loki.source.windowsevent not working for "ForwardedEvents"

[Nachtfalkeaw]

What's wrong?

I want to collect logs from the "ForwardedEvents" Windows Event Log. This is not working with "eventlog_name" and not with "xpath_query" using loki.source.windowsevent

Steps to reproduce

None of these configurations allows me to collect Windows Event Forwarded Logs.

xpath_query solution:

• We use "ForwardedEvents" as Path.
• We select anything (*) which is not older than 60s from actual time.
• we add channel_new to identify these logs in loki (if they arrive) because they chare the same channel "Security" or "Application" as local logs.

loki.source.windowsevent "forwardedevents" {
    use_incoming_timestamp = true

            // Define the XPath query to select events from the Windows Event Log
    xpath_query = `
      <QueryList>
        <Query Id="0" Path="ForwardedEvents">
          <Select Path="ForwardedEvents">*[System[TimeCreated[timediff(@SystemTime) &lt;= 60000]]]</Select>
        </Query>
      </QueryList>
    `

    labels = {
      "service_name" = "windows_eventlog",
      "channel" = "ForwardedEvents",
      "channel_new" = "ForwardedEvents",
    }

    forward_to = [loki.process.windows_eventlog.receiver]
}

evebntlog_name solution not working, too:

loki.source.windowsevent "forwardedevents" {
    use_incoming_timestamp = true
    eventlog_name = "ForwardedEvents"

    labels = {
      "service_name" = "windows_eventlog",
      "channel" = "ForwardedEvents",
      "channel_new" = "ForwardedEvents",
    }

    forward_to = [loki.process.windows_eventlog.receiver]
}

To verify that the xpath_query in general is working we collected Logs from "Windows PowerShell" channel using this config:

loki.source.windowsevent "windows_powershell" {
    use_incoming_timestamp = true

    xpath_query = `
      <QueryList>
        <Query Id="0" Path="Windows PowerShell">
          <Select Path="Windows PowerShell">*</Select>
        </Query>
      </QueryList>
    `

    labels = {
      "service_name" = "windows_eventlog",
      "channel" = "Windows PowerShell",
    }

    forward_to = [loki.process.windows_eventlog.receiver]
}

Hint:
If I choose "Forwarded Events" or "Weitergeleitete Ereignisse" (German) instead of "ForwardedEvents" I get the error message in alloy that this channel does not exist. This lets me assume that "ForwardedEvents" is a correct channel name. However if I open a log from "ForwardedEvents" its channel is always Securty, Application, System, Setup. So messages in ForwardedEvents keep their original channel.

System information

Windows Server 2022

Software version

Grafana Alloy 1.5.1

Configuration

loki.source.windowsevent "forwardedevents" {
    use_incoming_timestamp = true

            // Define the XPath query to select events from the Windows Event Log
    xpath_query = `
      <QueryList>
        <Query Id="0" Path="ForwardedEvents">
          <Select Path="ForwardedEvents">*[System[TimeCreated[timediff(@SystemTime) &lt;= 60000]]]</Select>
        </Query>
      </QueryList>
    `

    labels = {
      "service_name" = "windows_eventlog",
      "channel" = "ForwardedEvents",
      "channel_new" = "ForwardedEvents",
    }

    forward_to = [loki.process.windows_eventlog.receiver]
}


evebntlog_name solution not working, too:


loki.source.windowsevent "forwardedevents" {
    use_incoming_timestamp = true
    eventlog_name = "ForwardedEvents"

    labels = {
      "service_name" = "windows_eventlog",
      "channel" = "ForwardedEvents",
      "channel_new" = "ForwardedEvents",
    }

    forward_to = [loki.process.windows_eventlog.receiver]
}

Logs

do not arrive