How do I extract data from the event_data section?

Hello,
When I run the following query, the following information is displayed:

2025-02-17T06:55:35.1776380Z DESKTOP-1PNH21K <Data Name='SubjectUserSid'>S-1-5-21-2104788189-4142446361-3889847816-1001</Data><Data Name='SubjectUserName'>Grafana</Data><Data Name='SubjectDomainName'>DESKTOP-1PNH21K</Data><Data Name='SubjectLogonId'>0x3b323</Data><Data Name='ObjectServer'>Security</Data><Data Name='HandleId'>0x2ac0</Data><Data Name='ProcessId'>0x136c</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='TransactionId'>{00000000-0000-0000-0000-000000000000}</Data>

2025-02-17T06:55:35.1776305Z DESKTOP-1PNH21K <Data Name='SubjectUserSid'>S-1-5-21-2104788189-4142446361-3889847816-1001</Data><Data Name='SubjectUserName'>Grafana</Data><Data Name='SubjectDomainName'>DESKTOP-1PNH21K</Data><Data Name='SubjectLogonId'>0x3b323</Data><Data Name='ObjectServer'>Security</Data><Data Name='ObjectType'>File</Data><Data Name='ObjectName'>C:\Users\Grafana\Desktop\Test\New folder</Data><Data Name='HandleId'>0x2ac0</Data><Data Name='AccessList'>%%1537
				</Data><Data Name='AccessMask'>0x10000</Data><Data Name='ProcessId'>0x136c</Data><Data Name='ProcessName'>C:\Windows\explorer.exe</Data><Data Name='ResourceAttributes'>S:AI</Data>

I want to extract the hostname, username, file or folder name, and date and time. I wrote the following query:

{job="windows-security"}
| json 
| line_format "{{ .timeCreated }} {{ .computer }} {{ .event_data }}"
| pattern "<Data Name='SubjectUserName'>(?P<SubjectUserName>[^<]+)</Data>"
| pattern "<Data Name='ObjectName'>(?P<ObjectName>[^<]+)</Data>"
| line_format "{{ .timeCreated }} {{ .SubjectUserName }} {{ .ObjectName }} {{ .computer }}"

But only the following information is displayed:

2025-02-17 10:25:35.177	2025-02-17T06:55:35.1776380Z   DESKTOP-1PNH21K

What is wrong?

Thank you.

  1. What are .timeCreated, .computer and .event_data? When you use line_format you are literally changing the log line, so whatever example you provided is no longer relevant.
  2. If that's not what you intended, you should consider using pattern before line_format.

Hi,
Thank you so much for your reply.
I used the following lines and the problem was fixed:

| regexp "<Data Name='SubjectUserName'>(?P<username>[^<]*)</Data>"
| regexp "<Data Name='ObjectName'>(?P<file_or_folder>[^<]*)</Data>"
| regexp "<Data Name='AccessList'>(?P<action_code>[^<]*)</Data>"

My problem is with the following line:

| line_format "Date and Time: {{.timeCreated}}, Hostname: {{.computer}}, Username: {{.username}}, File or Folder: {{.file_or_folder}}, Action Code: {{.action_code}}"

The output is:

Date and Time: 2025-02-18T08:39:12.7504909Z, Hostname: DESKTOP-1PNH21K, Username: Grafana, File or Folder: C:\Users\Grafana\Desktop\Test\New folder, Action Code: %%1537				

How do I change the code %%1537 to something like read, write, or delete?

If you know what the action code corresponds to, you can use template to form an arbitrary string in line_format, see the LogQL template functions page in the Grafana Loki documentation.

Example (not tested):

| line_format `Date and Time: {{.timeCreated}}, Hostname: {{.computer}}, Username: {{.username}}, File or Folder: {{.file_or_folder}}, Action Code: {{ if eq "%%1536" .action_code }} SOMEACTION {{ else if eq "%%SOMEOTHERCODE" .action_code }} SOMEOTHERACTION {{ else }} FINALACTION {{ end }}`

Hello,
Thanks again.
Do you mean something like the following:

| line_format `Date and Time: {{.timeCreated}}, Hostname: {{.computer}}, Username: {{.username}}, File or Folder: {{.file_or_folder}}, Action Code: {{ if eq "%%1536" .action_code }} ReadData {{ else if eq "%%1359" .action_code }} AppendData {{ end }}`
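The complete query, as an added example that is not from any post in this thread: it keeps the thread's regexp extraction but maps the AccessList codes with Loki's replace and trim template functions instead of an if/else chain, so that an AccessList carrying several %%-codes (or the trailing newline and tabs visible in the sample output above) is still rendered readably, and any code without a mapping is left as-is rather than dropped. It assumes the same {job="windows-security"} stream and the timeCreated, computer and event_data fields shown in the question; the names for %%4416, %%4417 and %%4418 (ReadData, WriteData, AppendData) and %%1537 (DELETE) are taken from Microsoft's documentation of Security event 4663, not from this thread.

```logql
{job="windows-security"}
| json
| line_format "{{ .timeCreated }} {{ .computer }} {{ .event_data }}"
| regexp "<Data Name='SubjectUserName'>(?P<username>[^<]*)</Data>"
| regexp "<Data Name='ObjectName'>(?P<file_or_folder>[^<]*)</Data>"
| regexp "<Data Name='AccessList'>(?P<action_code>[^<]*)</Data>"
| line_format `Date and Time: {{ .timeCreated }}, Hostname: {{ .computer }}, Username: {{ .username }}, File or Folder: {{ .file_or_folder }}, Action: {{ .action_code | replace "%%1537" "DELETE" | replace "%%4416" "ReadData" | replace "%%4417" "WriteData" | replace "%%4418" "AppendData" | trim }}`
```

The regexp stages run against the line produced by the first line_format, so event_data must be rendered into the line before them; the labels extracted by json stay available for the final line_format.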