Get a clean output from windows logs in Grafana

I’ve started playing around with Loki and Windows security logs. What I’m looking for is a way to show locked out user accounts in a dashboard. All the info I need is in the line text, but I can’t figure out a way to clean up or extract the info.

Logline looks like this:
{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","computer":"","event_id":4740,"task":13824,"levelText":"Information","taskText":"User Account Management","opCodeText":"Info","keywords":"Audit Success","timeCreated":"2023-03-31T09:32:49.109963600Z","eventRecordID":15976100448,"execution":{"processId":624,"threadId":3872,"processName":"lsass.exe"},"event_data":"\u003cData Name='TargetUserName'\u003e"USERNAME"\u003c/Data\u003e\u003cData Name='TargetDomainName'\u003e"COMPUTERNAME"\u003c/Data\u003e\u003cData Name='TargetSid'\u003e"SID"\u003c/Data\u003e\u003cData Name='SubjectUserSid'\u003e"SUS"\u003c/Data\u003e\u003cData Name='SubjectUserName'\u003e"SERVER"$\u003c/Data\u003e\u003cData Name='SubjectDomainName'\u003e"DOMAIN"\u003c/Data\u003e\u003cData Name='SubjectLogonId'\u003e0x3e7\u003c/Data\u003e","message":"A user account was locked out.\r\n\r\nSubject:\r\n\tSecurity ID:\t\t"SUS"\r\n\tAccount Name:\t\t"SERVER"$\r\n\tAccount Domain:\t\t"DOMAIN"\r\n\tLogon ID:\t\t0x3E7\r\n\r\nAccount That Was Locked Out:\r\n\tSecurity ID:\t\t"SID"\r\n\tAccount Name:\t\t"USERNAME"\r\n\r\nAdditional Information:\r\n\tCaller Computer Name:\t"COMPUTER"}

All I need is time, username and caller computername. If I could get this info in a table, I would be very happy (for a while).

You have a lot of generic text in your example, and I am not entirely sure which part is what you are interested in. But look into the json and pattern parsers, potentially even regexp: Log queries | Grafana Loki documentation

Hi, I’ve looked at the documentation, and tried to get something to work. All I need is “username” and “Computer”. I was trying something like this for username: (?<=u003e).*?(?=\u003c), but no luck.
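One way to pull the locked-out user and the caller computer out of this event in LogQL, written as an added example for this thread (not from the original posts, and not tested against the poster's setup). Loki's regexp stage uses Go's RE2 engine, which has no lookbehind such as (?<=...), so the query below uses named capture groups instead, and it relies on the json parser unescaping \u003c/\u003e back to < and > before line_format hands those fields to regexp. The stream selector {job="windows-security"} is an assumption; every other field name comes from the sample line above.

```logql
# Assumed stream selector; replace with whatever labels your Promtail windows_events job sets.
{job="windows-security"}
  # Turn the top-level JSON keys (event_id, timeCreated, event_data, message, ...) into labels.
  | json
  # Keep only 4740 "A user account was locked out." events.
  | event_id = "4740"
  # Make the unescaped event_data XML the current line so regexp can match it.
  | line_format "{{ .event_data }}"
  | regexp `Name='TargetUserName'>(?P<target_user>[^<]*)<`
  # The caller computer only appears in the message text, so match that next.
  | line_format "{{ .message }}"
  | regexp `Caller Computer Name:\s+(?P<caller_computer>[^\r\n]+)`
  # Render one clean line per lockout; the extracted labels also remain available as fields.
  | line_format "{{ .timeCreated }} locked_out_user={{ .target_user }} caller_computer={{ .caller_computer }}"
```

In Grafana, set the visualization to Table and apply the "Labels to fields" transformation so target_user and caller_computer become columns next to the timestamp.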
