Hi everyone,
I’m trying to filter Windows Security event logs to only forward successful login events (Event ID 4624) to Loki, but I’m having trouble with the relabeling process. In my configuration, I’ve successfully extracted the `event_id`, and I can see it in Grafana without issues. However, as soon as I add a `loki.relabel` rule with a “keep” action based on the `event_id`, no logs are forwarded anymore. Without this rule, logs are sent correctly.
Here’s my configuration:
```
// Pipeline order (by forward_to): loki.source.windowsevent -> loki.relabel -> loki.process -> loki.write

loki.process "logs_integrations_windows_exporter_security" {
  forward_to = [loki.write.grafana_cloud_loki.receiver]

  // Parse the JSON body produced by loki.source.windowsevent and pull
  // three fields into the extracted map.
  stage.json {
    expressions = {
      level    = "levelText",
      source   = "source",
      event_id = "event_id",
    }
  }

  // Promote the extracted values to stream labels (an empty value means
  // "use the extracted key of the same name").
  stage.labels {
    values = {
      level    = "",
      source   = "",
      event_id = "",
    }
  }
}

loki.relabel "logs_integrations_windows_exporter_security" {
  // Receives entries straight from the source and forwards them to loki.process.
  // At this point the only labels on an entry are the static ones set by the
  // source block below (instance, job); fields of the JSON body such as
  // computer and event_id have not been turned into labels yet.
  forward_to = [loki.process.logs_integrations_windows_exporter_security.receiver]

  // Default action is "replace" with regex "(.*)": copies the value of the
  // "computer" label (if any) into "agent_hostname".
  rule {
    source_labels = ["computer"]
    target_label  = "agent_hostname"
  }

  // Keep only entries whose (anchored) joined source_labels value matches "4624".
  rule {
    source_labels = ["event_id"]
    regex         = "4624"
    action        = "keep"
  }
}

loki.source.windowsevent "logs_integrations_windows_exporter_security" {
  locale                 = 1033
  eventlog_name          = "Security"
  bookmark_path          = "./bookmarks-sec.xml"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to             = [loki.relabel.logs_integrations_windows_exporter_security.receiver]

  // Static labels attached to every entry from this source.
  labels = {
    instance = constants.hostname,
    job      = "integrations/windows_exporter",
  }
}
```
What could I be doing wrong with the relabeling rule and the regex? It seems like adding the “keep” action stops all logs from being forwarded. Any ideas on how to fix this?
Thanks in advance for your help!
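The behaviour described above follows from the pipeline order: `loki.relabel` sits between `loki.source.windowsevent` and `loki.process`, so when the `keep` rule runs, `event_id` is still just a field inside the JSON body and not a label. The joined `source_labels` value is therefore an empty string, the anchored regex `^(?:4624)$` does not match it, and `keep` discards every entry. The same applies to the `computer` rule, which copies an empty value. The following is an added example (not code from the original post) of one way to do the filtering inside `loki.process`, after the labels exist; it keeps the poster's `loki.write.grafana_cloud_loki` receiver name and the `job`/`instance` labels as assumptions, and uses the `computer` field that `loki.source.windowsevent` includes in its JSON body to populate `agent_hostname`:

```alloy
loki.source.windowsevent "security" {
  eventlog_name          = "Security"
  bookmark_path          = "./bookmarks-sec.xml"
  use_incoming_timestamp = true
  // Send straight to loki.process; no relabel step before the labels exist.
  forward_to = [loki.process.security_logon_only.receiver]
  labels = {
    instance = constants.hostname,              // assumption: same static labels as the original post
    job      = "integrations/windows_exporter",
  }
}

loki.process "security_logon_only" {
  forward_to = [loki.write.grafana_cloud_loki.receiver] // assumption: existing loki.write component

  // 1. Parse the JSON body emitted by loki.source.windowsevent and extract
  //    the fields we want to select on. "computer" is part of that JSON body.
  stage.json {
    expressions = {
      level    = "levelText",
      source   = "source",
      event_id = "event_id",
      computer = "computer",
    }
  }

  // 2. Promote extracted values to labels. From here on they are visible to
  //    later stages and to LogQL stream selectors.
  stage.labels {
    values = {
      level          = "",
      source         = "",
      event_id       = "",
      agent_hostname = "computer", // label agent_hostname takes the extracted "computer" value
    }
  }

  // 3. Drop everything that is not a successful logon (Event ID 4624).
  //    The selector is a LogQL stream selector evaluated against the labels
  //    set in the previous stage, so the event_id label must exist by now.
  stage.match {
    selector = "{event_id!=\"4624\"}"
    action   = "drop"
  }
}
```

If you would rather keep the `loki.relabel` block, the equivalent fix is to reorder the chain so that `loki.source.windowsevent` forwards to `loki.process`, `loki.process` forwards to `loki.relabel`, and `loki.relabel` forwards to `loki.write`; the `keep` rule with `regex = "4624"` then works as written, because the regex is anchored and only ever sees the `event_id` label after `stage.labels` has set it. Two caveats worth keeping in mind: dropped events never reach Loki at all, so widen the selector (for example to `{event_id!~"4624|4625"}`) before you decide to investigate failed logons, and once only 4624 survives the `event_id` label carries a single value, so it costs nothing in cardinality but also tells you nothing you do not already know.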