Hi, I collect windows eventlog entries with promtail (version 2.4.2) and forward them to Loki. This usually works fine. Now I have noticed that some entries are missing data. It always seems to be the data that is below “user_data” in the XML view of the eventlog entry. Since there is an “exclude_user_data” parameter for the “promtail.yaml”, I assume that this data is actually supposed to be collected. In the log entries in Loki where the string “user_data” appears, this “detected field” always contains only a copy of the data from “event_data”.
Is this a configuration problem or possibly a “bug”?
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.