What is wrong with my configuration file?

Hello,
The Alloy configuration file is as follows:

loki.process "windows_event_logs" {
	forward_to = [loki.write.default.receiver]

	stage.regex {
		expression = ".*EventID=\"4660\".*SubjectUserName=\"(?P<username>[^\"]+)\".*ObjectName=\"(?P<file>[^\"]+)\".*ObjectType=\"(?P<folder>[^\"]+)\".*Computer=\"(?P<hostname>[^\"]+)\".*IpAddress=\"(?P<ip_address>[^\"]+)\".*TimeCreated=\"(?P<timestamp>[^\"]+)\".*"
	}

	stage.labels {
		values = {
			file       = "file",
			folder     = "folder",
			hostname   = "hostname",
			ip_address = "ip_address",
			timestamp  = "timestamp",
			username   = "username",
		}
	}

	stage.timestamp {
		source = "timestamp"
		format = "RFC3339"
	}
}

loki.relabel "windows_event_logs" {
	forward_to = [loki.process.windows_event_logs.receiver]

	rule {
		source_labels = ["__name__"]
		target_label  = "__name__"
	}
}

loki.source.windowsevent "windows_event_logs" {
	eventlog_name          = "Security"
	xpath_query            = "*[System[(EventID=4660)]]"
	poll_interval          = "0s"
	use_incoming_timestamp = true
	forward_to             = [loki.relabel.windows_event_logs.receiver]
	labels                 = {
		job = "windows_event_logs",
	}
	legacy_bookmark_path = "./bookmark.xml"
}

loki.write "default" {
	endpoint {
		url = "http://192.168.1.2:3100/loki/api/v1/push"
	}
	external_labels = {}
}

The information Loki received is as follows:

{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4660,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-11T07:16:30.8670622Z","eventRecordID":117239,"execution":{"processId":4,"threadId":7744,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e091\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x1a04\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x404\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='TransactionId'\u003e{00000000-0000-0000-0000-000000000000}\u003c/Data\u003e","message":"An object was deleted.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x3E091\r\n\r\nObject:\r\n\tObject Server:\tSecurity\r\n\tHandle ID:\t0x1a04\r\n\r\nProcess Information:\r\n\tProcess ID:\t0x404\r\n\tProcess Name:\tC:\\Windows\\explorer.exe\r\n\tTransaction ID:\t{00000000-0000-0000-0000-000000000000}"}

Why doesn’t this information include the file or folder name?

Thank you.

Can you post samples of your source logs, please?

Also:

  1. If your source logs are already in JSON format, I’d recommend using stage.json instead.
  2. I would recommend not making ip and timestamp into labels.
2 Likes

Hello,
Thank you so much for your reply.
I want to collect Windows Event Logs and send them to Grafana server. The logs are as follows:

{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4663,"version":1,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-11T11:00:47.6158325Z","eventRecordID":126166,"execution":{"processId":4,"threadId":2656,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e091\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='ObjectType'\u003eFile\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x293c\u003c/Data\u003e\u003cData Name='AccessList'\u003e%%4423\r\n\t\t\t\t\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x80\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x404\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ResourceAttributes'\u003eS:AI\u003c/Data\u003e","message":"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x3E091\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\r\n\tHandle ID:\t\t0x293c\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x404\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80"}

I realized that ID 4660 does not include the file or folder name and I also need ID 4663. That means I need to send both IDs to the server, but how do I do that?
I’m a newbie and I don’t know how to write the configuration file to send both IDs to the server. Unfortunately, I couldn’t find any examples on the internet that would work!
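As an added illustration (not from this thread, and not Grafana's or Alloy's code), here is a small Python parser for entries shaped like the JSON shown above. It shows why the stage.regex expression from the first post cannot match (the entry is JSON, so the XML-style EventID="..." attribute it looks for never occurs), flattens the event_data fragment into plain fields, and joins a 4660 deletion, which names no object, to the 4663 that opened the same HandleId on the same host. The sample entries are constructed and trimmed, and their HandleId values are chosen to correlate; the function names are mine.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample entries, shaped like the JSON Alloy's loki.source.windowsevent
# emits (fields trimmed). HandleId values chosen so the two events correlate.
EVENT_4663 = json.dumps({
    "event_id": 4663, "computer": "DESKTOP-1PNH21K",
    "timeCreated": "2025-02-11T11:00:47.6158325Z",
    "event_data": "<Data Name='SubjectUserName'>Grafana</Data>"
                  "<Data Name='ObjectType'>File</Data>"
                  "<Data Name='ObjectName'>C:\\Users\\Grafana\\Desktop\\Test</Data>"
                  "<Data Name='HandleId'>0x293c</Data>",
})
EVENT_4660 = json.dumps({
    "event_id": 4660, "computer": "DESKTOP-1PNH21K",
    "timeCreated": "2025-02-11T11:00:48.0000000Z",
    "event_data": "<Data Name='SubjectUserName'>Grafana</Data>"
                  "<Data Name='HandleId'>0x293c</Data>",
})

# Shortened form of the thread's stage.regex expression: it expects XML attribute
# syntax (EventID="4660"), which never appears in the JSON entry, so it fails.
OP_EXPRESSION = r'.*EventID="(4660|4663)".*SubjectUserName="(?P<username>[^"]+)".*'

def op_regex_matches(line: str) -> bool:
    return re.match(OP_EXPRESSION, line) is not None

# event_data is a flat run of <Data Name='X'>value</Data> elements.
DATA_RE = re.compile(r"<Data Name='([^']+)'>(.*?)</Data>", re.S)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one JSON entry and flatten event_data into plain fields."""
    rec = json.loads(line)
    fields = {"event_id": str(rec["event_id"]), "computer": rec["computer"],
              "timeCreated": rec["timeCreated"]}
    for name, value in DATA_RE.findall(rec.get("event_data", "")):
        fields[name] = value.strip()  # AccessList values carry trailing CR/LF/tabs
    return fields

def correlate_deletions(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Attach the ObjectName from the matching 4663 to each 4660 deletion."""
    open_handles: Dict[tuple, Dict[str, str]] = {}
    deleted: List[Dict[str, Optional[str]]] = []
    for line in lines:
        ev = parse_event(line)
        key = (ev["computer"], ev.get("HandleId"))
        if ev["event_id"] == "4663" and "ObjectName" in ev:
            open_handles[key] = ev
        elif ev["event_id"] == "4660":
            opener = open_handles.pop(key, None)  # None if no 4663 was seen
            deleted.append({"time": ev["timeCreated"], "host": ev["computer"],
                            "user": ev.get("SubjectUserName"),
                            "object": opener["ObjectName"] if opener else None})
    return deleted
```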

Maybe try something like this:

stage.json {
  expressions = {
    event_id = "",
  }
}

stage.labels {
  values = {
    event_id = "",
  }
}
1 Like

Hi,
Thanks again.
Can you write the complete configuration file? Do you mean something like the following?

loki.process "windows_event_logs" {
  forward_to = [loki.write.default.receiver]

  stage.json {
    expressions = {
      event_id = "",
    }
  }

  stage.labels {
    values = {
      event_id = "",
    }
  }  
}

loki.relabel "windows_event_logs" {
  forward_to = [loki.process.windows_event_logs.receiver]

  rule {
    source_labels = ["__name__"]
    target_label  = "__name__"
  }
}

loki.source.windowsevent "windows_event_logs" {
  eventlog_name          = "Security"
  xpath_query            = "*[System[(EventID=4660)]]"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to             = [loki.relabel.windows_event_logs.receiver]
  labels                 = {
    job = "windows_event_logs",
  }
  legacy_bookmark_path = "./bookmark.xml"
}

loki.write "default" {
  endpoint {
    url = "http://192.168.1.2:3100/loki/api/v1/push"
  }
  external_labels = {}
}

Looks ok to me, I’d say try it out and see.

1 Like

Thanks, but don’t you think the following section should also be changed?

loki.source.windowsevent "windows_event_logs" {
  eventlog_name          = "Security"
  xpath_query            = "*[System[(EventID=4660)]]"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to             = [loki.relabel.windows_event_logs.receiver]
  labels                 = {
    job = "windows_event_logs",
  }
  legacy_bookmark_path = "./bookmark.xml"
}

I also need ID 4663.

Can adding
*[System[(EventID=4660 or EventID=4663)]] work?

How would you do an xpath_query outside of Alloy for 2 EventIDs?

1 Like

Hello,
Thank you so much for your reply.
I tried the configuration below, but it didn’t work and it only sends one ID instead of both IDs:

loki.process "windows_event_logs" {
  forward_to = [loki.write.default.receiver]

  stage.regex {
    expression = ".*EventID=\"(4660|4663)\".*SubjectUserName=\"(?P<username>[^\"]+)\".*ObjectName=\"(?P<file>[^\"]+)\".*ObjectType=\"(?P<folder>[^\"]+)\".*Computer=\"(?P<hostname>[^\"]+)\".*IpAddress=\"(?P<ip_address>[^\"]+)\".*TimeCreated=\"(?P<timestamp>[^\"]+)\".*"
  }

  stage.labels {
    values = {
      file       = "file",
      folder     = "folder",
      hostname   = "hostname",
      ip_address = "ip_address",
      timestamp  = "timestamp",
      username   = "username",
    }
  }

  stage.timestamp {
    source = "timestamp"
    format = "RFC3339"
  }
}

loki.relabel "windows_event_logs" {
  forward_to = [loki.process.windows_event_logs.receiver]

  rule {
    source_labels = ["__name__"]
    target_label  = "__name__"
  }
}

loki.source.windowsevent "windows_event_logs" {
  eventlog_name          = "Security"
  xpath_query            = "*[System[(EventID=4660 or EventID=4663)]]"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to             = [loki.relabel.windows_event_logs.receiver]
  labels                 = {
    job = "windows_event_logs",
  }
  legacy_bookmark_path = "./bookmark.xml"
}

loki.write "default" {
  endpoint {
    url = "http://192.168.1.2:3100/loki/api/v1/push"
  }
  external_labels = {}
}

I think filtering IDs shouldn’t be a strange thing!

Try this. First do a debug and see what is being spat out in the Alloy debug window.
It is also good to order your stanzas like one is reading a book: intro, body, conclusion. Yours is like time travel :wink:

This is what I added for debugging purposes

forward_to = [loki.echo.debug.receiver]

loki.echo "debug" { }

logging {
  level  = "info"
  format = "logfmt"
}

loki.source.windowsevent "windows_event_logs" {
  eventlog_name          = "Security"
  xpath_query            = "*[System[(EventID=4660 or EventID=4663)]]"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to             = [loki.relabel.windows_event_logs.receiver]
  labels                 = {
    job = "windows_event_logs",
  }
  legacy_bookmark_path = "./bookmark.xml"
}

loki.relabel "windows_event_logs" {
  forward_to = [loki.process.windows_event_logs.receiver]

  rule {
    source_labels = ["__name__"]
    target_label  = "__name__"
  }
}

loki.process "windows_event_logs" {
  forward_to = [loki.echo.debug.receiver]

  stage.regex {
    expression = ".*EventID=\"(4660|4663)\".*SubjectUserName=\"(?P<username>[^\"]+)\".*ObjectName=\"(?P<file>[^\"]+)\".*ObjectType=\"(?P<folder>[^\"]+)\".*Computer=\"(?P<hostname>[^\"]+)\".*IpAddress=\"(?P<ip_address>[^\"]+)\".*TimeCreated=\"(?P<timestamp>[^\"]+)\".*"
  }

  stage.labels {
    values = {
      file       = "file",
      folder     = "folder",
      hostname   = "hostname",
      ip_address = "ip_address",
      timestamp  = "timestamp",
      username   = "username",
    }
  }

  stage.timestamp {
    source = "timestamp"
    format = "RFC3339"
  }
}


loki.echo "debug" { }

loki.write "default" {
  endpoint {
    url = "http://192.168.1.2:3100/loki/api/v1/push"
  }
  external_labels = {}
}
1 Like

Thanks again.
I don’t have access to the server right now and I’ll do the test tomorrow.
Where do the lines you added for debugging show me the problem?

Hello,
I ran the following configuration:

logging {
  level  = "info"
  format = "logfmt"
}

loki.source.windowsevent "windows_event_logs" {
  eventlog_name          = "Security"
  xpath_query            = "*[System[(EventID=4660 or EventID=4663)]]"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to             = [loki.relabel.windows_event_logs.receiver]
  labels                 = {
    job = "windows_event_logs",
  }
  legacy_bookmark_path = "./bookmark.xml"
}

loki.relabel "windows_event_logs" {
  forward_to = [loki.process.windows_event_logs.receiver]

  rule {
    source_labels = ["__name__"]
    target_label  = "__name__"
  }
}

loki.process "windows_event_logs" {
  forward_to = [loki.echo.debug.receiver]

  stage.regex {
    expression = ".*EventID=\"(4660|4663)\".*SubjectUserName=\"(?P<username>[^\"]+)\".*ObjectName=\"(?P<file>[^\"]+)\".*ObjectType=\"(?P<folder>[^\"]+)\".*Computer=\"(?P<hostname>[^\"]+)\".*IpAddress=\"(?P<ip_address>[^\"]+)\".*TimeCreated=\"(?P<timestamp>[^\"]+)\".*"
  }

  stage.labels {
    values = {
      file       = "file",
      folder     = "folder",
      hostname   = "hostname",
      ip_address = "ip_address",
      timestamp  = "timestamp",
      username   = "username",
    }
  }

  stage.timestamp {
    source = "timestamp"
    format = "RFC3339"
  }
}


loki.echo "debug" { }

loki.write "default" {
  endpoint {
    url = "http://192.168.1.2:3100/loki/api/v1/push"
  }
  external_labels = {}
}

When I looked at the Windows Event Viewer, the following reports were generated:

ts=2025-02-15T05:55:03.0552645Z level=info component_path=/ component_id=loki.echo.debug receiver=loki.echo.debug entry="{\"source\":\"Microsoft-Windows-Security-Auditing\",\"channel\":\"Security\",\"computer\":\"DESKTOP-1PNH21K\",\"event_id\":4663,\"version\":1,\"task\":12800,\"levelText\":\"Information\",\"taskText\":\"File System\",\"opCodeText\":\"Info\",\"keywords\":\"Audit Success\",\"timeCreated\":\"2025-02-11T10:45:37.6576565Z\",\"eventRecordID\":124091,\"execution\":{\"processId\":4,\"threadId\":868,\"processName\":\"System\"},\"event_data\":\"\\u003cData Name='SubjectUserSid'\\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\\u003c/Data\\u003e\\u003cData Name='SubjectUserName'\\u003eGrafana\\u003c/Data\\u003e\\u003cData Name='SubjectDomainName'\\u003eDESKTOP-1PNH21K\\u003c/Data\\u003e\\u003cData Name='SubjectLogonId'\\u003e0x3e091\\u003c/Data\\u003e\\u003cData Name='ObjectServer'\\u003eSecurity\\u003c/Data\\u003e\\u003cData Name='ObjectType'\\u003eFile\\u003c/Data\\u003e\\u003cData Name='ObjectName'\\u003eC:\\\\Users\\\\Grafana\\\\Desktop\\\\Test\\u003c/Data\\u003e\\u003cData Name='HandleId'\\u003e0x1bbc\\u003c/Data\\u003e\\u003cData Name='AccessList'\\u003eCountry/region code\\r\\n\\t\\t\\t\\t\\u003c/Data\\u003e\\u003cData Name='AccessMask'\\u003e0x1\\u003c/Data\\u003e\\u003cData Name='ProcessId'\\u003e0x404\\u003c/Data\\u003e\\u003cData Name='ProcessName'\\u003eC:\\\\Windows\\\\explorer.exe\\u003c/Data\\u003e\\u003cData Name='ResourceAttributes'\\u003eS:AI\\u003c/Data\\u003e\",\"message\":\"An attempt was made to access an object.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-2104788189-4142446361-3889847816-1001\\r\\n\\tAccount Name:\\t\\tGrafana\\r\\n\\tAccount Domain:\\t\\tDESKTOP-1PNH21K\\r\\n\\tLogon ID:\\t\\t0x3E091\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\t\\tSecurity\\r\\n\\tObject Type:\\t\\tFile\\r\\n\\tObject Name:\\t\\tC:\\\\Users\\\\Grafana\\\\Desktop\\\\Test\\r\\n\\tHandle ID:\\t\\t0x1bbc\\r\\n\\tResource Attributes:\\tS:AI\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t\\t0x404\\r\\n\\tProcess Name:\\t\\tC:\\\\Windows\\\\explorer.exe\\r\\n\\r\\nAccess Request Information:\\r\\n\\tAccesses:\\t\\tReadData (or ListDirectory)\\r\\n\\t\\t\\t\\t\\r\\n\\tAccess Mask:\\t\\t0x1\"}" labels="{channel=\"Security\", computer=\"DESKTOP-1PNH21K\", job=\"windows_event_logs\"}"

ts=2025-02-15T05:56:10.9457659Z level=info component_path=/ component_id=loki.echo.debug receiver=loki.echo.debug entry="{\"source\":\"Microsoft-Windows-Security-Auditing\",\"channel\":\"Security\",\"computer\":\"DESKTOP-1PNH21K\",\"event_id\":4660,\"task\":12800,\"levelText\":\"Information\",\"taskText\":\"File System\",\"opCodeText\":\"Info\",\"keywords\":\"Audit Success\",\"timeCreated\":\"2025-02-15T05:56:08.5085280Z\",\"eventRecordID\":129178,\"execution\":{\"processId\":4,\"threadId\":304,\"processName\":\"System\"},\"event_data\":\"\\u003cData Name='SubjectUserSid'\\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\\u003c/Data\\u003e\\u003cData Name='SubjectUserName'\\u003eGrafana\\u003c/Data\\u003e\\u003cData Name='SubjectDomainName'\\u003eDESKTOP-1PNH21K\\u003c/Data\\u003e\\u003cData Name='SubjectLogonId'\\u003e0x32891\\u003c/Data\\u003e\\u003cData Name='ObjectServer'\\u003eSecurity\\u003c/Data\\u003e\\u003cData Name='HandleId'\\u003e0x2720\\u003c/Data\\u003e\\u003cData Name='ProcessId'\\u003e0x12ac\\u003c/Data\\u003e\\u003cData Name='ProcessName'\\u003eC:\\\\Windows\\\\explorer.exe\\u003c/Data\\u003e\\u003cData Name='TransactionId'\\u003e{00000000-0000-0000-0000-000000000000}\\u003c/Data\\u003e\",\"message\":\"An object was deleted.\\r\\n\\r\\nSubject:\\r\\n\\tSecurity ID:\\t\\tS-1-5-21-2104788189-4142446361-3889847816-1001\\r\\n\\tAccount Name:\\t\\tGrafana\\r\\n\\tAccount Domain:\\t\\tDESKTOP-1PNH21K\\r\\n\\tLogon ID:\\t\\t0x32891\\r\\n\\r\\nObject:\\r\\n\\tObject Server:\\tSecurity\\r\\n\\tHandle ID:\\t0x2720\\r\\n\\r\\nProcess Information:\\r\\n\\tProcess ID:\\t0x12ac\\r\\n\\tProcess Name:\\tC:\\\\Windows\\\\explorer.exe\\r\\n\\tTransaction ID:\\t{00000000-0000-0000-0000-000000000000}\"}" labels="{channel=\"Security\", computer=\"DESKTOP-1PNH21K\", job=\"windows_event_logs\"}"

But the problem is that the Grafana server is not receiving any reports:

# tcpdump -vvv -i any src 192.168.1.3 and port 3100
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

This is because of the line xpath_query = "*[System[(EventID=4660 or EventID=4663)]]".

You have eventlog_name Security but you are doing the xpath query from System.

eventlog_name          = "Security"
xpath_query            = "*[System[(EventID=4660 or EventID=4663)]]"

Check out the doc.

1 Like

Hi,
Thank you so much for your reply.
Do you mean something like the following:

eventlog_name          = "Security"
xpath_query            = "*[Security[(EventID=4660 or EventID=4663)]]"

Did you read the document? Copy-pasting will lead you into rabbit holes.

I couldn’t find an example!

Start with a simple config and work your way up:

logging {
  level  = "info"
  format = "logfmt"
}

loki.source.windowsevent "windows_event_logs" {
  eventlog_name          = "System"
  poll_interval          = "0s"
  use_incoming_timestamp = true
  forward_to = [loki.echo.debug.receiver, loki.write.local_loki.receiver]
}

loki.echo "debug" { }

loki.write "local_loki" {
    endpoint {
        url = "localhost:3100/loki/api/v1/push"
    }
}

Change the Loki endpoint as needed, just don’t copy/pasta and hope that it works. Run this in your command line using

 C:\LGTM\alloy> .\alloy-windows-amd64.exe run .\config.hack3rcon.alloy

and then check the output.

You should start seeing something like this.

Then keep building one piece at a time. You can also now start to explore the data piece by piece, change config, test, verify (rinse/repeat).

1 Like

Hi,
Thanks again.
As I said, the configuration works for a single ID, but not for multiple IDs. I can send all logs related to a section such as Security or a specific ID to the server, but I cannot send multiple specific IDs.