Grafana Alloy logs for Windows / Loki / Grafana

Hello everyone,

I’m trying to use Grafana Alloy to collect only Windows Event Logs and send them to Loki. Here is my config.alloy:

logging {
  level = "info"
}

loki.source.windowsevent "system" {
  eventlog_name = "System"
  forward_to = [loki.write.default.receiver]
}

loki.source.windowsevent "security" {
  eventlog_name = "Security"
  forward_to = [loki.write.default.receiver]
}

loki.process "windows_event_parse" {
  forward_to = [loki.write.default.receiver]

  stage.json {
    expressions = {
      level    = "levelText",
      source   = "source",
      event_id = "event_id",
      channel  = "channel",
    }
  }

  stage.labels {
    values = {
      level    = "level",
      source   = "source",
      event_id = "event_id",
      channel  = "channel",
    }
  }
}

loki.write "default" {
  endpoint {
    url = "http://LOKI_SRV:3100/loki/api/v1/push"
  }
}

The logs are successfully reaching Loki. However, when I run:

curl http://localhost:3100/loki/api/v1/labels

I get:

{ "status":"success", "data":[ "channel", "computer", "level", "service_name", "source" ] }

My goal is to be able to query logs like: {event_id="1074"}

or {event_id=~"1074|6005|6006"}

Am I missing something in my Alloy configuration? Is event_id not available under that field name, or do I need an additional processing stage?

Thank you!

Can you share a couple of lines of your logs?

If I had to guess maybe your source logs aren’t actually json formatted and the processing stage isn’t engaged.

Hello Tony,

Here are a couple of lines of my logs in Grafana:

{"source":"Service Control Manager","channel":"System","computer":"SRVIDVET01","event_id":7036,"level":4,"levelText":"Information","keywords":"Classique","timeCreated":"2026-07-02T07:32:21.407887400Z","eventRecordID":1780102,"execution":{"processId":1096,"threadId":10144,"processName":"services.exe"},"event_data":"\u003cData Name='param1'\u003eService Configuration du réseau\u003c/Data\u003e\u003cData Name='param2'\u003een cours d’exécution\u003c/Data\u003e\u003cBinary\u003e4E0065007400530065007400750070005300760063002F0034000000\u003c/Binary\u003e","message":"Le service Service Configuration du réseau est entré dans l’état : en cours d’exécution."} 

 
{"source":"Service Control Manager","channel":"System","computer":"SRVIDVET01","event_id":7036,"level":4,"levelText":"Information","keywords":"Classique","timeCreated":"2026-07-02T07:31:56.236175400Z","eventRecordID":1780101,"execution":{"processId":1096,"threadId":1684,"processName":"services.exe"},"event_data":"\u003cData Name='param1'\u003eService Configuration du réseau\u003c/Data\u003e\u003cData Name='param2'\u003earrêté\u003c/Data\u003e\u003cBinary\u003e4E0065007400530065007400750070005300760063002F0031000000\u003c/Binary\u003e","message":"Le service Service Configuration du réseau est entré dans l’état : arrêté."} 

 
{"source":"Service Control Manager","channel":"System","computer":"SRVIDVET01","event_id":7036,"level":4,"levelText":"Information","keywords":"Classique","timeCreated":"2026-07-02T07:27:20.700629200Z","eventRecordID":1780100,"execution":{"processId":1096,"threadId":10144,"processName":"services.exe"},"event_data":"\u003cData Name='param1'\u003eService Configuration du réseau\u003c/Data\u003e\u003cData Name='param2'\u003een cours d’exécution\u003c/Data\u003e\u003cBinary\u003e4E0065007400530065007400750070005300760063002F0034000000\u003c/Binary\u003e","message":"Le service Service Configuration du réseau est entré dans l’état : en cours d’exécution."} 

 
{"source":"Service Control Manager","channel":"System","computer":"SRVIDVET01","event_id":7036,"level":4,"levelText":"Information","keywords":"Classique","timeCreated":"2026-07-02T07:26:37.834863800Z","eventRecordID":1780099,"execution":{"processId":1096,"threadId":10144,"processName":"services.exe"},"event_data":"\u003cData Name='param1'\u003eService Configuration du réseau\u003c/Data\u003e\u003cData Name='param2'\u003earrêté\u003c/Data\u003e\u003cBinary\u003e4E0065007400530065007400750070005300760063002F0031000000\u003c/Binary\u003e","message":"Le service Service Configuration du réseau est entré dans l’état : arrêté."}

I don't think that the Windows logs are json formatted.

Your logs look pretty JSON to me. Try changing your forward_to target:

Change:

loki.source.windowsevent "security" {
  eventlog_name = "Security"
  forward_to = [loki.write.default.receiver]
}

loki.process "windows_event_parse" {
  forward_to = [loki.write.default.receiver]
  ...
}

to:

loki.source.windowsevent "security" {
  eventlog_name = "Security"
  forward_to = [loki.process.windows_event_parse.receiver]
}

loki.process "windows_event_parse" {
  // unchanged: the processing stage still forwards to loki.write
  forward_to = [loki.write.default.receiver]
  ...
}

Thank you. Finally, it works perfectly. I need to make some adjustments based on your code:

logging {
  level = "info"
}

loki.source.windowsevent "application" {
  eventlog_name = "Application"
  forward_to = [loki.process.windows_event_parse.receiver]
}

loki.source.windowsevent "system" {
  eventlog_name = "System"
  forward_to = [loki.process.windows_event_parse.receiver]
}

loki.source.windowsevent "security" {
  eventlog_name = "Security"
  forward_to = [loki.process.windows_event_parse.receiver]
}

loki.process "windows_event_parse" {
  forward_to = [loki.write.default.receiver]

  stage.json {
    expressions = {
      level    = "levelText",
      source   = "source",
      event_id = "event_id",
      channel  = "channel",
    }
  }

  stage.labels {
    values = {
      level    = "level",
      source   = "source",
      event_id = "event_id",
      channel  = "channel",
    }
  }
}

loki.write "default" {
  endpoint {
    url = "http://loki_server:3100/loki/api/v1/push"
  }
}
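
A Python check for the wiring problem in this thread (an added example, not code from the posts or from Grafana): it reads the forward_to lists of an Alloy config and reports any loki.process or loki.write component that no other component forwards to, which is the reason event_id never became a label in the first config. It goes slightly beyond the thread by also flagging a component that forwards to itself; the regex-based parsing and the function names wiring and lint are assumptions of this example and cover simple configs like the one here.

```python
import re

# Constructed sample: the wiring of the config from the first post.
ORIGINAL = '''
loki.source.windowsevent "system" {
  eventlog_name = "System"
  forward_to = [loki.write.default.receiver]
}
loki.source.windowsevent "security" {
  eventlog_name = "Security"
  forward_to = [loki.write.default.receiver]
}
loki.process "windows_event_parse" {
  forward_to = [loki.write.default.receiver]
}
loki.write "default" {
  endpoint { url = "http://LOKI_SRV:3100/loki/api/v1/push" }
}
'''

# A labelled top-level block: component.name "label" {
HEADER = re.compile(r'^([a-z0-9_.]+)\s+"([^"]+)"\s*\{', re.M)
FORWARD = re.compile(r'forward_to\s*=\s*\[([^\]]*)\]')

def wiring(config):
    """Map each component ID to the component IDs its forward_to names."""
    headers = list(HEADER.finditer(config))
    graph = {}
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(config)
        refs = ','.join(FORWARD.findall(config[h.end():end])).split(',')
        graph[f'{h.group(1)}.{h.group(2)}'] = [
            r.strip().removesuffix('.receiver') for r in refs if r.strip()]
    return graph

def lint(config):
    """Report receivers nothing forwards to, and self-referencing components."""
    graph = wiring(config)
    findings = []
    for comp, targets in graph.items():
        if comp in targets:
            findings.append(f'{comp} forwards to itself')
        fed = any(comp in t for src, t in graph.items() if src != comp)
        if comp.startswith(('loki.process.', 'loki.write.')) and not fed:
            findings.append(f'{comp} receives nothing')
    return findings

if __name__ == '__main__':
    print(lint(ORIGINAL))
```

Running it against the final config in this thread returns an empty list, since all three sources forward to loki.process.windows_event_parse and that component forwards to loki.write.default.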