
Search for special character ":" does not work

Description of your problem

Hi, I am trying to perform a query like the following:
CommandLine :( "test" "test2") OR (CommandLine :( "token" "rpc") AND CommandLine :( "\: \:"))

This returns valid results because the word “token” has been found in the command line; however, there is no “::” within the command line. So… why does it return results?

If I remove “token”, no result is returned. In fact, if I search only for “:” or for “::”, escaping the colon with a backslash, there is no result (and it should return results, such as those of paths like C:\ … which do contain a colon).

Why does this happen?

Appreciate any help

Operating system information

  • CentOS

Package versions

  • Graylog 4.1
  • MongoDB 4.2
  • Elasticsearch 7
  • Service logs, configuration, and environment variables: Sysmon logs

Hello && Welcome

Have you tried something like this?

CommandLine: ( "test" "test2") OR CommandLine: ( "token" "rpc") AND CommandLine: ( "\: \:")

Maybe this documentation will help.

Search query language

Hi @gsmith, thank you for the reply :slight_smile:

Yes, I tried it:


I also looked at the official Graylog page…

The special characters are not working for me. In fact, I have seen it in other examples as well.
Do I have to enable anything in the Graylog or Elasticsearch configuration to be able to search for special characters?

1 Like

Hello,

I noticed you have a pipe at the end of your search?
My apologies, I haven’t done a lot of commands in the search bar. I’m wondering about the field you’re using called CommandLine. I’m unaware this can be used, or is this a custom field? Is it possible to show where you see this in the documentation? Maybe I can get a better understanding.

EDIT: I tried this in my lab, but unless this is a custom field/configuration I don’t have it. I do have ProcessCommandLine, as shown below:

1 Like

Hi again,

You’re right! :smiley:
These are my fields:
image

As I have not used Graylog before, I did not know that the original field was ProcessCommandLine … what I created at the beginning of the Graylog configuration is the following (to allow regex on the CommandLine field):

{
  "template": "graylog_*",
  "mappings": {
      "properties": {
        "CommandLine": {
          "analyzer": "standard",
          "fielddata": "false",
          "type" : "text"
        }
      }
  }
}

I understand that this is my problem: after sending that to /_template/graylog-custom-mapping, the field no longer lets me search for special characters.

Hmmm…
The next question is how to fix this, and, in addition to allowing regex as before, I am not sure whether I removed any configuration of the field when doing this.

Thank you @gsmith

PS: the pipe is my mouse

1 Like
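For the root cause described in the last post: with "type": "text" and the standard analyzer, Elasticsearch tokenizes each CommandLine value before indexing, and the standard tokenizer never emits punctuation such as ":" or "::" as a term of its own, so a query for "\:\:" has nothing to match against even when the raw value contains it. The usual fix is a multi-field: keep the analyzed text field for word matching and add a keyword sub-field that stores the value verbatim, so exact and regex searches on special characters work against the sub-field. The template below is an added example, not the poster's template or anything from Graylog's own documentation; it assumes the Elasticsearch 7 legacy template API (index_patterns rather than the older "template" key), keeps the CommandLine field name and graylog-custom-mapping template name from this thread, and the ignore_above value and order are choices of this example:

```json
{
  "index_patterns": ["graylog_*"],
  "order": 10,
  "mappings": {
    "properties": {
      "CommandLine": {
        "type": "text",
        "analyzer": "standard",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 32000
          }
        }
      }
    }
  }
}
```

Load it with PUT /_template/graylog-custom-mapping, then rotate the active write index in Graylog (System > Indices), because a template only applies to indices created after it is installed; older indices keep the old mapping. Afterwards CommandLine still answers word queries such as CommandLine:token, while exact and regex queries go to the sub-field, for example CommandLine.keyword:/.*::.*/ (a Lucene regex, where the colon needs no escaping). ignore_above caps the sub-field at 32000 bytes because a single keyword term cannot exceed Lucene's 32766-byte limit; longer command lines are still stored in _source and searchable through the analyzed field, just not through the keyword sub-field. To confirm what the analyzed field actually indexes, run a sample value through the _analyze API with "analyzer": "standard" and compare the returned tokens with the raw string; if the term you are searching for is not in that list, no amount of escaping in the query will find it.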