winlogToJsonUDF

Convert unstructured Windows logs to JSON format so values can be extracted by keys.

Usage details

LQL Command

winlogToJsonUDF(fieldname)

--fieldname: Column name of a table

Example

Input

Win32 event

instance of Win32_NTLogEvent
{
      Computer = "US1-VPEXMA90.example.com";
    ...
    Category = 12548;
    CategoryString = "Special Logon";
    Message = "Special privileges assigned to new logon.
 
Subject:
    Security ID:        example\SVC_SolarWMI
    Account Name:       SVC_SolarWMI
    Account Domain:
    Logon ID:       0x660870ee
 
Privileges:     SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege";
    InsertionStrings = {"S-1-5-21-1939467313-459414247-2469239425-51005", "SVC_SolarWMI", "example", "0x660870ee", "SeSecurityPrivilege
            SeBackupPrivilege
            SeRestorePrivilege
            SeTakeOwnershipPrivilege"};
};

LQL command

select winlogToJsonUDF(_raw) as jsonField from table

Output

Resulting jsonField column.

JSON

"Account Name" can now be extracted from jsonField (output of a parsing to JSON format or a raw Windows log). The returned value is "SVC_SolarWMI".

"$.Subject.Account Name" is used in the LQL (exact keyword, space included) because "Account Name" is a subfield of the "Subject" field.

LQL