Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How do I write a query to extract specific information? #16302

Open
hack3rcon opened this issue Feb 15, 2025 · 0 comments
Open

How do I write a query to extract specific information? #16302

hack3rcon opened this issue Feb 15, 2025 · 0 comments

Comments

@hack3rcon
Copy link

Hello,
My Alloy configuration is:

loki.source.windowsevent "windows_security" {
	locale                 = 1033
	eventlog_name          = "Security"
	poll_interval          = "0s"
	use_incoming_timestamp = true
	forward_to             = [loki.write.default.receiver]
	labels                 = {
		job       = "windows-security",
		logsource = "windows-eventlog",
	}
	legacy_bookmark_path = "./bookmark_sec.xml"
}

loki.write "default" {
	endpoint {
		url = "http://192.168.1.2:3100/loki/api/v1/push"
	}
	external_labels = {}
}

This configuration file sends all security related reports to the Grafana server. For example:

{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4663,"version":1,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-11T11:00:47.6158325Z","eventRecordID":126166,"execution":{"processId":4,"threadId":2656,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e091\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='ObjectType'\u003eFile\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x293c\u003c/Data\u003e\u003cData Name='AccessList'\u003e%%4423\r\n\t\t\t\t\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x80\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x404\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ResourceAttributes'\u003eS:AI\u003c/Data\u003e","message":"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x3E091\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\r\n\tHandle ID:\t\t0x293c\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x404\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80"}

I want to write a query that extracts information such as hostname, username, file and folder name, and date and time from IDs 4660 and 4663. I found the following query, but it doesn't work.

{job="windows-security"} 
  |~ `EventID="4660"` 
  or 
  |~ `EventID="4663"` 
  | logfmt 
  | line_format "{{.Hostname}} {{.Username}} {{.ObjectName}} {{.Timestamp}}" 
  | label_format hostname="{{.Hostname}}", username="{{.Username}}", object_name="{{.ObjectName}}", timestamp="{{.Timestamp}}"

What is wrong with this query?

Thank you.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hack3rcon