Issues using Regex search

Hi there Graylog community,

I seem to be having an issue with regex searches. We're running Graylog 2.4.7+9116ead (I know, it's out of date), and I believe our Elasticsearch is 5.6 (based on the page the Graylog documentation sends me to).

I'm trying to build a regex that matches logs that look like passwords, to run as a check that we aren't logging passwords in plaintext. I know that in the logs there are some passwords, with the forms:
"password":"$sampleString01"
"Password":"$sampleString02"
password $sampleString02,

etc. Obviously, not all of our passwords are of this form, but the ones that I know are in the logs are. When I regex search
message:/sampleString[0-9]+/
I get several matches, but when I search
message:/$sampleString[0-9]+/
I get no matches.
Similarly,
message:/\WsampleString[0-9]+/
gets no matches. Curiously,
message:/[\w\W]+/
will only match w characters.

I suspect that there is some problem with escaping characters; here's the search query for that last one, if it helps:

{
  "from": 0,
  "size": 150,
  "query": {
    "bool": {
      "must": {
        "query_string": {
          "query": "message:/[\\w\\W]+/",
          "allow_leading_wildcard": true
        }
      },
      "filter": {
        "bool": {
          "must": {
            "range": {
              "timestamp": {
                "from": "2019-05-09 16:58:15.930",
                "to": "2019-05-09 17:58:15.930",
                "include_lower": true,
                "include_upper": true
              }
            }
          }
        }
      }
    }
  },
  "sort": [
    {
      "timestamp": {
        "order": "desc"
      }
    }
  ],
  "highlight": {
    "fragment_size": 0,
    "number_of_fragments": 0,
    "require_field_match": false,
    "fields": {
      "*": {}
    }
  }
}

Is this some form of configuration issue?
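The following Python script is an added example, not part of the thread above and not Graylog or Elasticsearch code. It emulates what happens to the four queries in the post under two assumptions: that the message field is indexed with Lucene's standard analyzer (Graylog's default mapping for message, approximated here by lowercasing and splitting on non-word characters), and that query_string lowercases regexp terms before Lucene sees them (the Elasticsearch 2.x default for lowercase_expanded_terms). Lucene's regexp dialect has no \w or \W classes; a backslash only makes the next character literal. The sample log lines are constructed to match the shapes the poster described, and the final function shows the defender-side alternative of pulling candidates with a plain term query and running a real regex over the raw message text.

```python
import re

# Constructed sample log lines (not from the original post): the three
# shapes the poster listed plus two benign lines.
SAMPLE_LOGS = [
    '"password":"$sampleString01"',
    '"Password":"$sampleString02"',
    'password $sampleString02,',
    'user login ok',
    'health check from www',
]


def standard_tokens(text):
    """Approximate Lucene's StandardAnalyzer (assumption: what Graylog applies
    to the message field): lowercase and split on anything that is not a
    letter, digit or underscore.  Punctuation such as '$', '"' and ','
    therefore never reaches the index as part of a term."""
    return [t.lower() for t in re.findall(r"[0-9A-Za-z_]+", text)]


def lucene_to_python(pattern):
    """Translate the parts of Lucene's regexp dialect that matter here.

    Lucene has no \\w / \\W / \\d classes: a backslash simply makes the next
    character literal, so '\\w' means the letter 'w'.  Before that, Elasticsearch
    2.x query_string lowercases regexp terms by default (assumption:
    lowercase_expanded_terms left at its default), which turns '\\W' into '\\w'.
    """
    lowered = pattern.lower()
    return re.sub(r"\\(.)", lambda m: re.escape(m.group(1)), lowered)


def regexp_search(pattern, logs=SAMPLE_LOGS):
    """Emulate message:/pattern/ -- Lucene regexp queries are anchored and run
    against each indexed term, so a document matches only if some whole
    token matches the pattern."""
    py_pattern = lucene_to_python(pattern)
    return [
        line for line in logs
        if any(re.fullmatch(py_pattern, tok) for tok in standard_tokens(line))
    ]


def find_plaintext_passwords(logs=SAMPLE_LOGS):
    """Defender-side check the regexp query cannot express: select candidate
    messages with a plain term match on 'password', then run a full regex
    over the raw text, where the '$' and the surrounding quotes still exist.
    The value pattern is constructed for the sample data."""
    candidates = [line for line in logs if "password" in standard_tokens(line)]
    raw_pattern = re.compile(r'password"?\s*:?\s*"?\$sampleString\d+', re.IGNORECASE)
    return [line for line in candidates if raw_pattern.search(line)]


if __name__ == "__main__":
    for q in ["sampleString[0-9]+", "$sampleString[0-9]+",
              r"\WsampleString[0-9]+", r"[\w\W]+"]:
        print(f"message:/{q}/ -> Lucene sees {lucene_to_python(q)!r} -> "
              f"{len(regexp_search(q))} hit(s)")
    print("raw-text check:", find_plaintext_passwords())
```

Run stand-alone, the script reproduces the post's observations: the bare pattern hits all three password lines, the `$` and `\W` variants hit nothing because no indexed token contains those characters, and `[\w\W]+` collapses to `[ww]+` and only matches a token made of w's. The raw-text check finds all three password lines, which is the check the poster actually wants.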

We are actually using Elasticsearch version 2.3.7.

Did you have the information you search for in a separate field, or is it only part of the message field?
