🗄 Log Aggregation

Install & Configure Loki on Windows

Run Grafana Loki on Windows as a log aggregation backend. Download the binary, configure storage, install as a Windows Service and connect Grafana and Promtail to it. Covers local filesystem and S3-compatible storage options.

What is Loki?

Loki is Grafana's log aggregation system. It indexes logs by their labels rather than by full text, which makes it much cheaper than Elasticsearch for log storage. Logs are shipped by Promtail (or other agents) and queried in Grafana using LogQL.

Promtail → Loki :3100 ← LogQL queries ← Grafana

Step 1 — Download Loki for Windows

# Download the latest Loki Windows binary
$version = "3.5.0"
$url = "https://github.com/grafana/loki/releases/download/v$version/loki-windows-amd64.exe.zip"
Invoke-WebRequest -Uri $url -OutFile "loki.zip"
# Extract to C:\Loki
Expand-Archive -Path "loki.zip" -DestinationPath "C:\Loki" -Force
New-Item -ItemType Directory -Path "C:\Loki\data","C:\Loki\chunks","C:\Loki\rules" -Force | Out-Null
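Step 1 extracts the archive without checking its integrity. As an added example (not part of the original guide), the function below compares an archive's SHA-256 with its entry in a sha256sum-format checksum file. The function name Test-ArchiveChecksum, the file name SHA256SUMS and the sample data are assumptions constructed for illustration, and it presumes a checksum file is available from the release page.

```powershell
# Added example: check an archive against a sha256sum-format checksum file.
# Test-ArchiveChecksum and all sample file names below are illustrative.
function Test-ArchiveChecksum {
    param(
        [Parameter(Mandatory)] [string] $ArchivePath,
        [Parameter(Mandatory)] [string] $SumsPath,
        [Parameter(Mandatory)] [string] $EntryName   # file name to look up
    )
    $expected = $null
    foreach ($line in Get-Content -LiteralPath $SumsPath) {
        # Line format: "<64 hex chars>  <file name>" ("*" prefix = binary mode)
        if ($line -match '^([0-9a-fA-F]{64})\s+\*?(.+)$' -and
            $Matches[2].Trim() -eq $EntryName) {
            $expected = $Matches[1]
            break
        }
    }
    # A missing entry is an error, not a pass
    if (-not $expected) { throw "No checksum entry for '$EntryName' in $SumsPath" }
    $actual = (Get-FileHash -LiteralPath $ArchivePath -Algorithm SHA256).Hash
    return $actual -eq $expected   # string -eq is case-insensitive
}

# --- Constructed sample data so the check can be tried offline ---
$dir  = Join-Path $env:TEMP "checksum-demo"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$name = "loki-windows-amd64.exe.zip"
$zip  = Join-Path $dir $name
$sums = Join-Path $dir "SHA256SUMS"
Set-Content -LiteralPath $zip -Value "constructed sample bytes" -NoNewline
$hash = (Get-FileHash -LiteralPath $zip -Algorithm SHA256).Hash.ToLower()
Set-Content -LiteralPath $sums -Value @(
    (("0" * 64) + "  some-other-file.zip"),
    "$hash  $name"
)

# First pass: untouched file. Second pass: file modified after the sums were written.
foreach ($tamper in $false, $true) {
    if ($tamper) { Add-Content -LiteralPath $zip -Value "modified" }
    if (Test-ArchiveChecksum -ArchivePath $zip -SumsPath $sums -EntryName $name) {
        Write-Output "checksum matches: safe to extract"
    } else {
        Write-Output "checksum MISMATCH: do not extract"
    }
}
```

For Step 1, pass loki.zip as -ArchivePath together with the checksum file saved from the same release, and run Expand-Archive only when the function returns True.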

Step 2 — Create loki-config.yaml

Save as C:\Loki\loki-config.yaml. This is a minimal single-binary config suitable for a Windows server:

auth_enabled: false
server:
  http_listen_port: 3100
  grpc_listen_port: 9096
  log_level: info
common:
  instance_addr: 127.0.0.1
  path_prefix: C:\Loki\data
  storage:
    filesystem:
      chunks_directory: C:\Loki\chunks
      rules_directory: C:\Loki\rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
schema_config:
  configs:
    - from: 2024-01-01
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h
limits_config:
  retention_period: 744h  # 31 days
compactor:
  working_directory: C:\Loki\data\compactor
  retention_enabled: true
  delete_request_store: filesystem  # Loki 3.x refuses to start with retention enabled unless this is set

Step 3 — Install Loki as a Windows Service

# Register with sc.exe
sc.exe create Loki `
  binPath= "C:\Loki\loki-windows-amd64.exe -config.file=C:\Loki\loki-config.yaml" `
  start= auto `
  DisplayName= "Grafana Loki"
# Start the service
Start-Service -Name "Loki"
# Verify it is listening on port 3100
Start-Sleep -Seconds 3
Invoke-WebRequest "http://localhost:3100/ready" -UseBasicParsing

Tip: Use NSSM for easier service management with log file capture; see the Promtail guide for the NSSM pattern.

Step 4 — Open Firewall for Promtail

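If Promtail runs on a different host, open port 3100 for it. Loki has no built-in client authentication (auth_enabled: false in Step 2 only turns off the multi-tenant header requirement), so this firewall rule is what limits who can push and query logs. Keep RemoteAddress scoped to the hosts or subnet that actually need access: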

# Allow Promtail agents to push logs (restrict to your subnet)
New-NetFirewallRule `
  -DisplayName "Loki Inbound" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 3100 `
  -RemoteAddress 192.168.1.0/24 `
  -Action Allow

Step 5 — Add Loki as a data source in Grafana

1. Open Connections: In Grafana, go to Connections → Data sources → Add new data source.
2. Select Loki: Search for Loki and click it.
3. Set URL: Enter http://localhost:3100 (or the Loki server IP if remote).
4. Save & Test: Click Save & test. You should see a green confirmation message.

Query logs in Grafana Explore

Go to Explore, select the Loki data source and try these LogQL queries:

# All logs from Windows Event Log
{job="windows_events"}
# Filter by log level
{job="windows_events"} |= "ERROR"
# Count error rate over time
count_over_time({job="windows_events"} |= "ERROR" [5m])
# Show logs from a specific host
{host="WIN-SERVER01"}
# Parse and filter JSON logs
{job="app_logs"} | json | level="error"

Loki data retention & storage management

# Check Loki storage usage
Get-ChildItem "C:\Loki" -Recurse |
  Measure-Object -Property Length -Sum |
  Select-Object @{Name="SizeMB"; Expression={[math]::Round($_.Sum / 1MB, 2)}}
# Loki service management
Get-Service -Name "Loki"
Restart-Service -Name "Loki"
Stop-Service -Name "Loki"

The retention_period: 744h in the config (31 days) automatically removes old chunks. Adjust this value based on your storage capacity.