Where do I download Promtail for Windows?

From the official Loki releases (promtail-windows-amd64.exe). Always verify the source and integrity.

Can Promtail collect Windows Event Logs?

Yes. Promtail supports windows_eventlog inputs. You can specify channels like Application, System, Security (Security may require elevated permissions).

Does Promtail need a firewall rule?

Promtail typically makes outbound connections to Loki and doesn't require inbound rules. No Windows Firewall rule is needed unless you expose a local endpoint.

How to run Promtail as a service?

Use sc.exe to create a Windows service pointing to promtail.exe with -config.file=... and set start=auto.

Promtail on Windows — Collect Event Logs & Files, Send to Loki

Prerequisites

Loki endpoint URL (cloud or self‑hosted) and credentials if needed.
Administrative privileges to run Promtail as a service.
YAML config file path (e.g., C:\\Promtail\\promtail.yaml).

Download Promtail

Get promtail-windows-amd64.exe from the official Loki releases.
Place it in a folder like C:\\Promtail\\ and create a config file next to it.

mkdir C:\\Promtail

Run Promtail (ad-hoc)

Use this to test your configuration before installing the service.

C:\\Promtail\\promtail-windows-amd64.exe -config.file=C:\\Promtail\\promtail.yaml

Install as a Windows service

Register Promtail as a service for automatic start on boot.

sc.exe create promtail binPath= "C:\\Promtail\\promtail-windows-amd64.exe -config.file=C:\\Promtail\\promtail.yaml" start= auto

sc.exe start promtail

If you run Promtail under a custom service account, ensure it has permission to read targeted log files and Event Log channels.

Windows Event Logs (overview)

Promtail can subscribe to channels like Application, System, and Security (Security may require higher privileges).
Start with Application/System for basic visibility; add others as needed.
Filter by levels or providers to reduce noise where appropriate.

File logs (overview)

Point Promtail at rolling log files (e.g., C:\\Logs\\*.log).
Ensure the service account can read the files and directories.
Use labels (job, instance, etc.) to identify the source in Loki.

Send to Loki

Configure the Loki client.url and authentication if required.
Verify ingestion by opening Grafana → Explore → Loki → query recent logs.

Promtail primarily makes outbound connections. Typically no Windows Firewall inbound rule is needed.

Troubleshooting

No logs appearing in Loki: check Promtail console/service logs for config errors; verify Loki URL/credentials and network egress.
YAML errors: indentation and escaping backslashes on Windows are common pitfalls.
Access denied to Event Logs or files: run Promtail with sufficient rights or use a dedicated service account with read access.
High volume/noise: add filters and relabeling to reduce unwanted events.

See also: Windows Firewall • Common Errors

Promtail on Windows (send logs to Loki)