" {
  forward_to = [
    loki.process.parse_eventlog.receiver,
  ]
  eventlog_name = "System"
}

loki.source.windowsevent "application" {
  forward_to = [
    loki.process.parse_eventlog.receiver,
  ]
  eventlog_name = "Application"
}

Thank you.

Topic		Replies	Views
Multiple Event IDs Ask AI	8	27	February 12, 2025
Which Event ID is sent? Grafana Alloy	0	10	February 11, 2025
Grafana Loki, Alloy and Windows Event Log Grafana Loki	0	54	February 9, 2025
Grafana Alloy for sending Windows Event Logs Ask AI	12	148	February 11, 2025
Writing a query to extract Event ID 4663 Grafana Loki	2	19	February 11, 2025

Configuration with multiple IDs

Related topics