Search to Exclude Computer names

CentOS 8.3.2011
graylog-server 4.0.1 release 1

I am using NxLog on a Windows Domain Controller to send syslog format - limited to a group of EventIDs that I care about. They are coming into Graylog very well.

Trying to search windows logs and create a widget. I don’t want to see Computer login information.
So, computers all have a $ at the end of the name.
Using NOT full_message:“account name:??*$” as the search term seems like it should work… but doesn’t.

The full message has something like “Account Name:{space}{tab}MyLaptop${space}{tab}Account Domain:”

Also, I tried using TargetAccountName: - but read that it doesn’t allow searching by wildcard (by default).

How do I filter out the computer names?

@BobbyKearan
Hello,
I would like to help you but need more information.
You can look here for reference

Good morning, it looks like you are trying to use leading wild cards and those need to be enabled.

https://docs.graylog.org/en/4.0/pages/searching/query_language.html
Note that leading wildcards are disabled to avoid excessive memory consumption! You can enable them in your Graylog configuration file:
allow_leading_wildcard_searches = true

That can be found in /etc/graylog/server/server.conf

Thank you, Zach.


Adding to post:
CentOS 8.3.2011
graylog-server 4.0.1 release 1

Adding that I am using NxLog on a Windows Domain Controller to send syslog format - limited to a group of EventIDs that I care about. They are coming into Graylog very well.

Other than that, what else do you need to know? I think I laid the problem out fairly well.

Changed that line in the config file - restarted the service. Logged back in - same thing.

Search is: NOT TargetUserName:"*$"
Also tried RegEx: NOT TargetUserName:/([a-z]|[A-Z]|[0-9])$/

Still showing entries with TargetUserName:Mylaptop$

Even added “logged off” to the front: “logged off” AND NOT TargetUserName:/([a-z]|[A-Z]|[0-9])$/

That only showed entries where an account was logged off. But included computer names with the $ at the end.

It seems like it should be a fairly simple task - I don’t want to see entries where the targetusername has a $ on the end.

In a desperate attempt, I did: NOT TargetUserName:/[a-zA-Z0-9-_-]{3,15}([a-z]|[A-Z]|[0-9])$/

Which seems to have worked perfectly (as long as no computer names are longer than 15 digits, which is unlikely).
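The reason the short regex excluded nothing while the longer one worked can be reproduced offline. This is an added example, not code from the thread or from Graylog; it models two Lucene query-syntax rules that Graylog inherits from Elasticsearch (stated here as assumptions about that engine): a `/regexp/` must match the entire keyword value, and `$` inside a Lucene regexp is an ordinary character rather than an end-of-string anchor. Under those rules `([a-z]|[A-Z]|[0-9])$` can only ever match a two-character value such as `a$`, so `NOT` removes nothing, whereas `[a-zA-Z0-9-_-]{3,15}([a-z]|[A-Z]|[0-9])$` covers the whole of `Mylaptop$`. A separate caveat on the wildcard attempt: an unquoted `TargetUserName:*$` is a wildcard query, but inside double quotes (`"*$"`) the term is a phrase and the `*` is not expanded. The event records below are constructed sample data, and the field is assumed to be an untokenized keyword field.

```python
import re

# Constructed sample events (not from the thread). TargetUserName is assumed
# to be a keyword field, so each value is matched as one whole term.
SAMPLE_EVENTS = [
    {"EventID": 4634, "TargetUserName": "Mylaptop$"},   # computer account
    {"EventID": 4634, "TargetUserName": "jsmith"},      # user account
    {"EventID": 4624, "TargetUserName": "DC01$"},       # computer account
    {"EventID": 4624, "TargetUserName": "svc-backup"},  # user account
]


def lucene_regexp_matches(pattern: str, value: str) -> bool:
    """Model of a Lucene /regexp/ term (assumption): the pattern must match
    the ENTIRE value, and '$' is a literal character, not an anchor.
    Only '$' is translated here; the other operators used in the thread
    (classes, alternation, {n,m}) mean the same thing in Python's re."""
    python_pattern = pattern.replace("$", r"\$")
    return re.fullmatch(python_pattern, value) is not None


def lucene_wildcard_matches(pattern: str, value: str) -> bool:
    """Model of an unquoted Lucene wildcard term: '*' is any run of
    characters, '?' is exactly one character, everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), value) is not None


def exclude_by_regexp(events, pattern):
    """Equivalent of: NOT TargetUserName:/pattern/"""
    return [e for e in events
            if not lucene_regexp_matches(pattern, e["TargetUserName"])]


def exclude_by_wildcard(events, pattern):
    """Equivalent of: NOT TargetUserName:pattern (pattern unquoted)"""
    return [e for e in events
            if not lucene_wildcard_matches(pattern, e["TargetUserName"])]


def exclude_computer_accounts(events):
    """The intent behind the search: drop any account name ending in '$'."""
    return [e for e in events if not e["TargetUserName"].endswith("$")]


if __name__ == "__main__":
    short = "([a-z]|[A-Z]|[0-9])$"
    long_ = "[a-zA-Z0-9-_-]{3,15}([a-z]|[A-Z]|[0-9])$"
    # The short regex never matches a whole term, so nothing is excluded.
    print("short regex keeps:", [e["TargetUserName"] for e in exclude_by_regexp(SAMPLE_EVENTS, short)])
    # The long regex spans the whole term, so computer accounts drop out.
    print("long regex keeps: ", [e["TargetUserName"] for e in exclude_by_regexp(SAMPLE_EVENTS, long_)])
    # An unquoted wildcard does the same job with less to get wrong.
    print("wildcard keeps:   ", [e["TargetUserName"] for e in exclude_by_wildcard(SAMPLE_EVENTS, "*$")])
```

The `exclude_computer_accounts` function is the ground truth to compare the query models against; if a query form is behaving differently in Graylog, the first things to check are whether the field is a keyword or an analyzed text field, and whether the wildcard is sitting inside quotes.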
