Hi, I am trying to perform a query like the following: CommandLine :( "test" "test2") OR (CommandLine :( "token" "rpc") AND CommandLine :( "\: \:"))
It returns valid results because the word “token” has been found in the command line; however, there is no “::” within the command line. So… why does it return results?
If I remove “token”, no result is returned. In fact, if I search only for “:” or for “::”, escaping the colon with a backslash, there is no result (and it should return results, such as those for paths like C:\ …, which do contain a colon).
Why does this happen?
I appreciate any help.
Operating system information
CentOS
Package versions
Graylog 4.1
MongoDB 4.2
Elasticsearch 7
Service logs, configuration, and environment variables: Sysmon logs
The special characters are not working for me, and in fact I have seen it in other examples as well.
Do I have to enable anything in the Graylog or Elasticsearch configuration to be able to search for special characters?
I noticed you have a pipe at the end of your search?
My apologies, I haven’t done a lot of commands in the search bar. I’m wondering about the field you’re using called CommandLine. I’m unaware this can be used; is this a custom field? Is it possible to show where you see this in the documentation? Maybe I can get a better understanding.
EDIT: I tried this in my lab, but unless this is a custom field/configuration I don’t have it. I do have ProcessCommandLine, as shown below:
As I have not used Graylog before, I did not know that the original field was ProcessCommandLine… What I created at the beginning of the Graylog configuration is the following (to allow regex in the CommandLine field):
I understand that this is my problem: after sending that to /_template/graylog-custom-mapping, the field no longer allows me to search for special characters, or the search fails.
Hmmm…
The next question that arises is how to fix this. In addition to allowing regex as before, I am not sure whether I would remove any configuration of the field by doing this.
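The behaviour reported at the top of the thread (a query with “token” matching command lines that contain no “::”, while “::” on its own matches nothing) is what an analyzed `text` field produces under Elasticsearch's standard analyzer: punctuation such as `:` and `\` only separates word tokens and is never indexed, and Lucene's classic query_string parser silently drops a clause whose phrase analyzes to zero tokens rather than failing the whole query. The added Python model below is not Graylog or Elasticsearch code; it assumes the custom template mapped `CommandLine` as an analyzed `text` field (the template itself is not shown in the thread), approximates the standard tokenizer with a letters/digits/underscore regex, simplifies the query to an AND of the `"token"`, `"rpc"` and `"\:\:"` clauses (the `("test" "test2")` branch is left out), and uses constructed Sysmon-style command lines. The `and_query_keyword` function shows the contrast with a not-analyzed `keyword` (sub)field, where the raw value is compared verbatim and punctuation stays searchable.

```python
from __future__ import annotations

import re

# Rough model of Elasticsearch's standard analyzer on a `text` field: only runs of
# letters, digits and underscores become (lower-cased) tokens; punctuation such as
# ':' and '\' merely separates tokens and is never indexed. This is an
# approximation of the UAX#29 word-boundary rules the real tokenizer applies.
WORD = re.compile(r"[0-9A-Za-z_]+")


def analyze(text: str) -> list[str]:
    return [t.lower() for t in WORD.findall(text)]


def phrase_clause_text(doc: str, phrase: str):
    """One phrase clause of a query_string against an analyzed text field.

    Returns True/False on a match, or None when the analyzer produced no tokens
    for the phrase (e.g. "::"). Lucene's classic query parser drops such a
    clause from the boolean query instead of failing it.
    """
    needle = analyze(phrase)
    if not needle:
        return None
    hay = analyze(doc)
    n = len(needle)
    return any(hay[i:i + n] == needle for i in range(len(hay) - n + 1))


def and_query_text(doc: str, phrases: list[str]) -> tuple[bool, list[str]]:
    """AND of phrase clauses on the analyzed field.

    Returns (matched, dropped_clauses). When every clause is dropped the parser
    has no query left and nothing matches: the "search only for ::" case.
    When only some are dropped the remaining clauses decide, which is how
    token AND rpc AND "::" can hit a command line with no "::" in it.
    """
    outcomes = [(p, phrase_clause_text(doc, p)) for p in phrases]
    dropped = [p for p, r in outcomes if r is None]
    kept = [r for _, r in outcomes if r is not None]
    if not kept:
        return False, dropped
    return all(kept), dropped


def and_query_keyword(doc: str, needles: list[str]) -> bool:
    """Same clauses against a not-analyzed `keyword` field (e.g. a
    CommandLine.keyword sub-field queried with wildcards like *::*): the raw
    value is compared verbatim, so punctuation is searchable."""
    return all(s in doc for s in needles)


# Constructed Sysmon-style command lines (sample data, not from the thread).
DOC_TOKEN_RPC = r"C:\Tools\client.exe --auth token --proto rpc"
DOC_SCOPED = r"C:\Tools\client.exe --auth token --proto rpc Ns::Run"
DOC_OTHER = r"C:\Windows\System32\notepad.exe notes.txt"

if __name__ == "__main__":
    clauses = ["token", "rpc", "::"]  # unescaped form of "token" "rpc" "\:\:"
    for doc in (DOC_TOKEN_RPC, DOC_SCOPED, DOC_OTHER):
        matched, dropped = and_query_text(doc, clauses)
        print(f"text    {matched!s:5} dropped={dropped} {doc}")
        print(f"keyword {and_query_keyword(doc, clauses)!s:5} {doc}")
    print("only '::' on the text field:", and_query_text(DOC_SCOPED, ["::"]))
```

To confirm what the real mapping does to a value, the `_analyze` API can be run against the index with `"field": "CommandLine"` and `"text": "::"`; an empty token list is the same condition the model treats as a dropped clause. Keeping a `keyword` sub-field next to the analyzed one is the usual way to have both free-text matching and exact or wildcard matching on punctuation.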