Hello,
I want to send Security-related logs to Loki server using PSLoki
module, but I couldn’t find an example.
Any idea welcomed.
Thank you.
There are examples on their GitHub page for the project:
They also state to use Get-Help against all their commands to familiarize yourself.
Hello,
If you mean the example below, I have to say that, firstly, it didn’t work properly for me and, secondly, it sends the entire log:
# Stream labels: every entry in this push shares these key/value pairs
$labels = @{
    'label' = 'value'
    'foo'   = 'bar'
}
# Entries: Loki wants a nanosecond epoch timestamp (as a string) plus the log line
$logEntries = @(
    @{
        time = "1666644815000000000"
        line = "log something"
    }
    @{
        time = "1666644823000000000"
        line = "log something else"
    }
)
# Push the stream to the Loki HTTP API; the response carries the HTTP status
$response = Send-LokiLogEntry -URI "https://logs-prod-us-central1.grafana.net/loki/api/v1/push" -Labels $labels -Entries $logEntries
Write-Host "Log entries sent to Loki [$($response.StatusCode) $($response.StatusDescription)]"
About the parameters of this command I saw this URL. I didn’t see anything about filtering. For example, only sending IDs 4660 and 4663 to the Loki server. Is there another way to do this?
Yeah, I don’t know. I don’t know what a Loki server is, or anything about these log files; I’m simply pointing out the information that’s available.
Reading the PSLoki page it looks like you have to provide log entries in a very specific format in a hashtable. I see you already opened an issue on their Github page, but it looks like you’re the first person ever to do so. I’m not sure what their response time will be like.
If I’m understanding everything that’s in play correctly, you’d have to ‘get’ the logs from the Windows event log using cmdlets to do that:
PS> $Logs = Get-WinEvent -FilterHashtable @{LogName = "Security"; Id = 4660,4663}
Those are an EventLogRecord object:
PS> $Logs[0].GetType()

IsPublic IsSerial Name            BaseType
-------- -------- ----            --------
True     False    EventLogRecord  System.Diagnostics.Eventing.Reader.EventRecord
Then it sounds like you have to get each one of those records into the hashtable format that Loki wants. The “TimeCreated” property of each EventLogRecord is a DateTime object that needs to be converted to epoch time for Loki. And then I guess just throw the Message property contents into that hashtable as the “line” value? idk.
EDIT: they provide you a function for converting the timestamp:
PS> Get-LokiTimestamp -Timestamp $Logs[0].TimeCreated
1741186963000000000
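Putting the pieces from the reply above together, here is an added end-to-end example (not code from PSLoki, its README, or anyone in this thread). It only relies on what the thread shows of the module: Get-LokiTimestamp -Timestamp and Send-LokiLogEntry -URI/-Labels/-Entries. Everything else is an assumption for illustration: the Loki URL is a placeholder, the one-hour lookback window, the label names, and the choice to send a compact JSON line per event instead of the full Message text.

```powershell
# Added example: push Security events 4660 and 4663 to Loki with PSLoki.
# Assumes PSLoki is installed and $LokiUri points at your own push endpoint.
Import-Module PSLoki

$LokiUri = 'http://loki.example.internal:3100/loki/api/v1/push'   # assumption: placeholder URL

# Filter at the source: only the two event IDs, only the last hour (assumed window).
# 4660 = object deleted, 4663 = attempt to access an object (both need object-access auditing / a SACL).
$filter = @{
    LogName   = 'Security'
    Id        = 4660, 4663
    StartTime = (Get-Date).AddHours(-1)
}
# Get-WinEvent raises a non-terminating error when nothing matches, so silence it and test $events.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host 'No matching events; nothing to send.'
    return
}

# Stream labels (assumed names). Keep them low-cardinality: host and log name, never
# per-event values such as user names or object paths, or Loki ends up with one stream per event.
$labels = @{
    job      = 'windows-security'
    host     = $env:COMPUTERNAME
    log_name = 'Security'
}

# One entry per event. Loki wants a nanosecond epoch timestamp, which PSLoki's
# Get-LokiTimestamp produces from the TimeCreated DateTime. The line is compact JSON
# (assumed format) so the fields are searchable in Loki without shipping the whole Message.
$entries = @(foreach ($e in $events) {
    $line = [ordered]@{
        event_id  = $e.Id
        record_id = $e.RecordId
        time      = $e.TimeCreated.ToString('o')
        user_sid  = if ($e.UserId) { $e.UserId.Value } else { $null }
        summary   = ($e.Message -split "`r?`n")[0]   # first line only: the event summary
    } | ConvertTo-Json -Compress

    @{
        time = Get-LokiTimestamp -Timestamp $e.TimeCreated
        line = $line
    }
})

# Older Loki versions reject out-of-order entries within a stream, so sort ascending by timestamp.
$entries = @($entries | Sort-Object { [long]$_.time })

# Send in batches so a busy hour does not turn into one huge request body.
$batchSize = 500
for ($i = 0; $i -lt $entries.Count; $i += $batchSize) {
    $last  = [Math]::Min($i + $batchSize, $entries.Count) - 1
    $batch = @($entries[$i..$last])
    $response = Send-LokiLogEntry -URI $LokiUri -Labels $labels -Entries $batch
    Write-Host ("Sent {0} entries [{1} {2}]" -f $batch.Count, $response.StatusCode, $response.StatusDescription)
}
```

Run it on a schedule (a scheduled task every few minutes) and replace the fixed one-hour window with a persisted "last RecordId sent" to avoid gaps and duplicates; the filtering happens in Get-WinEvent, which is why nothing in PSLoki itself needs a filter parameter.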
Hello,
Thank you so much for your reply.
Unfortunately, there are no practical examples!
I think you might be forging your own path here so there might not be any examples to copy from.
I think for Windows log collection most people are probably using an agent (maybe Grafana Alloy?) to push the logs to Loki.
If you want to strictly use PowerShell and the PSLoki module it looks like you’re going to have to write it yourself. The code snippets I provided should be enough to get you going, but if it seems a little daunting right now it might be a sign that it’s time to step back and consider if there’s a better approach for this. Not everything needs to be solved in PowerShell.