DocumentationIntegrations
Documentation
Contact Us

winlogToJsonUDF

Convert unstructured Windows logs to JSON.

Suggest Edits

Convert unstructured Windows logs to JSON format so values can be extracted by keys.

Usage Details

winlogToJsonUDF(fieldname)

--fieldname: Column name of a table

Example

Input 

instance of Win32_NTLogEvent
{
      Computer = "US1-VPEXMA90.example.com";
    ...
    Category = 12548;
    CategoryString = "Special Logon";
    Message = "Special privileges assigned to new logon.
 
Subject:
    Security ID:        example\SVC_SolarWMI
    Account Name:       SVC_SolarWMI
    Account Domain:
    Logon ID:       0x660870ee
 
Privileges:     SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege";
    InsertionStrings = {"S-1-5-21-1939467313-459414247-2469239425-51005", "SVC_SolarWMI", "example", "0x660870ee", "SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege"};
};

select winlogToJsonUDF(_raw) as jsonField from table

Output

Resulting jsonField column.

{
    "Message":"Special privileges assigned to new logon."
    "Subject":{
        "Security ID":"example\\SVC_SolarWMI",
        "Account Name":"SVC_SolarWMI",
        "Account Domain":""
        "Logon ID":"0x660870ee"
    }
    "Privileges":["SeSecurityPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeTakeOwnershipPrivilege"]
}

"Account Name" can now be extracted from jsonField (output of a parsing to JSON format or a raw Windows log). The returned value is "SVC_SolarWMI".

"$.Subject.Account Name" is used in the LQL (exact keyword, space included) because "Account Name" is a subfield of the "Subject" field.

select get_json_object("jsonField","$.Subject.Account Name") from table

Updated about 1 year ago

© Devo Technology Inc. All Rights Reserved.