Regex in Search Field


(Tom Powers) #1

Hello Graylog Community,

I know I can use this in a stream, where I can have a regex contains [a-zA-Z0-9/+=]{500}

I’m using that to look for Base64 encoded commands

But how could I use that in a regular search in Graylog?

Running as a stream tends to die due to excessive processing time

I tried escaping the characters but always get the giant screen of fail

All insight is appreciated

Thanks

TP


(Jan Doberstein) #2

I would try to extract that with a processing pipeline; having that in a single field would make it easy to search for.

Extracting the information makes it easier to search and compare messages.


(Tom Powers) #3

The documentation is a bit spotty and I’m having some issues piecing this together. Would you have a pipeline example with the syntax listed here so I can sort of assemble my mind around this? I think once I get the idea it will become clear.

All insight is appreciated!!


(Jan Doberstein) #4

Without knowing your data it is impossible to build a processing pipeline that makes sense.


(Tom Powers) #5

Understood.

The regex in question is a simple query against the command line field in GELF coming from Windows machines.

Looking for stuff like

jusched.exe /c asklhfalksdhflksadjhnflaskjdncvlsadkjnclksjadnclkjasnclkjsddclkjanlskdjncksjddlkcajnadskjcnlksjdandclkjsadclkjnsdlkjcdnlakjndckjsadclkajdslkcjnaslkdjnclkjasdncdkljdnlcjdsnckweijsdjnckasdnc

Which would be an encoded command.

Does that help any?


#6

You should rewrite it based on your needs, but here is a working example.

```
rule "elastic server address"
when
    contains(to_string($message.message), "Retrying request to")
then
    set_field("elastic_ip", regex("http://(.*):9200", to_string($message.message))["0"]);
end
```

The pipeline can encode base64; I would also store the encoded version, maybe it is better for search.
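As an added example (not code posted in this thread), here is a pipeline rule shaped the way the question asks: it captures a Base64-looking run of 500 or more characters from the Windows command-line field and stores it in its own field. The field name `CommandLine` and the output field names are assumptions; use whatever GELF field your Windows shipper actually emits.

```text
rule "flag long base64-like command line"
when
    // only evaluate messages that carry the command-line field (assumed field name)
    has_field("CommandLine") &&
    // {500,} matches the long encoded blob; the single capture group is exposed as ["0"]
    regex("([A-Za-z0-9/+=]{500,})", to_string($message.CommandLine)).matches == true
then
    let m = regex("([A-Za-z0-9/+=]{500,})", to_string($message.CommandLine));
    // a dedicated field turns the search into a field lookup instead of a regex query
    set_field("encoded_command", m["0"]);
    // boolean marker so dashboards and alerts can key on it directly
    set_field("suspicious_encoded_cmd", true);
end
```

Searching then becomes `_exists_:encoded_command` or `suspicious_encoded_cmd:true` rather than a regex evaluated over every message, which is what was timing out the stream rule. If the captured run is valid Base64, `base64_decode(m["0"])` can populate a second field with the decoded text so both forms are stored, as the reply above suggests.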

