Writing a query to extract Event ID 4663

Hello,
My Alloy configuration is:

loki.source.windowsevent "windows_security" {
	locale                 = 1033
	eventlog_name          = "Security"
	poll_interval          = "0s"
	use_incoming_timestamp = true
	forward_to             = [loki.write.default.receiver]
	labels                 = {
		job       = "windows-security",
		logsource = "windows-eventlog",
	}
	legacy_bookmark_path = "./bookmark_sec.xml"
}

loki.write "default" {
	endpoint {
		url = "http://192.168.1.2:3100/loki/api/v1/push"
	}
	external_labels = {}
}

When I run the query {job="windows-security"} |= `` I get information like the following:

{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4663,"version":1,"task":12800,"levelText":"Information","taskText":"File System","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2025-02-11T11:00:47.6158325Z","eventRecordID":126166,"execution":{"processId":4,"threadId":2656,"processName":"System"},"event_data":"\u003cData Name='SubjectUserSid'\u003eS-1-5-21-2104788189-4142446361-3889847816-1001\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003eDESKTOP-1PNH21K\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e091\u003c/Data\u003e\u003cData Name='ObjectServer'\u003eSecurity\u003c/Data\u003e\u003cData Name='ObjectType'\u003eFile\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\u003c/Data\u003e\u003cData Name='HandleId'\u003e0x293c\u003c/Data\u003e\u003cData Name='AccessList'\u003e%%4423\r\n\t\t\t\t\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x80\u003c/Data\u003e\u003cData Name='ProcessId'\u003e0x404\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e\u003cData Name='ResourceAttributes'\u003eS:AI\u003c/Data\u003e","message":"An attempt was made to access an object.\r\n\r\nSubject:\r\n\tSecurity ID:\t\tS-1-5-21-2104788189-4142446361-3889847816-1001\r\n\tAccount Name:\t\tGrafana\r\n\tAccount Domain:\t\tDESKTOP-1PNH21K\r\n\tLogon ID:\t\t0x3E091\r\n\r\nObject:\r\n\tObject Server:\t\tSecurity\r\n\tObject Type:\t\tFile\r\n\tObject Name:\t\tC:\\Users\\Grafana\\Desktop\\Test\r\n\tHandle ID:\t\t0x293c\r\n\tResource Attributes:\tS:AI\r\n\r\nProcess Information:\r\n\tProcess ID:\t\t0x404\r\n\tProcess Name:\t\tC:\\Windows\\explorer.exe\r\n\r\nAccess Request Information:\r\n\tAccesses:\t\tReadAttributes\r\n\t\t\t\t\r\n\tAccess Mask:\t\t0x80"}

When I run the query {job="windows-security", event_id="4663"} I don't get any information:

Why?

Thank you.

Hello,
It seems that the only labels are job and logsource. The rest of the fields are included in the log message. Since the log is in JSON you can do a query like this instead:
{job="windows-security"} | json | event_id=4663
or maybe just using simple line filters:
{job="windows-security"} |= "\"event_id\":4663"

If your Loki version supports structured metadata, you can try to add event_id there and then query it like this:
{job="windows-security"} | event_id=4663

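As an added example (not from this thread), here is the extraction that `| json | event_id=4663` performs, done in Python over two constructed records abbreviated from the one in the question. It shows that `event_id` lives inside the JSON line rather than in a stream label, and that `event_data` is an XML fragment that still needs a second parse to get fields such as ObjectName or AccessMask; the serialization is assumed to be exactly what Alloy emits above.

```python
import json
import re

# Constructed sample lines, abbreviated from the Alloy record in the question.
# Raw strings keep the \u003c, \\ and \r\n\t escapes exactly as Loki stores them.
SAMPLE_LINES = [
    r"""{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4663,"event_data":"\u003cData Name='SubjectUserName'\u003eGrafana\u003c/Data\u003e\u003cData Name='ObjectName'\u003eC:\\Users\\Grafana\\Desktop\\Test\u003c/Data\u003e\u003cData Name='AccessList'\u003e%%4423\r\n\t\t\t\t\u003c/Data\u003e\u003cData Name='AccessMask'\u003e0x80\u003c/Data\u003e\u003cData Name='ProcessName'\u003eC:\\Windows\\explorer.exe\u003c/Data\u003e"}""",
    # Constructed second record with a different event_id, so the filters have something to exclude.
    r"""{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"DESKTOP-1PNH21K","event_id":4624,"event_data":"\u003cData Name='TargetUserName'\u003eGrafana\u003c/Data\u003e"}""",
]

# After json.loads the \u003c/\u003e escapes are plain angle brackets again.
EVENT_DATA_RE = re.compile(r"<Data Name='([^']+)'>(.*?)</Data>", re.S)


def parse_event_data(event_data: str) -> dict:
    """Turn the <Data Name='X'>value</Data> fragment into a dict.
    strip() removes the CRLF/tab padding Windows leaves in fields like AccessList."""
    return {name: value.strip() for name, value in EVENT_DATA_RE.findall(event_data)}


def parse_record(line: str) -> dict:
    """Equivalent of `| json`: the whole line is one JSON object; event_data is nested XML."""
    rec = json.loads(line)
    rec["event_data"] = parse_event_data(rec.get("event_data", ""))
    return rec


def select_event(lines, event_id: int) -> list:
    """Equivalent of `| json | event_id=4663`: filter on the parsed JSON field,
    which is why a label selector {event_id="4663"} matches nothing."""
    return [rec for rec in map(parse_record, lines) if rec.get("event_id") == event_id]


def line_filter(lines, event_id: int) -> list:
    """Equivalent of the line filter |= "\"event_id\":4663".
    Cheaper, but it relies on the exact serialization (no space after the colon)."""
    needle = f'"event_id":{event_id}'
    return [line for line in lines if needle in line]


if __name__ == "__main__":
    for rec in select_event(SAMPLE_LINES, 4663):
        ed = rec["event_data"]
        print(rec["computer"], ed["SubjectUserName"], ed["ObjectName"], ed["AccessMask"], ed["ProcessName"])
```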

Hello,
Thank you so much for your reply.
I tested all three queries and got no output. The Loki version is:

# loki --version
loki, version 3.3.2 (branch: release-3.3.x, revision: 23b5fc2c)
  build user:       root@b9db99946dd3
  build date:       2024-12-18T16:50:49Z
  go version:       go1.23.1
  platform:         linux/amd64
  tags:             netgo