Search using regex

v_2nas · February 23, 2018, 5:13am

Hi Folks,

I am searching for specific event (4624) and where targetusername doesn’t match computername.
The computer accounts in Windows is denoted by a $ at the end of the name.

So i used the regex provide in above thread. The regex ([\w-]+$) works when i test in online regexr.com
However, when i used in graylog search it failed.

My idea is to exclude all 4624 events where TargetUserName is a computer account.

jan · February 23, 2018, 8:07am

your query did not look like the one that is provided by jochen:

v_2nas · February 23, 2018, 8:30am

This regular expression
([\w-]+$)
works with java regex tester

but the same regular expression gives error in graylog search EventID:4624 AND TargetUserName:([\w-]+$)
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]
Failed to parse query [EventID:4624 AND TargetUserName:([\w-]+$)]

v_2nas · February 23, 2018, 8:45am

jochen · February 23, 2018, 8:46am

Yes, because that’s the wrong query syntax.

Try the following query:

EventID:4624 AND TargetUserName:/.+/

Also be reminded that the regular expression has to match the complete field content if the field hasn’t been tokenized/analyzed.

See Regexp Query | Elasticsearch Reference [5.6] | Elastic for details about the Lucene regular expression syntax.

v_2nas · February 23, 2018, 8:57am

i was basing it on the regex i found on the community.
I don’t have much understanding of the regex, so i do some trial and error using what is available.

([\w-]+) matches the the condition in java regex tester, but as you mentioned, it's incorrect for graylog. i have tried to use \ char for but that didn’t work.

I need to exclude all those events where name contains a computer name preceded by , something like abcd, abcdefg$, etc.

jochen · February 23, 2018, 9:31am

That’s why I’ve pointed you to the documentation.

v_2nas · March 9, 2018, 7:36am

I manage to get assistance from another graylog ninja, so thought i will share the solution to help anyone who is in the same situation.
So, we enabled allow_leading_wildcard_searches=true in the server.conf file
Then i could use this search query to get all user minus computer accounts.

EventID:4624 AND NOT TargetUserName:*$

system · March 23, 2018, 7:36am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Regex in search assistance Graylog Central (peer support) sidecar , winlogbeat	1	2547	April 12, 2017
Trying to exclude accounts with $ Graylog Central (peer support) sidecar , winlogbeat	3	1314	April 25, 2019
Excluding Character when Searching Graylog Central (peer support)	2	769	February 25, 2019
Search for dollar sign Graylog Central (peer support)	3	1396	January 31, 2018
How to I exclude $ in my searches Graylog Central (peer support)	3	872	December 26, 2018

Search using regex

Related topics