Pic 1
Pic 2
So here's the problem. At first, after 2 weeks of Alloy deployment, everything seemed fine. But after that, whenever I set the range to the last 7 days, the data does not tally, as shown in Pic 2. It should be the same for every panel, as in Pic 1. Why did this happen? Is it because of a bug? I already tried restarting the Grafana service, but the output is still the same.
Grafana version: v11.1.3
OS used: Unix environment
The query for each panel is shown below:
Most frequent logon type:
topk(20, sum by (LogonType) (
  count_over_time(
    {channel="Security", computer=~"$computer"} |= "$search" !~ "DWM" !~ "UMFD" !~ "ramcosupport" !~ "Ramcoerpusr_app" !~ "dashboard.user"
      | json
      | line_format "{{.event_data}}"
      | event_id=~"4624"
      | regexp "<Data Name='LogonType'>(?P<LogonType>[0-9]+)<"
      | LogonType=~"^(2|7|9|10|11)$"
    [$__range]
    #[7d]
  )
))
Top account by logon:
topk(20,
  sum by (TargetUserName) (
    count_over_time(
      {channel="Security", computer=~"$computer"} |= "$search" !~ "DWM" !~ "UMFD" !~ "ramcosupport" !~ "Ramcoerpusr_app" !~ "dashboard.user"
        | json
        | line_format "{{.event_data}}"
        | regexp "<Data Name='TargetUserName'>(?P<TargetUserName>[^<]+)<"
        | regexp "<Data Name='LogonType'>(?P<LogonType>[0-9]+)<"
        | LogonType=~"^(2|7|9|10|11)$"
        | event_id=~"4624"
      #[7d]
      [$__range]
    )
  )
)
Top source IPs by logon count:
topk(20,
  sum by (IpAddress) (
    count_over_time(
      {channel="Security", computer=~"$computer"} !~ "DWM" !~ "UMFD" !~ "ramcosupport" !~ "Ramcoerpusr_app" !~ "dashboard.user" !~ "ramcoerpusr_app"
        | json
        | event_id="4624"
        | line_format "{{.event_data}}"
        | regexp "<Data Name='IpAddress'>\\s*(?P<IpAddress>[^<]+)<"
        | regexp "<Data Name='LogonType'>(?P<LogonType>[0-9]+)<"
        | LogonType=~"^(2|7|9|10|11)$"
        | IpAddress!=""
        | IpAddress!="-"
      [$__range]
      #[7d]
    )
  )
)
Most frequent event ID:
sum by (event_id) (
  count_over_time(
    {channel="Security", computer=~"$computer"} |= "$search" !~ "DWM" !~ "UMFD" !~ "ramcosupport" !~ "Ramcoerpusr_app" !~ "dashboard.user"
      | json
      | line_format "{{.event_data}}"
      | regexp "<Data Name='LogonType'>(?P<LogonType>[0-9]+)<"
      | LogonType=~"^(2|7|9|10|11)$"
      | event_id=~"4624|4634"
    [$__range]
  )
)
Alloy config file:
// Existing component to scrape the active "Security" Windows Event Log channel
loki.source.windowsevent "security" {
  eventlog_name          = "Security"
  use_incoming_timestamp = true
  forward_to             = [loki.write.endpoint.receiver]
}

// Writes the processed logs to the Loki server
loki.write "endpoint" {
  endpoint {
    url = "http://IP/loki/api/v1/push"
  }
}

// Enables live debugging for troubleshooting
livedebugging {
  enabled = true
}
Loki config file:
auth_enabled: false

server:
  http_listen_port: 3100
  grpc_listen_port: 9096
  http_server_write_timeout: 5m
  http_server_read_timeout: 5m

common:
  instance_addr: 127.0.0.1
  path_prefix: /tmp/loki
  storage:
    filesystem:
      chunks_directory: /tmp/loki/chunks
      rules_directory: /tmp/loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory

query_range:
  max_retries: 5
  parallelise_shardable_queries: true
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100

limits_config:
  split_queries_by_interval: 12h

schema_config:
  configs:
    - from: 2020-10-24
      store: tsdb
      object_store: filesystem
      schema: v13
      index:
        prefix: index_
        period: 24h

ruler:
  alertmanager_url: http://localhost:9093

frontend:
  encoding: protobuf
  max_outstanding_per_tenant: 4096
  compress_responses: true

# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
#
# Statistics help us better understand how Loki is used, and they show us performance
# levels for most users. This helps us prioritize features and documentation.
# For more information on what's sent, look at
# https://github.com/grafana/loki/blob/main/pkg/analytics/stats.go
# Refer to the buildReport method to see what goes into a report.
#
# If you would like to disable reporting, uncomment the following lines:
#analytics:
#  reporting_enabled: false
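As an added cross-check (not part of the original post), the script below replays the same filter chain the four LogQL queries share, namely the line-level exclusions, event_id 4624 and the interactive logon types 2/7/9/10/11, over a few constructed sample Security events and aggregates them by LogonType, TargetUserName and IpAddress the way the topk panels do. It makes one legitimate divergence visible: the source-IP query additionally drops events whose IpAddress is empty or "-", so that panel's total is allowed to be lower. The JSON line layout, the `_line` helper, and the sample accounts and addresses are assumptions, not data from the poster's environment.

```python
import json
import re
from collections import Counter

# Same line exclusions and logon-type set as the dashboard's LogQL queries.
EXCLUDE = ("DWM", "UMFD", "ramcosupport", "Ramcoerpusr_app", "dashboard.user")
LOGON_TYPES = {"2", "7", "9", "10", "11"}
DATA_RE = {n: re.compile(rf"<Data Name='{n}'>\s*(?P<v>[^<]+)<")   # queries' regexp stage
           for n in ("LogonType", "TargetUserName", "IpAddress")}

def field(event_data, name):
    m = DATA_RE[name].search(event_data)
    return m.group("v") if m else ""

def logon_events(lines):
    """Shared filter chain: line exclusions, event_id 4624, interactive logon types."""
    for line in lines:
        if any(word in line for word in EXCLUDE): continue      # !~ "DWM" !~ "UMFD" ...
        ev = json.loads(line)                                   # | json
        if str(ev.get("event_id")) != "4624": continue          # | event_id=~"4624"
        logon_type = field(ev["event_data"], "LogonType")
        if logon_type in LOGON_TYPES:                           # | LogonType=~"^(2|7|9|10|11)$"
            yield ev["event_data"], logon_type

def panel_counts(lines):
    """Return (by_logon_type, by_user, by_ip) as the three topk panels count them."""
    by_type, by_user, by_ip = Counter(), Counter(), Counter()
    for data, logon_type in logon_events(lines):
        by_type[logon_type] += 1
        by_user[field(data, "TargetUserName")] += 1
        ip = field(data, "IpAddress")
        if ip and ip != "-":                                    # | IpAddress!="" | IpAddress!="-"
            by_ip[ip] += 1
    return by_type, by_user, by_ip

def _line(event_id, user, logon_type, ip):
    data = (f"<Data Name='TargetUserName'>{user}</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data><Data Name='IpAddress'>{ip}</Data>")
    return json.dumps({"channel": "Security", "computer": "SRV01",
                       "event_id": event_id, "event_data": data})

SAMPLE_LINES = [                               # constructed sample lines, assumed layout
    _line(4624, "alice", 10, "10.0.0.5"),      # counted in all three panels
    _line(4624, "bob", 2, "-"),                # console logon: no source IP, so not in by_ip
    _line(4624, "svc_backup", 3, "10.0.0.9"),  # logon type 3 is filtered out
    _line(4624, "DWM-1", 2, "-"),              # dropped by the DWM exclusion
    _line(4634, "alice", 10, "-"),             # logoff, not 4624
    _line(4624, "alice", 7, "10.0.0.5"),       # counted in all three panels
]
```

Running `panel_counts(SAMPLE_LINES)` gives 3 events by logon type and 3 by user, but only 2 by source IP, which is the gap a "-" IpAddress introduces.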

