Exporting windows logs using Loki

Hi, I’ve been trying to learn Loki/Alloy so I can monitor AD group membership changes, but I am now encountering some weird issues I can’t seem to get my head around.


This label seems to be the only thing that ever shows up, I’m not even sure how to add new filters/services here.
My Alloy successfully sends logs to my Grafana using OTLP but I just can’t seem to filter this thing…
This is my current config.alloy that seems to work and filter ‘Alloy’ events:

// ####################################
// Windows Server Metrics Configuration
// ####################################

prometheus.exporter.windows "default" {
  enabled_collectors = ["cpu","cs","logical_disk","net","os","service","system", "memory", "scheduled_task", "tcp"]
}

// Configure a prometheus.scrape component to collect windows metrics.
prometheus.scrape "example" {
  targets    = prometheus.exporter.windows.default.targets
  forward_to = [otelcol.receiver.prometheus.endpoint.receiver]
}

// ####################################
// Windows Server Logs Configuration
// ####################################

// One loki.source.windowsevent per channel; every source carries the same
// static labels and feeds the same loki.process pipeline below.
loki.source.windowsevent "application"  {
    eventlog_name = "Application"
    use_incoming_timestamp = true
    exclude_event_data = true
    forward_to = [loki.process.windows_eventlog.receiver]
    labels = {
       job = "windows_eventlog",
       instance = constants.hostname,
    }
}

loki.source.windowsevent "security"  {
    eventlog_name = "Security"
    use_incoming_timestamp = true
    forward_to = [loki.process.windows_eventlog.receiver]
    labels = {
       job = "windows_eventlog",
       instance = constants.hostname,
    }
}

loki.source.windowsevent "system"  {
    eventlog_name = "System"
    use_incoming_timestamp = true
    forward_to = [loki.process.windows_eventlog.receiver]
    labels = {
       job = "windows_eventlog",
       instance = constants.hostname,
    }
}

loki.source.windowsevent "setup"  {
    eventlog_name = "Setup"
    use_incoming_timestamp = true
    forward_to = [loki.process.windows_eventlog.receiver]
    labels = {
       job = "windows_eventlog",
       instance = constants.hostname,
    }
}

loki.process "windows_eventlog" {
  // Replace an empty message with a placeholder so later stages always have text to work on.
  stage.template {
      source   = "message"
      template = `{{- $message := .Value -}}
                  {{- if eq $message "" -}}empty_message
                  {{- else if eq $message nil -}}empty_message
                  {{- else -}}{{- $message -}}{{- end -}}`
  }

  // Parse the Windows event message into extracted fields.
  stage.windowsevent {
      source = "message"
      overwrite_existing = true
  }

  // Promote the extracted "channel" field to a Loki label.
  stage.labels {
      values = {
          channel = "",
      }
  }

  // Drop Alloy's own events so the pipeline does not log about itself.
  stage.drop {
      source = "source"
      value  = "Alloy"
      drop_counter_reason = "source_alloy"
  }

  // timeCreated is RFC 3339 with fractional seconds (e.g. 2025-02-27T17:45:00.0000000Z).
  // "format" must be a named layout or a Go reference-time layout, not a sample value;
  // a literal date only ever matches that one string and every other event fails to parse.
  stage.timestamp {
      source      = "timeCreated"
      format      = "RFC3339Nano"
  }

  forward_to = [otelcol.receiver.loki.endpoint.receiver]
}

// Prometheus receiver that converts the scraped metrics into OTLP
otelcol.receiver.prometheus "endpoint" {
  output {
    metrics = [otelcol.exporter.otlphttp.endpoint.input]
  }
}

// Loki receiver that converts the processed log entries into OTLP
otelcol.receiver.loki "endpoint" {
  output {
    logs = [otelcol.exporter.otlphttp.endpoint.input]
  }
}

// OTLP/HTTP exporter that ships both metrics and logs to the collector/Grafana endpoint
otelcol.exporter.otlphttp "endpoint" {
  client {
    endpoint = "http://10.20.31.14:4318"
    tls {
      // Plain HTTP: TLS is disabled entirely, so insecure_skip_verify has no effect here.
      insecure = true
      insecure_skip_verify = true
    }
  }
}

I just want to monitor some specific event IDs and have the ability to label them properly :(

I don’t use Windows, so I can’t tell you exactly what’s wrong. But a couple of suggestions:

  1. In each of your sources you should add one more label to differentiate between the types of event logs, for example:
loki.source.windowsevent "system"  {
    eventlog_name = "System"
    use_incoming_timestamp = true
    forward_to = [loki.process.windows_eventlog.receiver]
    labels = {
       event_type = "System",    // something like this
       job = "windows_eventlog",
       instance = constants.hostname,
    }
}
  2. When troubleshooting, keep your process pipeline simple. Remove everything, and just forward from loki.process to your otelcol.receiver directly, make sure logs are flowing, then start adding things.

Hi Tony, thanks for the reply and help.
I removed everything and it all seems fine.
My main issue is that I want to make custom labels for my Loki but it always puts service_name and unknown_source, I’ve read some documentation and posts about changing it but I can’t seem to figure it out.
Everything seems to talk about linux systems which is not the case here…

service_name is a required label (for compatibility with OpenTelemetry). You can either set one yourself, or set an app label (Loki will use the app label to populate service_name); otherwise it’s set to unknown.
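Putting the two threads together (the original goal of keeping only specific Security event IDs with proper labels, and the answer above about setting service_name yourself), here is an added Alloy configuration written for this page; it is not the poster's config and not Grafana's documentation. It assumes the JSON field names that loki.source.windowsevent emits (event_id, channel, source, timeCreated, the same names the original config relies on), that the otelcol.receiver.loki "endpoint" component from the thread exists unchanged, and that a service_name label set at the source survives the OTLP hop as the answer describes. The event IDs are the standard Windows Security audit IDs for membership changes in security-enabled groups; the pipeline goes beyond the thread by dropping everything else at the agent rather than filtering in Grafana.

```alloy
// Security channel only: a domain controller logs group-membership changes there.
// Constructed example for this thread, not the original poster's config.
loki.source.windowsevent "security" {
  eventlog_name          = "Security"
  use_incoming_timestamp = true
  forward_to             = [loki.process.group_changes.receiver]
  labels = {
    job          = "windows_eventlog",
    instance     = constants.hostname,
    event_type   = "Security",
    // Set service_name explicitly so Loki does not fall back to unknown_service.
    service_name = "windows_eventlog",
  }
}

loki.process "group_changes" {
  // loki.source.windowsevent emits one JSON object per event. Pull the fields
  // needed for labelling and timestamping into the extracted map
  // (assumed field names, matching those used in the original config).
  stage.json {
    expressions = {
      event_id     = "event_id",
      channel      = "channel",
      source       = "source",
      time_created = "timeCreated",
    }
  }

  // Promote event_id and channel to labels so LogQL can select on them.
  // Event IDs are a small bounded set, so this does not explode cardinality.
  stage.labels {
    values = {
      event_id = "",
      channel  = "",
    }
  }

  // Keep only security-group membership changes:
  //   4728 / 4729  member added to / removed from a security-enabled global group
  //   4732 / 4733  member added to / removed from a security-enabled local group
  //   4756 / 4757  member added to / removed from a security-enabled universal group
  // Everything else from the Security channel is dropped at the agent.
  stage.match {
    selector            = "{job=\"windows_eventlog\", event_id!~\"4728|4729|4732|4733|4756|4757\"}"
    action              = "drop"
    drop_counter_reason = "not_group_membership_change"
  }

  // Use the event's own creation time; it is RFC 3339 with fractional seconds,
  // so a named layout (not a literal sample date) is required.
  stage.timestamp {
    source = "time_created"
    format = "RFC3339Nano"
  }

  forward_to = [otelcol.receiver.loki.endpoint.receiver]
}
```

To check it end to end, add a test account to a test group on the domain controller (for example with Add-ADGroupMember) and query `{job="windows_eventlog", event_id="4728"}` in Grafana; if nothing arrives, temporarily remove the stage.match block, as suggested above, to confirm the rest of the pipeline is flowing before tightening the filter again.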
