Grafana Loki query

Hello,
My Alloy configuration is:

loki.source.windowsevent "windows_security" {
	locale                 = 1033
	eventlog_name          = "Security"
	poll_interval          = "0s"
	use_incoming_timestamp = true
	forward_to             = [loki.write.default.receiver]
	labels                 = {
		job       = "windows-security",
		logsource = "windows-eventlog",
	}
	legacy_bookmark_path = "./bookmark_sec.xml"
}

loki.write "default" {
	endpoint {
		url = "http://192.168.1.2:3100/loki/api/v1/push"
	}
	external_labels = {}
}

This configuration file sends all security-related reports to the Grafana server. For example:

{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4663,"version":1,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-11T11:00:47.6158325Z","eventRecordID":126166,"execution":{"processId":4,"threadId":2656,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e091\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='ObjectType'\u003eFile\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x293c\u003c/Data\u003e\u003cData Name='AccessList'\u003e%%4423\r\n\t\t\t\t\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x80\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x404\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ResourceAttributes'\u003eS:AI\u003c/Data\u003e","message":"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x3E091\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\r\n\tHandle ID:\t\t0x293c\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x404\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80"}

I want to write a query that extracts information such as hostname, username, file and folder name, and date and time from IDs 4660 and 4663. I found the following query, but it doesn’t work.

{job="windows-security"} 
  |~ `EventID="4660"` 
  or 
  |~ `EventID="4663"` 
  | logfmt 
  | line_format "{{.Hostname}} {{.Username}} {{.ObjectName}} {{.Timestamp}}" 
  | label_format hostname="{{.Hostname}}", username="{{.Username}}", object_name="{{.ObjectName}}", timestamp="{{.Timestamp}}"

What is wrong with this query?

Thank you.

Warning: I’ve never seen this language in my life.

well, EventID and event_id are two different things, right?
I don't know if the line_format is correct for your log, given that logfmt should be returning key:value pairs?


Hi,
Thank you so much for your reply.
I changed the query to the following:

{job="windows-security"} | json | event_id=4660 or event_id=4663 | line_format "{{ .computer }} | {{ .timeCreated }} | {{ regexReplaceAll `(?i).*<Data Name='SubjectUserName'>([^<]+)</Data>.*` .event_data `$1` }} |  {{ regexReplaceAll `(?i).*<Data Name='ObjectName'>([^<]+)</Data>.*` .event_data `$1` }} | {{ regexReplaceAll `(?i).*<Data Name='ObjectType'>([^<]+)</Data>.*` .event_data `$1` }}"

But in the output, the </Data> section is extra:

DESKTOP-1PNH21K | 2025-02-16T11:46:24.6644245Z | Grafana
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data> |  C:\Users\Grafana\Desktop\Test
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data> | File
				</Data><Data Name='AccessMask'>0x80</Data><Data Name='ProcessId'>0x1218</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>

Any idea to solve it?

?

Hello,
Thank you so much for your reply.
Windows Event Log is XML, not HTML.
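An added example, not from this thread and not Grafana or Alloy code, that reproduces the stray `</Data>` tail shown above and demonstrates two ways past it. The `regexReplaceAll` pattern in the query starts and ends with `.*`, and in Go's RE2 syntax, which LogQL's template functions use, `.` does not match a newline unless the `s` flag is set; the `AccessList` value in the quoted 4663 record contains `\r\n` followed by tabs, so the replacement stops at that line break and everything after it is left in the output. Python's `re` has the same default, so the script below first mirrors the query's regex with and without the dotall flag (the equivalent change in the LogQL query would be `(?is)` in place of `(?i)`), and then does what the last reply points at: it treats `event_data` as XML, wraps the sibling `<Data>` elements in a root element and reads each field by its `Name` attribute, which is not sensitive to line breaks at all. The JSON record is constructed from the 4663 event quoted earlier, trimmed to the fields used; the `summarize` function and its field names are this example's own choices.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the event_data fragment of the 4663 event quoted in the
# thread, trimmed to a few fields. Note the CR/LF and tabs inside AccessList,
# which is what breaks the '.*' in the thread's regex.
SAMPLE_EVENT_DATA = (
    "<Data Name='SubjectUserName'>Grafana</Data>"
    "<Data Name='ObjectType'>File</Data>"
    "<Data Name='ObjectName'>C:\\Users\\Grafana\\Desktop\\Test</Data>"
    "<Data Name='AccessList'>%%4423\r\n\t\t\t\t</Data>"
    "<Data Name='AccessMask'>0x80</Data>"
    "<Data Name='ProcessName'>C:\\Windows\\explorer.exe</Data>"
)

# Constructed log line in the shape Alloy's loki.source.windowsevent produces
# (Alloy writes '<' as \u003c; json.loads accepts either form).
SAMPLE_LINE = json.dumps({
    "computer": "DESKTOP-1PNH21K",
    "event_id": 4663,
    "timeCreated": "2025-02-11T11:00:47.6158325Z",
    "event_data": SAMPLE_EVENT_DATA,
})


def regex_extract(event_data: str, name: str, dot_matches_newline: bool) -> str:
    """Mirror the thread's regexReplaceAll trick.

    Python's re, like Go's RE2, stops '.' at a newline unless the s (DOTALL)
    flag is set. Without it the match ends at the line break inside AccessList
    and the rest of the fragment survives the replacement, which is the extra
    '</Data>...' tail seen in the thread's output.
    """
    flags = re.IGNORECASE | (re.DOTALL if dot_matches_newline else 0)
    pattern = rf".*<Data Name='{name}'>([^<]+)</Data>.*"
    return re.sub(pattern, r"\1", event_data, flags=flags)


def parse_event_data(event_data: str) -> dict:
    """Parse event_data as XML instead of regex-matching it.

    The fragment is a run of sibling <Data> elements with no root element, so
    wrap it in one. Whitespace padding such as the CR/LF/tabs in AccessList is
    stripped from each value.
    """
    root = ET.fromstring(f"<EventData>{event_data}</EventData>")
    return {el.get("Name"): (el.text or "").strip() for el in root.findall("Data")}


def summarize(line: str, wanted=(4660, 4663)):
    """Return host/time/user/object for 4660 and 4663 records, else None.

    4660 (object deleted) carries no ObjectName in its event_data, so that
    field is simply None for those records instead of raising.
    """
    rec = json.loads(line)
    if rec.get("event_id") not in wanted:
        return None
    fields = parse_event_data(rec.get("event_data", ""))
    return {
        "event_id": rec["event_id"],
        "host": rec.get("computer"),
        "time": rec.get("timeCreated"),
        "user": fields.get("SubjectUserName"),
        "object": fields.get("ObjectName"),
        "type": fields.get("ObjectType"),
    }


if __name__ == "__main__":
    print("without (?s):", repr(regex_extract(SAMPLE_EVENT_DATA, "SubjectUserName", False)))
    print("with (?s):   ", repr(regex_extract(SAMPLE_EVENT_DATA, "SubjectUserName", True)))
    print("parsed:      ", summarize(SAMPLE_LINE))
```

Running it shows the first line ending in the same `</Data><Data Name='AccessMask'>...` tail the thread reports, the second collapsing to just `Grafana`, and the parsed form giving clean user, object and type values regardless of how the event text is padded.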