Parse data from Windows event log and extract labels from "event_data"

Hello All
I have following output with promtail in loki below

	(no unique labels)	
{
  "source": "Microsoft-Windows-Security-Auditing",
  "channel": "Security",
  "computer": "DLT-BSH-AD01.DOMAIN.local",
  "event_id": 6272,
  "version": 2,
  "task": 12552,
  "levelText": "Information",
  "taskText": "Network Policy Server",
  "opCodeText": "Info",
  "keywords": "Audit Success",
  "timeCreated": "2023-06-17T11:40:28.222467700Z",
  "eventRecordID": 3398695084,
  "correlation": {
    "activityID": "{71456862-5043-0018-6968-45714350d901}"
  },
  "execution": {
    "processId": 788,
    "threadId": 820,
    "processName": "lsass.exe"
  },
  "event_data": "<Data Name='SubjectUserSid'>S-1-5-21-2752612933-1646568981-4245257801-1355</Data><Data Name='SubjectUserName'>ozeevi</Data><Data Name='SubjectDomainName'>DOMAIN</Data><Data Name='FullyQualifiedSubjectUserName'>DOMAIN.local/America/USA/NewYork/Users/Migrated/Ortal Zeevi</Data><Data Name='SubjectMachineSID'>S-1-0-0</Data><Data Name='SubjectMachineName'>-</Data><Data Name='FullyQualifiedSubjectMachineName'>-</Data><Data Name='CalledStationID'>90:e2:ba:34:44:5a:gfn-fw-bsh.gefen.local</Data><Data Name='CallingStationID'>1x9.x0x.1xx.xx1:1197</Data><Data Name='NASIPv4Address'>xx2.x43.xx7.1</Data><Data Name='NASIPv6Address'>-</Data><Data Name='NASIdentifier'>openVPN</Data><Data Name='NASPortType'>Virtual</Data><Data Name='NASPort'>1197</Data><Data Name='ClientName'>AD01_VPN</Data><Data Name='ClientIPAddress'>xx2.x43.xx7.1</Data><Data Name='ProxyPolicyName'>Use Windows authentication for all users</Data><Data Name='NetworkPolicyName'>VPN_ALLOW_USERS</Data><Data Name='AuthenticationProvider'>Windows</Data><Data Name='AuthenticationServer'>DLT-BSH-AD01.DOMAIN.local</Data><Data Name='AuthenticationType'>MS-CHAPv2</Data><Data Name='EAPType'>-</Data><Data Name='AccountSessionIdentifier'>-</Data><Data Name='LoggingResult'>Accounting information was written to the local log file.</Data>",
  "message": "Network Policy Server granted access to a user.\r\n\r\nUser:\r\n\tSecurity ID:\t\t\tS-1-5-21-2752612933-1646568981-4245257801-1355\r\n\tAccount Name:\t\t\tozeevi\r\n\tAccount Domain:\t\t\tDOMAIN\r\n\tFully Qualified Account Name:\tDOMAIN.local/America/USA/NewYork/Users/Migrated/Ortal Zeevi\r\n\r\nClient Machine:\r\n\tSecurity ID:\t\t\tS-1-0-0\r\n\tAccount Name:\t\t\t-\r\n\tFully Qualified Account Name:\t-\r\n\tCalled Station Identifier:\t\t90:e2:ba:34:44:5a:gfn-fw-bsh.gefen.local\r\n\tCalling Station Identifier:\t\t1x9.x0x.1xx.xx1:1197\r\n\r\nNAS:\r\n\tNAS IPv4 Address:\t\txx2.x43.xx7.1\r\n\tNAS IPv6 Address:\t\t-\r\n\tNAS Identifier:\t\t\topenVPN\r\n\tNAS Port-Type:\t\t\tVirtual\r\n\tNAS Port:\t\t\t1197\r\n\r\nRADIUS Client:\r\n\tClient Friendly Name:\t\tAD01_VPN\r\n\tClient IP Address:\t\t\txx2.x43.xx7.1\r\n\r\nAuthentication Details:\r\n\tConnection Request Policy Name:\tUse Windows authentication for all users\r\n\tNetwork Policy Name:\t\tVPN_ALLOW_USERS\r\n\tAuthentication Provider:\t\tWindows\r\n\tAuthentication Server:\t\tDLT-BSH-AD01.DOMAIN.local\r\n\tAuthentication Type:\t\tMS-CHAPv2\r\n\tEAP Type:\t\t\t-\r\n\tAccount Session Identifier:\t\t-\r\n\tLogging Results:\t\t\tAccounting information was written to the local log file.\r\n"
}

I would like to extract labels from "event_data": for example, I would like to create a label from

r\n\tClient IP Address:\t\t\txx2.x43.xx7.1\r\n\r

Should it be done with a regexp?
Please advise.
Thanks

You can do that with promtail by passing the log line to json, then to regex, then to labels (not tested):

pipeline_stages:
  - json:
      expressions:
        event_data:
  - regex:
      expression: "'ClientIPAddress'>(?P<ClientIP>\\d+\\.\\d+\\.\\d+\\.\\d+)<"
      source: event_data
  - labels:
      client_ip: ClientIP

If you have a lot of IPs, it may not be a good idea to make them into labels. If that's the case, you can also just parse it with LogQL like this (the idea is the same):

{SELECTOR}
  | json
  | line_format "{{.event_data}}"
  | regexp `'ClientIPAddress'>(?P<ClientIP>\d+\.\d+\.\d+\.\d+)<`
1 Like
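The answer's regex can be checked offline before touching the promtail config, because promtail's regex stage uses Go's regexp package: if a pattern matches in Go, it matches in the pipeline. The following Go program is an added example, not code from the thread or from promtail. It parses a constructed JSON log line in the shape shown in the question (event_data trimmed to a few fields, with a made-up client IP), runs the answer's ClientIPAddress regex verbatim, and goes one step further than the answer by pulling every `<Data Name='X'>value</Data>` pair into a map. The split of fields into bounded-cardinality labels (channel, event_id, NAS identifier, policy name) versus per-connection values that stay in the line (client IP, user) is this example's own choice, following the answer's cardinality advice; the label names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// sampleLine is a constructed log line in the shape promtail emits for a
// Windows NPS event 6272; event_data is trimmed and the IP is made up.
const sampleLine = `{"source":"Microsoft-Windows-Security-Auditing","channel":"Security","event_id":6272,"event_data":"<Data Name='SubjectUserName'>ozeevi</Data><Data Name='NASIdentifier'>openVPN</Data><Data Name='ClientIPAddress'>10.0.0.1</Data><Data Name='NetworkPolicyName'>VPN_ALLOW_USERS</Data><Data Name='AuthenticationType'>MS-CHAPv2</Data>"}`

// winEvent mirrors only the JSON keys this example needs; encoding/json
// ignores the rest of the document (message, execution, correlation, ...).
type winEvent struct {
	Source    string `json:"source"`
	Channel   string `json:"channel"`
	EventID   int    `json:"event_id"`
	EventData string `json:"event_data"`
}

// clientIPRe is the regex from the answer, verbatim. promtail's regex stage
// compiles its expression with Go's regexp, so this is the same matcher.
var clientIPRe = regexp.MustCompile(`'ClientIPAddress'>(?P<ClientIP>\d+\.\d+\.\d+\.\d+)<`)

// dataRe generalizes the single-field regex: it captures every
// <Data Name='X'>value</Data> pair carried in event_data.
var dataRe = regexp.MustCompile(`<Data Name='(?P<name>[^']+)'>(?P<value>[^<]*)</Data>`)

// ExtractClientIP does what the answer's regex stage does: it returns the
// named capture ClientIP, or "" when the line has no such field (the regex
// stage would then simply not set the extracted key).
func ExtractClientIP(eventData string) string {
	m := clientIPRe.FindStringSubmatch(eventData)
	if m == nil {
		return ""
	}
	return m[clientIPRe.SubexpIndex("ClientIP")]
}

// ParseEventData turns the XML-like event_data string into a map of
// field name to value, so any field can be looked up by its Data Name.
func ParseEventData(eventData string) map[string]string {
	fields := make(map[string]string)
	for _, m := range dataRe.FindAllStringSubmatch(eventData, -1) {
		fields[m[dataRe.SubexpIndex("name")]] = m[dataRe.SubexpIndex("value")]
	}
	return fields
}

// ProcessLine parses one JSON log line and returns two maps: labels holds
// fields with a small, bounded set of values (safe to index in Loki);
// extracted holds per-connection values such as the client IP, which are
// better parsed at query time with `| json | regexp` than turned into labels.
func ProcessLine(line string) (labels map[string]string, extracted map[string]string, err error) {
	var ev winEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return nil, nil, err
	}
	fields := ParseEventData(ev.EventData)
	labels = map[string]string{ // label names are this example's assumptions
		"channel":        ev.Channel,
		"event_id":       fmt.Sprint(ev.EventID),
		"nas_identifier": fields["NASIdentifier"],
		"network_policy": fields["NetworkPolicyName"],
	}
	extracted = map[string]string{
		"client_ip": ExtractClientIP(ev.EventData),
		"user":      fields["SubjectUserName"],
		"auth_type": fields["AuthenticationType"],
	}
	return labels, extracted, nil
}

func main() {
	labels, extracted, err := ProcessLine(sampleLine)
	if err != nil {
		panic(err)
	}
	fmt.Println("labels:   ", labels)
	fmt.Println("extracted:", extracted)
}
```

Run it with `go run main.go`. Note that the regex expects digits, so it will not match the masked values (`xx2.x43.xx7.1`) pasted in the question; against real, unmasked event_data it matches as the answer intends. If a new NPS field should become a label, add it to the `labels` map here first and check how many distinct values it takes before adding a `labels:` entry to the promtail pipeline.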

Thank you very much :smiley:

1 Like
