Probably means one of those events is not happening, or the event ID you're looking for is not under Security, because it's working on my PC.
Hi,
Thanks again.
I guess not. Can you share the complete configuration?
I am using your own config, the only thing I changed was the xpath
Hi,
Thanks again.
So, your configuration is as follows:
loki.process "windows_event_logs" {
    forward_to = [loki.write.default.receiver]

    stage.regex {
        expression = ".*EventID=\"4660\".*SubjectUserName=\"(?P<username>[^\"]+)\".*ObjectName=\"(?P<file>[^\"]+)\".*ObjectType=\"(?P<folder>[^\"]+)\".*Computer=\"(?P<hostname>[^\"]+)\".*IpAddress=\"(?P<ip_address>[^\"]+)\".*TimeCreated=\"(?P<timestamp>[^\"]+)\".*"
    }

    stage.labels {
        values = {
            file       = "file",
            folder     = "folder",
            hostname   = "hostname",
            ip_address = "ip_address",
            timestamp  = "timestamp",
            username   = "username",
        }
    }

    stage.timestamp {
        source = "timestamp"
        format = "RFC3339"
    }
}

loki.relabel "windows_event_logs" {
    forward_to = [loki.process.windows_event_logs.receiver]

    rule {
        source_labels = ["__name__"]
        target_label  = "__name__"
    }
}

loki.source.windowsevent "windows_event_logs" {
    eventlog_name          = "Security"
    xpath_query            = "*[System/EventID=5061] or *[System/EventID=5379]"
    poll_interval          = "0s"
    use_incoming_timestamp = true
    forward_to             = [loki.relabel.windows_event_logs.receiver]

    labels = {
        job = "windows_event_logs",
    }

    legacy_bookmark_path = "./bookmark.xml"
}

loki.write "default" {
    endpoint {
        url = "http://192.168.1.2:3100/loki/api/v1/push"
    }
    external_labels = {}
}
Are you only getting logs for IDs 5061 and 5379 on the Loki server?
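The configuration quoted in the reply above has two filters that never agree: the loki.source.windowsevent xpath_query only collects event IDs 5061 and 5379, while the stage.regex expression only matches lines containing EventID="4660", so no entry ever produces the username/file/hostname labels or a parsed timestamp. The following script is an added example, not code from the thread or from Grafana; it reuses the posted regex (Go RE2 and Python re both accept (?P<name>...) groups) against constructed attribute-style sample lines in the field order the regex assumes, and it compares the event IDs the xpath admits with the ones the regex accepts. The sample lines and the helper functions are assumptions for illustration, not real Alloy output.

```python
import re
from typing import Optional

# The expression from the posted stage.regex block, copied as a raw Python string.
# The chained ".*" segments force the attributes to appear in exactly this order.
EVENT_RE = re.compile(
    r'.*EventID="4660".*SubjectUserName="(?P<username>[^"]+)".*'
    r'ObjectName="(?P<file>[^"]+)".*ObjectType="(?P<folder>[^"]+)".*'
    r'Computer="(?P<hostname>[^"]+)".*IpAddress="(?P<ip_address>[^"]+)".*'
    r'TimeCreated="(?P<timestamp>[^"]+)".*'
)

# The xpath_query from the posted loki.source.windowsevent block.
XPATH_QUERY = "*[System/EventID=5061] or *[System/EventID=5379]"

# Constructed sample lines (not real event output) laid out the way the regex expects.
SAMPLE_4660 = (
    'EventID="4660" SubjectUserName="alice" ObjectName="C:\\data\\report.docx" '
    'ObjectType="File" Computer="WS01" IpAddress="10.0.0.5" '
    'TimeCreated="2024-01-15T10:20:30Z"'
)
# Identical fields, but the event ID is one the xpath actually collects.
SAMPLE_5061 = SAMPLE_4660.replace('EventID="4660"', 'EventID="5061"')
# A 4660 line with Computer moved ahead of SubjectUserName: same data, different order.
SAMPLE_4660_REORDERED = (
    'EventID="4660" Computer="WS01" SubjectUserName="alice" '
    'ObjectName="C:\\data\\report.docx" ObjectType="File" IpAddress="10.0.0.5" '
    'TimeCreated="2024-01-15T10:20:30Z"'
)


def extract_labels(line: str) -> Optional[dict]:
    """Return the values stage.regex would extract from one line, or None on no match.

    None means stage.labels has nothing to attach and stage.timestamp has no
    'timestamp' field to parse, so the entry keeps only the static job label.
    """
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def collected_event_ids(xpath: str) -> set:
    """Event IDs admitted by an xpath_query built from simple 'EventID=N' terms (assumed shape)."""
    return set(re.findall(r"EventID=(\d+)", xpath))


def regex_event_ids(pattern: str) -> set:
    """Event IDs the stage.regex expression hard-codes as a literal EventID=\"N\" attribute."""
    return set(re.findall(r'EventID="(\d+)"', pattern))


def filters_overlap(xpath: str, pattern: str) -> bool:
    """True only if at least one collected event ID can also satisfy the regex."""
    return bool(collected_event_ids(xpath) & regex_event_ids(pattern))


if __name__ == "__main__":
    for name, line in [("4660", SAMPLE_4660), ("5061", SAMPLE_5061),
                       ("4660 reordered", SAMPLE_4660_REORDERED)]:
        print(name, "->", extract_labels(line))
    print("xpath collects:", sorted(collected_event_ids(XPATH_QUERY)))
    print("regex accepts:", sorted(regex_event_ids(EVENT_RE.pattern)))
    print("filters overlap:", filters_overlap(XPATH_QUERY, EVENT_RE.pattern))
```

Running it shows the 4660 line yielding every label, the 5061 line and the reordered 4660 line yielding nothing, and the two ID sets being disjoint. Aligning the xpath and the regex on the same event IDs, and not relying on a fixed attribute order, is what makes the labels appear in Loki.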