Promtail on Windows — Collect Logs for Grafana Loki

Install Promtail on Windows, configure it to collect Windows Event Logs and file-based logs, push them to a Loki instance, and visualise everything in Grafana dashboards. Complete setup guide with YAML configuration examples.

What is Promtail?

Promtail is the log collection agent for Grafana Loki. It tails log files, reads Windows Event Logs and forwards log entries to Loki with labels for filtering. On Windows, Promtail runs as a service and supports both file-based logs and the Windows Event Log API.

📁 File logs

Tail any text log file — IIS logs, application logs, custom file outputs.

🪟 Windows Event Logs

Collect System, Application and Security event logs via the Windows API.

🏷 Labels

Add labels (host, job, environment) to logs for filtering in Grafana.

Step 1 — Download Promtail for Windows

Download the Promtail Windows binary from the Grafana Loki releases page on GitHub. Choose the promtail-windows-amd64.exe.zip asset.

# Download with PowerShell (replace version as needed)
$version = "3.5.0"
$url = "https://github.com/grafana/loki/releases/download/v$version/promtail-windows-amd64.exe.zip"
Invoke-WebRequest -Uri $url -OutFile "promtail.zip"

# Extract
Expand-Archive -Path "promtail.zip" -DestinationPath "C:\Promtail" -Force

Step 2 — Create promtail-config.yaml

Create a configuration file at C:\Promtail\promtail-config.yaml. Below is a full example that collects Windows Event Logs and a custom application log file.

server:
  http_listen_port: 9080
  grpc_listen_port: 0

positions:
  filename: C:\Promtail\positions.yaml

clients:
  - url: http://localhost:3100/loki/api/v1/push  # Replace with your Loki endpoint if not local

scrape_configs:
  # ── Windows Application Event Log ──
  - job_name: windows_events
    windows_events:
      use_incoming_timestamp: true
      bookmark_path: C:\Promtail\bookmark.xml
      eventlog_name: Application
      xpath_query: "*"
      labels:
        job: windows_events
        host: __HOSTNAME__
        channel: application
    pipeline_stages:
      - json:
          expressions:
            message: message
            level: level
      - labels:
          level:

  # ── Windows System Event Log ──
  - job_name: windows_system
    windows_events:
      use_incoming_timestamp: true
      bookmark_path: C:\Promtail\bookmark-system.xml
      eventlog_name: System
      xpath_query: "*"
      labels:
        job: windows_events
        channel: system

  # ── Custom application log file ──
  - job_name: app_logs
    static_configs:
      - targets:
          - localhost
        labels:
          job: my_app
          host: __HOSTNAME__
          __path__: C:\Logs\myapp\*.log

Replace __HOSTNAME__ with ${HOSTNAME} or a static value. Promtail only expands ${VAR} references in the config file when it is started with -config.expand-env=true. Replace the Loki URL with your actual Loki endpoint if it's on a different host.

Step 3 — Install Promtail as a Windows Service

Use NSSM (Non-Sucking Service Manager) or the built-in sc command to run Promtail as a service.

Option A — Using sc.exe (no extra tools)

# Register Promtail as a Windows service
sc.exe create Promtail `
    binPath= "C:\Promtail\promtail-windows-amd64.exe -config.file=C:\Promtail\promtail-config.yaml" `
    start= auto `
    DisplayName= "Grafana Promtail"

# Start the service
Start-Service -Name "Promtail"

# Verify status
Get-Service -Name "Promtail"

Option B — Using NSSM

# Download NSSM from https://nssm.cc/download
# Then install Promtail:
nssm install Promtail "C:\Promtail\promtail-windows-amd64.exe"
nssm set Promtail AppParameters "-config.file=C:\Promtail\promtail-config.yaml"
nssm set Promtail AppDirectory "C:\Promtail"
nssm set Promtail Start SERVICE_AUTO_START
nssm start Promtail

Step 4 — Verify logs arrive in Loki

After starting Promtail, confirm logs are being shipped to Loki and visible in Grafana.

1. Check Promtail status page

Open http://localhost:9080 in your browser. You'll see the Promtail web UI showing active targets and any errors.

2. Open Grafana → Explore

In Grafana, go to Explore, select your Loki data source and run a query: {job="windows_events"}

3. Check Promtail logs

Get-Content "C:\Promtail\promtail.log" -Tail 30
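
An end-to-end check that complements the manual steps above, added here as an example and not part of the original guide: it writes one uniquely tagged event to the Application log and polls Loki until that event shows up. It assumes the endpoints from the sample config (Promtail on localhost:9080, Loki on localhost:3100) and an elevated PowerShell session; the event source name PromtailCanary is made up for the test.

```powershell
# Added example: canary test for the Event Log -> Promtail -> Loki pipeline.
# Assumptions: endpoints match the sample config; session is elevated so
# eventcreate.exe may register the (hypothetical) source "PromtailCanary".
$promtail = "http://localhost:9080"
$loki     = "http://localhost:3100"
$marker   = "promtail-canary-" + [guid]::NewGuid().ToString("N")

# 1. Promtail must report ready before the test means anything.
#    (Invoke-WebRequest throws on a non-2xx answer or a refused connection.)
$ready = Invoke-WebRequest -Uri "$promtail/ready" -UseBasicParsing
if ($ready.StatusCode -ne 200) { throw "Promtail not ready: $($ready.StatusCode)" }

# 2. Write one uniquely tagged event into the Application log.
eventcreate.exe /L APPLICATION /T INFORMATION /ID 100 /SO PromtailCanary /D $marker | Out-Null
if ($LASTEXITCODE -ne 0) { throw "eventcreate failed with exit code $LASTEXITCODE" }

# 3. Poll Loki for up to 60 seconds for a log line containing the marker.
#    The selector uses the job label that the sample config attaches.
$query    = '{job="windows_events"} |= "' + $marker + '"'
$deadline = (Get-Date).AddSeconds(60)
$found    = $false
while (-not $found -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 5
    # query_range takes the start time as a Unix timestamp in nanoseconds.
    $startNs = [DateTimeOffset]::UtcNow.AddMinutes(-10).ToUnixTimeMilliseconds() * 1000000
    $uri = "$loki/loki/api/v1/query_range?limit=5&start=$startNs&query=" +
           [uri]::EscapeDataString($query)
    $resp  = Invoke-RestMethod -Uri $uri
    $found = @($resp.data.result).Count -gt 0
}

if ($found) { "OK: canary event $marker reached Loki" }
else        { throw "Canary $marker not found in Loki after 60 seconds" }
```

A failure at step 1 points at the Promtail service, a failure at step 3 at the Event Log subscription or the Loki client URL.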

Troubleshooting Promtail on Windows

No logs appearing in Loki

Access denied reading Event Logs

Promtail needs rights to read the Windows Event Log. Run the service as an Administrator account, or add the service account to the Event Log Readers local group.

# Add service account to Event Log Readers group
Add-LocalGroupMember -Group "Event Log Readers" -Member "NT SERVICE\Promtail"

positions.yaml not found

Promtail creates positions.yaml automatically on first run. If you see an error, ensure the directory C:\Promtail is writable by the service account.