winlogToJsonUDF

Convert unstructured Windows logs to JSON.

Convert unstructured Windows logs to JSON format so values can be extracted by keys.

Usage Details

winlogToJsonUDF(fieldname)

--fieldname: Column name of a table

Example

Input

instance of Win32_NTLogEvent
{
      Computer = "US1-VPEXMA90.moelisib.com";
    ...
    Category = 12548;
    CategoryString = "Special Logon";
    Message = "Special privileges assigned to new logon.
 
Subject:
    Security ID:        MOELISIB\SVC_SolarWMI
    Account Name:       SVC_SolarWMI
    Account Domain:
    Logon ID:       0x660870ee
 
Privileges:     SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege";
    InsertionStrings = {"S-1-5-21-1939467313-459414247-2469239425-51005", "SVC_SolarWMI", "MOELISIB", "0x660870ee", "SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege"};
};
select winlogToJsonUDF(_raw) as jsonField from table

Output

Resulting jsonField column.

{
    "Message":"Special privileges assigned to new logon."
    "Subject":{
        "Security ID":"MOELISIB\\SVC_SolarWMI",
        "Account Name":"SVC_SolarWMI",
        "Account Domain":""
        "Logon ID":"0x660870ee"
    }
    "Privileges":["SeSecurityPrivilege","SeBackupPrivilege","SeRestorePrivilege","SeTakeOwnershipPrivilege"]
}

"Account Name" can now be extracted from jsonField (output of a parsing to JSON format or a raw Windows log). The returned value is "SVC_SolarWMI".

"$.Subject.Account Name" is used in the LQL (exact keyword, space included) because "Account Name" is a subfield of the "Subject" field.

select get_json_object("jsonField","$.Subject.Account Name") from table

Did this page help you?