Search to Exclude Computer names

CentOS 8.3.2011
graylog-server 4.0.1 release 1

I am using NxLog on a Windows Domain Controller to send syslog format - limited to a group of EventIDs that I care about. They are coming in to graylog very well.

Trying to search windows logs and create a widget. I don’t want to see Computer login information.
So, computers all have a $ at the end of the name.
Using NOT full_message:"account name:??*$" as the search term seems like it should work… but doesn't.

The full message has something like "Account Name:{space}{tab}MyLaptop${space}{tab}Account Domain:"

Also, I tried using TargetAccountName: - but read that it doesn’t allow searching by wildcard (by default).

How do I filter out the computer names?

@BobbyKearan
Hello,
I would like to help you but need more information.
You can look here for reference

https://community.graylog.org/t/community-guidelines/6649#details

Good morning, it looks like you are trying to use leading wildcards and those need to be enabled.

https://docs.graylog.org/en/4.0/pages/searching/query_language.html
Note that leading wildcards are disabled to avoid excessive memory consumption! You can enable them in your Graylog configuration file:
allow_leading_wildcard_searches = true

That can be found in /etc/graylog/server/server.conf

Thank you, Zach.


Adding to post:
CentOS 8.3.2011
graylog-server 4.0.1 release 1

Adding that I am using NxLog on a Windows Domain Controller to send syslog format - limited to a group of EventIDs that I care about. They are coming in to graylog very well.

Other than that, what else do you need to know? I think I laid the problem out fairly well.

Changed that line in the config file - restarted the service. Logged back in - same thing.

Search is: NOT TargetUserName:"*$"
Also tried RegEx: NOT TargetUserName:/([a-z]|[A-Z]|[0-9])$/

Still showing entries with TargetUserName:Mylaptop$

Even added "logged off" to the front: "logged off" AND NOT TargetUserName:/([a-z]|[A-Z]|[0-9])$/

That only showed entries where an account was logged off. But included computer names with the $ at the end.

It seems like it should be a fairly simple task - I don’t want to see entries where the targetusername has a $ on the end.

In a desperate attempt, I did: NOT TargetUserName:/[a-zA-Z0-9-_-]{3,15}([a-z]|[A-Z]|[0-9])$/

Which seems to have worked perfectly (as long as no computer names are longer than 15 digits, which is unlikely).
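As an added illustration (not from the thread and not Graylog's own code), a small Python emulation of how a Lucene/Graylog regexp query is evaluated against a keyword field: the pattern must match the whole term, and `$` is an ordinary character rather than an end-of-string anchor, which is why the earlier single-character pattern excluded almost nothing while the final pattern, which effectively ends in a literal `$`, dropped the machine accounts. It assumes TargetUserName is stored unanalyzed (a keyword field, Graylog's default for extracted fields), uses constructed sample names, and rewrites the thread's character class as `[a-zA-Z0-9_\-]` so that both regex engines read it the same way.

```python
import re

# Constructed sample TargetUserName values (not taken from the thread):
# machine accounts end in '$', user and service accounts do not.
SAMPLE_NAMES = ["MyLaptop$", "DC01$", "WS-FINANCE-07$", "a$", "jdoe", "svc-backup"]

# Patterns as they would appear between the slashes of a Graylog query.
REGEX_SECOND_TRY = r"([a-z]|[A-Z]|[0-9])$"          # second attempt in the thread
REGEX_FINAL = r"[a-zA-Z0-9_\-]{3,15}([a-z]|[A-Z]|[0-9])$"  # final attempt, class rewritten
REGEX_SIMPLE = r".*\$"                              # says what is meant: ends in '$'


def lucene_regex_matches(pattern: str, value: str) -> bool:
    """Emulate a Lucene regexp query on a keyword field: the pattern must match
    the whole term, and '$' is a plain character, not an end anchor. Python's
    re treats '$' as an anchor, so escape any unescaped '$' and use fullmatch()."""
    literal_dollar = re.sub(r"(?<!\\)\$", r"\\$", pattern)
    return re.fullmatch(literal_dollar, value) is not None


def lucene_wildcard_matches(pattern: str, value: str) -> bool:
    """Emulate an unquoted wildcard query ('*' = any run, '?' = one char) over the
    whole term. A leading '*' needs allow_leading_wildcard_searches = true, and a
    quoted "*$" is a phrase query in which '*' is not a wildcard at all."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def kept_after_not(pattern: str, names=SAMPLE_NAMES, wildcard=False) -> list:
    """Names that survive 'NOT TargetUserName:<pattern>', i.e. are not matched."""
    match = lucene_wildcard_matches if wildcard else lucene_regex_matches
    return [n for n in names if not match(pattern, n)]


if __name__ == "__main__":
    queries = [
        ("NOT TargetUserName:/%s/" % REGEX_SECOND_TRY, REGEX_SECOND_TRY, False),
        ("NOT TargetUserName:/%s/" % REGEX_FINAL, REGEX_FINAL, False),
        ("NOT TargetUserName:/%s/" % REGEX_SIMPLE, REGEX_SIMPLE, False),
        ("NOT TargetUserName:*$", "*$", True),
    ]
    for label, pat, wc in queries:
        print(f"{label:<62} keeps {kept_after_not(pat, wildcard=wc)}")
```

The second-try pattern only matches a one-character name followed by `$`, so every real machine account survives the NOT; the final pattern and the simpler `/.*\$/` (or an unquoted `*$` wildcard with leading wildcards enabled) remove exactly the names ending in `$`.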

