I’ve been working through an implementation of Grafana Loki for a home logging setup (testing it out; I was using Graylog previously) and was trying to get my Windows system logs to Loki, but I have been having issues. Currently my setup includes pfSense and NAS systems sending to rsyslog on the Loki host, which then goes to Promtail, then Loki. After some research I saw there is a Grafana Agent that is supposed to allow this to work (sending Windows logs to Loki), but I have been unable to get it to work. I’ve also been looking into sending the logs to rsyslog, which would then get fed into Promtail like the other systems are currently doing.
When I try to send to syslog with Fluent Bit I can see the logs, but without the job/label I’ve included in the config; I only see them under the “loki” host label, which is not what I want. I would love to be able to separate them into a separate job or host. When I try the Grafana Agent route I’m not able to see any of the Windows logs.
If someone could confirm this is actually possible that would be great, and if so, any pointers would be greatly appreciated.
Here is an example of the Grafana agent agent-config.yaml file:
I think you are missing __path__ in your log configuration if you are trying to scrape logs locally on your Windows box with Grafana Agent. See the full example configuration here: Create a configuration file | Grafana Agent documentation.
If you could share a bit of your overall infrastructure that would be helpful too. Generally I like to keep the logging pipeline as simple as possible. If you have the option to install Grafana Agent on each of your Windows boxes or appliances, I’d definitely do that, and then send the logs directly to Loki.
I’ve got the internet coming into my house into a pfSense appliance firewall, then a Synology NAS, a Raspberry Pi running Pi-hole, a small virtualization system running XCP-ng with various VMs (the Loki host being one of them while testing it out), and two Windows systems. The plan is to install the agent on the Windows systems, but I was testing it out on one first to ensure I could get it working, then mirror its setup on the other system.
That very well could be it, I’ll give that a shot. Yes, trying to scrape the Windows logs and send them to Loki and be able to use a label for them.
Added encoding: utf-16 to the config, but now when querying against that job it takes forever to load anything: after clicking the blue “Run Query” button, it just stays in the red “Cancel” state and nothing loads. I was getting this problem before adding that line as well, but it seemed to have resolved itself, and it is happening again now… I’m just full of problems over here…
It may be helpful to try and open one of the log files and confirm the text encoding used.
There is a loki.echo component that you can use to output logs to the console instead of a Loki instance, which may help in terms of troubleshooting (see loki.echo | Grafana Agent documentation). This is the flow mode documentation; I am not sure what the equivalent is in the static mode.
If you have a small log file that is safe to share, please feel free to send it to me. I’ll be happy to poke at it.
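An added example of a static-mode agent-config.yaml covering the points raised in this thread (a windows_events scrape with its own job and host labels, the __path__ label that a file scrape needs, and where the encoding setting lives); it is not the poster's configuration, and the Loki URL, file paths, channel name and host label value are assumptions.

```yaml
# Added example, not the poster's config. Grafana Agent static mode:
# Event Log channels via the windows_events target, plus a file scrape
# that shows __path__ and encoding. URL, paths and host label are assumed.
server:
  log_level: info

logs:
  configs:
    - name: windows
      clients:
        - url: http://loki.example.internal:3100/loki/api/v1/push  # assumed Loki address
      positions:
        filename: 'C:\ProgramData\grafana-agent\positions.yaml'     # assumed path
      scrape_configs:
        # Event Log channels are read through the Windows API, so no file
        # path or text encoding is involved. One channel per scrape config;
        # add another scrape config for "Application", "System", etc.
        - job_name: windows-security-events
          windows_events:
            use_incoming_timestamp: true          # keep the event's own timestamp
            eventlog_name: "Security"             # assumed channel
            xpath_query: "*"                      # all events; narrow with an XPath filter if noisy
            bookmark_path: 'C:\ProgramData\grafana-agent\security-bookmark.xml'  # assumed
            labels:
              job: windows-events
              host: win-desktop-01                # assumed; separates these from the "loki" host label

        # Plain-text log files: without __path__ the target matches no files
        # and nothing is shipped. encoding is a scrape_config field and only
        # belongs here if the files really are UTF-16 (check the bytes first).
        - job_name: windows-app-files
          encoding: utf-16
          static_configs:
            - targets: [localhost]
              labels:
                job: windows-app-files
                host: win-desktop-01              # assumed
                __path__: 'C:\logs\*.log'         # assumed directory
```

Event Viewer's .evtx files are a binary format, so they are not candidates for a file scrape at all; the windows_events block is the route for those.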
1 - I opened one of the Windows Event Viewer files in Notepad++ and the encoding looks like it’s listed as ANSI (though even in Notepad++, lots of strange characters…)
3 - I don’t feel too comfortable sharing as it’s the Windows event logs, so I think they may contain some sensitive information, so I’d rather not, unfortunately.