Processing windows Security event logs and parsing event_data XML into JSON for later querying

[mennotech]

I'm looking to use Grafana Cloud for collecting metrics and log data. Currently I have a mix of Linux and Windows Servers that I would like to connect data from.

I have been able to start collecting data from my Windows Servers. So far things are working well. However, I would like to collect Security event logs as well. I was able to get this to work by adding the following to the Grafana Agent [static mode] configuration.

    - job_name: integrations/windows-exporter-system
      windows_events:
        use_incoming_timestamp: true
        bookmark_path: "./bookmarks-security.xml"
        eventlog_name: "Security"
        xpath_query: '*'
        locale: 1033
        # - 1033 to force English language
        # -  0 to use default Windows locale
        labels:
          job: integrations/windows_exporter
          instance: 'name' # must match instance used in windows_exporter
      relabel_configs:
        - source_labels: ['computer']
          target_label: 'agent_hostname'
      pipeline_stages:
        - json:
            expressions:
              source: source
              level: levelText
        - labels:
            source:
            level:    

Security event log items are flowing properly to Grafana Cloud. However, I'm unable to do advanced queries, for example like filtering based on SubjectUserName or TargetUserSid values.

{channel="Security"} | json

This parses out some of the data into searchable fields. However, the really useful data is stored in the "event_data" field. The information in the event_data field is encoded in XML. From what I can tell, there is no way format XML data in Grafana Cloud.

My questions is, can the event_data field be converted into JSON by the Grafana Agent so that I can query the event_data easily in Granafa Cloud?

[mennotech]

For context, it appears winlogbeat parses the event_data XML data into separate values for storage and later querying:

https://www.elastic.co/guide/en/beats/winlogbeat/current/exported-fields-winlog.html#_event_data