Hello,
My goal is to send Windows Event Logs to a Grafana server and analyze them through Loki. I have installed Grafana and Loki on Linux and Alloy on Windows. I just want to send Windows Event IDs 4656 and 4658 to my server and analyze them. The Alloy configuration file on Windows is as follows:
```alloy
// Define the loki.write block
loki.write "endpoint" {
  endpoint {
    url = "http://YOUR_LOKI_SERVER_IP:3100/loki/api/v1/push"
  }
}

// Define the loki.process block
loki.process "endpoint" {
  forward_to = [loki.write.endpoint.receiver]

  // Stage to parse the JSON that loki.source.windowsevent emits.
  // The event ID field in that JSON is named "event_id", not "EventID",
  // so the expression has to use that key or nothing is extracted.
  stage.json {
    expressions = {
      message       = "message",
      source        = "source",
      computer      = "computer",
      eventRecordID = "eventRecordID",
      channel       = "channel",
      event_id      = "event_id", // Extract the event ID field
    }
  }

  // Stage to filter events based on the event ID.
  // stage.regex only extracts named capture groups; it never drops a line.
  // stage.match with a "!~" line filter and action = "drop" discards every
  // line whose event ID is not 4656 or 4658. The "\b" keeps 46561 from
  // matching 4656. The selector keys on the "job" label set on the sources.
  stage.match {
    selector = `{job="windows_events"} !~ "\"event_id\":(4656|4658)\\b"`
    action   = "drop"
  }

  // Stage to add structured metadata
  stage.structured_metadata {
    values = {
      eventRecordID = "eventRecordID",
      channel       = "channel",
    }
  }

  // Stage to process the EventLog message
  stage.eventlogmessage {
    source             = "message"
    overwrite_existing = true
  }

  // Stage to add labels
  stage.labels {
    values = {
      service_name = "source",
    }
  }

  // Stage to output the message text as the log line
  stage.output {
    source = "message"
  }
}

// Define the loki.source.windowsevent blocks.
// Event IDs 4656 (handle to an object requested) and 4658 (handle closed)
// are written to the Security channel, so a Security source is required to
// receive them at all; Alloy must run with rights to read that channel.
loki.source.windowsevent "security" {
  eventlog_name          = "Security"
  use_incoming_timestamp = true
  labels                 = { job = "windows_events" }
  forward_to             = [loki.process.endpoint.receiver]
}

loki.source.windowsevent "application" {
  eventlog_name          = "Application"
  use_incoming_timestamp = true
  labels                 = { job = "windows_events" }
  forward_to             = [loki.process.endpoint.receiver]
}

loki.source.windowsevent "system" {
  eventlog_name          = "System"
  use_incoming_timestamp = true
  labels                 = { job = "windows_events" }
  forward_to             = [loki.process.endpoint.receiver]
}
```
Now I have a few questions:
1- Which dashboard can I use?
2- I found a dashboard with ID 20946, but this dashboard has its own configuration file. How do I change this configuration file to only send IDs 4656 and 4658?
Please show me some solutions.
Thank you.
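As an added example that is not part of the original post, the following Python check applies the keep-only-4656/4658 regular expression that a line-filter based keep filter in the Alloy pipeline would use to a few constructed sample lines in the JSON shape loki.source.windowsevent emits (field names as in the Alloy/Promtail Windows event format; host names, record IDs and messages are invented). It shows which lines survive, why a trailing `\b` is needed so that event ID 46561 is not mistaken for 4656, and that a pattern written against a key named `EventID` matches nothing because the emitted key is `event_id`.

```python
import json
import re

# Keep pattern: the event ID value right after the "event_id" key, with a
# word boundary so 46561 does not match 4656.
KEEP_PATTERN = re.compile(r'"event_id":(4656|4658)\b')

# Constructed sample lines (not real log data) in the JSON shape that
# loki.source.windowsevent produces.
SAMPLE_LINES = [
    '{"source":"Microsoft-Windows-Security-Auditing","channel":"Security",'
    '"computer":"HOST01","event_id":4656,"eventRecordID":101,'
    '"message":"A handle to an object was requested."}',
    '{"source":"Microsoft-Windows-Security-Auditing","channel":"Security",'
    '"computer":"HOST01","event_id":4658,"eventRecordID":102,'
    '"message":"The handle to an object was closed."}',
    '{"source":"Microsoft-Windows-Security-Auditing","channel":"Security",'
    '"computer":"HOST01","event_id":4624,"eventRecordID":103,'
    '"message":"An account was successfully logged on."}',
    '{"source":"Test-Provider","channel":"Application",'
    '"computer":"HOST01","event_id":46561,"eventRecordID":104,'
    '"message":"Not a security event."}',
]


def keep_line(line: str) -> bool:
    """Mirror of a '!~ <pattern>' selector with action = "drop":
    a line is kept only if the pattern matches it."""
    return KEEP_PATTERN.search(line) is not None


def filter_lines(lines):
    """Return the lines that survive the keep filter, in input order."""
    return [line for line in lines if keep_line(line)]


def kept_event_ids(lines):
    """Parse the surviving lines the way stage.json would and return
    their numeric event IDs."""
    return [json.loads(line)["event_id"] for line in filter_lines(lines)]


def wrong_key_hits(lines):
    """Count lines matched by a pattern written against an "EventID" key.
    The emitted JSON uses "event_id", so this is 0 on real input."""
    wrong = re.compile(r'"EventID":\s*(4656|4658)')
    return sum(1 for line in lines if wrong.search(line))


if __name__ == "__main__":
    print(kept_event_ids(SAMPLE_LINES))  # [4656, 4658]
    print(wrong_key_hits(SAMPLE_LINES))  # 0
```

The same pattern can be pasted into a Loki line filter in Grafana Explore to confirm, on data already ingested, that only the two IDs come back before the filter is put into the Alloy pipeline.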